9ad0808bfbdb173d12a0649bd62016357da5e40e2e92d2e4efc17d963fb1d8b6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6931d4f0ac5a3ade76753cf3b55b790N.exe
Size

124KB
MD5

d6931d4f0ac5a3ade76753cf3b55b790
SHA1

754365f6304512d5cc445fddd37998f6269e551d
SHA256

9ad0808bfbdb173d12a0649bd62016357da5e40e2e92d2e4efc17d963fb1d8b6
SHA512

23983fe6fea70e887c4ea38a4c83f6a66331e732acf48e499a3cf52f82b8f02788ed7c8aadaaf819d172a23bedc4c88dba689f040c23337b31a34d539ed1eef7
SSDEEP

1536:hFJYI93LaE3yE16IxyuR87jXq+66DFUABABOVLefEjw6YmLsAjqLciEFms11:Ltba+6pk87j6+JB8M6m9jqLsFmsr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe

Executes dropped EXE 62 IoCs

pid	Process
2880	Aeiofcji.exe
1048	Afjlnk32.exe
1828	Anadoi32.exe
452	Aqppkd32.exe
2852	Agjhgngj.exe
4060	Afmhck32.exe
3980	Andqdh32.exe
3624	Amgapeea.exe
4016	Acqimo32.exe
2856	Ajkaii32.exe
244	Aadifclh.exe
1624	Bfabnjjp.exe
2484	Bnhjohkb.exe
3692	Bebblb32.exe
756	Bganhm32.exe
4496	Bnkgeg32.exe
4764	Baicac32.exe
3712	Bffkij32.exe
4576	Bmpcfdmg.exe
2188	Beglgani.exe
4008	Bgehcmmm.exe
3556	Bjddphlq.exe
920	Bmbplc32.exe
468	Bclhhnca.exe
1728	Bfkedibe.exe
3788	Bnbmefbg.exe
3052	Belebq32.exe
2236	Chjaol32.exe
4192	Cenahpha.exe
2444	Chmndlge.exe
1616	Cjkjpgfi.exe
1144	Cmiflbel.exe
1012	Cdcoim32.exe
4740	Chokikeb.exe
3144	Cnicfe32.exe
2556	Cagobalc.exe
1340	Cdfkolkf.exe
5028	Cjpckf32.exe
4984	Cnkplejl.exe
2820	Cmnpgb32.exe
4036	Ceehho32.exe
3892	Chcddk32.exe
1064	Cjbpaf32.exe
1140	Cmqmma32.exe
3792	Cegdnopg.exe
404	Dhfajjoj.exe
4936	Djdmffnn.exe
4052	Danecp32.exe
2600	Ddmaok32.exe
4612	Dhhnpjmh.exe
3888	Dobfld32.exe
2224	Daqbip32.exe
2680	Ddonekbl.exe
3044	Dkifae32.exe
1000	Dmgbnq32.exe
4656	Ddakjkqi.exe
464	Dfpgffpm.exe
4604	Dogogcpo.exe
4332	Daekdooc.exe
4308	Deagdn32.exe
2024	Dhocqigp.exe
4856	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1876	4856	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6931d4f0ac5a3ade76753cf3b55b790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d6931d4f0ac5a3ade76753cf3b55b790N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2880	1668	d6931d4f0ac5a3ade76753cf3b55b790N.exe	82
PID 1668 wrote to memory of 2880	1668	d6931d4f0ac5a3ade76753cf3b55b790N.exe	82
PID 1668 wrote to memory of 2880	1668	d6931d4f0ac5a3ade76753cf3b55b790N.exe	82
PID 2880 wrote to memory of 1048	2880	Aeiofcji.exe	83
PID 2880 wrote to memory of 1048	2880	Aeiofcji.exe	83
PID 2880 wrote to memory of 1048	2880	Aeiofcji.exe	83
PID 1048 wrote to memory of 1828	1048	Afjlnk32.exe	84
PID 1048 wrote to memory of 1828	1048	Afjlnk32.exe	84
PID 1048 wrote to memory of 1828	1048	Afjlnk32.exe	84
PID 1828 wrote to memory of 452	1828	Anadoi32.exe	85
PID 1828 wrote to memory of 452	1828	Anadoi32.exe	85
PID 1828 wrote to memory of 452	1828	Anadoi32.exe	85
PID 452 wrote to memory of 2852	452	Aqppkd32.exe	86
PID 452 wrote to memory of 2852	452	Aqppkd32.exe	86
PID 452 wrote to memory of 2852	452	Aqppkd32.exe	86
PID 2852 wrote to memory of 4060	2852	Agjhgngj.exe	87
PID 2852 wrote to memory of 4060	2852	Agjhgngj.exe	87
PID 2852 wrote to memory of 4060	2852	Agjhgngj.exe	87
PID 4060 wrote to memory of 3980	4060	Afmhck32.exe	88
PID 4060 wrote to memory of 3980	4060	Afmhck32.exe	88
PID 4060 wrote to memory of 3980	4060	Afmhck32.exe	88
PID 3980 wrote to memory of 3624	3980	Andqdh32.exe	89
PID 3980 wrote to memory of 3624	3980	Andqdh32.exe	89
PID 3980 wrote to memory of 3624	3980	Andqdh32.exe	89
PID 3624 wrote to memory of 4016	3624	Amgapeea.exe	91
PID 3624 wrote to memory of 4016	3624	Amgapeea.exe	91
PID 3624 wrote to memory of 4016	3624	Amgapeea.exe	91
PID 4016 wrote to memory of 2856	4016	Acqimo32.exe	92
PID 4016 wrote to memory of 2856	4016	Acqimo32.exe	92
PID 4016 wrote to memory of 2856	4016	Acqimo32.exe	92
PID 2856 wrote to memory of 244	2856	Ajkaii32.exe	93
PID 2856 wrote to memory of 244	2856	Ajkaii32.exe	93
PID 2856 wrote to memory of 244	2856	Ajkaii32.exe	93
PID 244 wrote to memory of 1624	244	Aadifclh.exe	94
PID 244 wrote to memory of 1624	244	Aadifclh.exe	94
PID 244 wrote to memory of 1624	244	Aadifclh.exe	94
PID 1624 wrote to memory of 2484	1624	Bfabnjjp.exe	96
PID 1624 wrote to memory of 2484	1624	Bfabnjjp.exe	96
PID 1624 wrote to memory of 2484	1624	Bfabnjjp.exe	96
PID 2484 wrote to memory of 3692	2484	Bnhjohkb.exe	97
PID 2484 wrote to memory of 3692	2484	Bnhjohkb.exe	97
PID 2484 wrote to memory of 3692	2484	Bnhjohkb.exe	97
PID 3692 wrote to memory of 756	3692	Bebblb32.exe	98
PID 3692 wrote to memory of 756	3692	Bebblb32.exe	98
PID 3692 wrote to memory of 756	3692	Bebblb32.exe	98
PID 756 wrote to memory of 4496	756	Bganhm32.exe	99
PID 756 wrote to memory of 4496	756	Bganhm32.exe	99
PID 756 wrote to memory of 4496	756	Bganhm32.exe	99
PID 4496 wrote to memory of 4764	4496	Bnkgeg32.exe	100
PID 4496 wrote to memory of 4764	4496	Bnkgeg32.exe	100
PID 4496 wrote to memory of 4764	4496	Bnkgeg32.exe	100
PID 4764 wrote to memory of 3712	4764	Baicac32.exe	101
PID 4764 wrote to memory of 3712	4764	Baicac32.exe	101
PID 4764 wrote to memory of 3712	4764	Baicac32.exe	101
PID 3712 wrote to memory of 4576	3712	Bffkij32.exe	103
PID 3712 wrote to memory of 4576	3712	Bffkij32.exe	103
PID 3712 wrote to memory of 4576	3712	Bffkij32.exe	103
PID 4576 wrote to memory of 2188	4576	Bmpcfdmg.exe	104
PID 4576 wrote to memory of 2188	4576	Bmpcfdmg.exe	104
PID 4576 wrote to memory of 2188	4576	Bmpcfdmg.exe	104
PID 2188 wrote to memory of 4008	2188	Beglgani.exe	105
PID 2188 wrote to memory of 4008	2188	Beglgani.exe	105
PID 2188 wrote to memory of 4008	2188	Beglgani.exe	105
PID 4008 wrote to memory of 3556	4008	Bgehcmmm.exe	106

C:\Users\Admin\AppData\Local\Temp\d6931d4f0ac5a3ade76753cf3b55b790N.exe
"C:\Users\Admin\AppData\Local\Temp\d6931d4f0ac5a3ade76753cf3b55b790N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Afjlnk32.exe
    C:\Windows\system32\Afjlnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\Anadoi32.exe
      C:\Windows\system32\Anadoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 396
        64⤵
        Program crash
        
        PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
124KB

MD5
4779bc61de4f54c60e106992072d3f11

SHA1
3f36feab3d47ae78f462a3139bb304881337d4c4

SHA256
79c67771ff075bfff33d09f9ede25a72642d45d0373045191814a622f2287cbd

SHA512
71e8d3750a65e7e8411a05db0f695b51494f7683d63f7bb2d0205404c525cd1452530cf1ddbef7fbdf807e6773f0b605790a286f42ec1504ebfc37fa00041af1

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
124KB

MD5
98ca25d21caf227ce12585c8f984ef72

SHA1
3d24a4d2974ee0843ecaa480aa8c1345fe6498b9

SHA256
874916a4c54519488e0f9b3b185248d888b92c22462ff241a78d635142d5dcc4

SHA512
bce27fa3b5ae617436bb703c6fba4fd508c452cddfa71b034b22390351d1be8d6d346d89560fc763a10b978df8e3ded823140f7215cbc9a8ad28cea69d56bdef

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
124KB

MD5
1d2802d761ad33d6d6146b5826c98837

SHA1
3c05895402c0ef92b123bd92cb9bbbfb831c3e8a

SHA256
061ef9f50e934613a36036d967d6315310ae231f143a9260397505fab56c87fb

SHA512
e132f61b4d38977e6134ea3b0d06d962bed14334424488d127708f1d6747a0023e8a5ab97daf24ceda3781e2c1788e67dcec71ecd6c5f0c5346c13d3f6c1e948

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
124KB

MD5
95dce9500508d4c711b22269d5f43f25

SHA1
5b00e829a44d2fff4580bc7c2b5eeab241b03131

SHA256
d0ba3ab0bdd08c5b8ff800656f9e5b1874b392c729fb64a60f594a829b4595a6

SHA512
ea55752a5ff35b0b307f53878f316a6b93735f83f375e93d5ae9468550307eafb1236e97c526ec6d7b05dd29f2368b4a6ade0799f9295942ebdd6119394a58a7

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
124KB

MD5
0c1e1aef29d166594a3ec1127aa34c78

SHA1
1354f3ca6e20a561282eef6cecc18e1890977aac

SHA256
04c24fcbf62fac4cd82ed50f837a28565178896c03715643715f18887bc3746d

SHA512
812070464ac189aada31d194d894dd0eb228205bfd7238465fcc5b473839d155b87ec323e7381a4bd8e8e7400c235181ee1aec35616b6f111118ac0eb7a75fcf

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
124KB

MD5
a9b8dbfb6c984378ae1d1b6537d570d2

SHA1
0defb542ff695592e2f32b186fd9f1d1ed8ecb45

SHA256
8d4301bb067a74a1b596b6a6e058180e58a5a92be75c571551600019327b00cd

SHA512
718d47fba5545da28b74cf1b0329b4ee5671e4c4136d11ac9a62c1511d2f85dfb8ebc22d7ece1ecd9953085a1a02793bed66caaa534d0b60948448725906511d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
124KB

MD5
275da6e74ee5e0e9e08ee2d4d867ebf5

SHA1
b2ea2242da9b99562d1b6b1217a9c1a592967b59

SHA256
0b3cf8dafaba6f973d0e2b87b4dce99162ffb713813f7f9746b110e4b6300500

SHA512
9a31775ffba4154d1960aff430933996a131c30e0b6d278b17705453e914221743e86fe0a17da64d7e436623a0c8bd59fef6b0809938a23a390ed14d6c7fa8c2

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
124KB

MD5
c5a2a8a5c35429a61eb21919963965ff

SHA1
0d95e92a39f8bccd1404fbfc35682a542c8e746e

SHA256
301202857d05308972db50a1e2a257c9efe4b747e822ce07fc6b81db2b8439b2

SHA512
36ae117a24bbf1c9a8f20bac46bf522fb6801aef63c5bac4f94ded49c34fb8482eefeafe2de97dac1b2b93b5af9e790b9e87365caf742431974e490885d0144f

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
124KB

MD5
f32be1a3f647e22a7793765c34e53eac

SHA1
54346ff5823d571ee01d2812a4b5ed192629a69d

SHA256
fb39109e7c206b0912635160f8394dedc8d0eb8336496c35735d6fed697d8bec

SHA512
63b81be20f7a6cc9ba8c47792c28a89ed9f6ab8cfd9f14bc62d15b2b8dd3e475ce615a21ede3f2f75deb261c208dfde94c888e0e8b4d9f5d4925692aad124626

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
124KB

MD5
9e7a4645c8a5f673db20c3af3319ffcd

SHA1
6e95c90775242d7326528ec17493851aa0e346e8

SHA256
190858ed97e8b34a9af1fa47316f5d5a0685e8adda8ee3ffb30214d0af33a502

SHA512
752b35f300db3fa25b2bbaf075ff77310cf718c7ad97d173547ddfd234dde56c6e144dfdcb4bea4b0cf0f5fe8bf5dcd6596390bc455923ed0fefce563e011bd1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
124KB

MD5
4420d76da2ac83419ec6952df6c5737b

SHA1
489714aadf01b12643ef84c70a5996b78794c1d7

SHA256
1b1dea024bcc49f718e75f2ed7457b2668f7546026cf7362fa06953723fcfbb4

SHA512
a91a78237914b54086418c0778a33463e30fef0f333ee88a409302d3ce56e0b3756d3d531225ce3631e80002a8d5a008ef8909d0c00e3b8de253b8d08aa5dda5

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
124KB

MD5
63f6159db725d3177d4916771135d708

SHA1
74f8f777a25def65c58bfb61afabcdbbe978ebe6

SHA256
1d8a60e4f47ed01fd50971b4083f759baf9dd75176afe303ae6245340c3d8ff2

SHA512
497eead1a2a9fca57ce1aa802efc5f2b9d04467e28e2707294069e70b8eb14469ab375e9f8cf24f5bf11be9a235aecacd7d96927aba5a97a88e3e5a4d1eb63a5

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
124KB

MD5
1de60b6a84c39e97088f1032921af118

SHA1
04f6db744ee00e0c1b7abcd008c03dd53e623ce9

SHA256
addef8e6cc94b874e211baa97800486efb84f672f42ce039fd0bcc7c4024679b

SHA512
bc0d0e8a0bfc0a53a08b45728193363570cedf61252c53afe1fa6c489e632e48733f8677fc5c15fa449528ba7e960870fcf19093e1dcb5ca8d6306c715ef9ce4

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
124KB

MD5
80250b5a355677980097606b868e61c2

SHA1
928d8f745fd05583e42d390803c764914b434f0c

SHA256
4cbfea1f9c6acfd9f452d2874701ad4abe19a4ae80e4e6df617ab86346d40a0f

SHA512
08a40f70e089d99696e8ded722fcce17362bec0ab15c0f66b8990fae82464df16e65546cf35bccaeba097268163f9b958d924e7fdcd0e72304ae2a398bf7d013

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
124KB

MD5
0cd539e854d9c2160f623853ce91b43b

SHA1
16ec0a4ce427fcbff019495afb85f5a24f5fe539

SHA256
e453963541d1a420c262048bab17cfcec26d46749f8d0c4edb03c6d3fd2ee46b

SHA512
8102623af254ff8cb48b541b8463eb3a96b46bb080b32615fa498305c25c5035bb8744a867f57be2eeec905e608916829dae410ac9ad7c5004839577234926b4

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
124KB

MD5
22de2ee0b30b7e13b2bb0fed68973a81

SHA1
222f8227ef3246fd1f877a4e518972cdea44bf87

SHA256
f10ee136ec3c3158b258902333ca971ba4fd7d43d2da2661ba939923f4fa9c1f

SHA512
0e1438bedd98039b1d2259f75cabd8352a1bfb2232adafc78ca9faa87b7550823c9a557d0210db7a5c75bedb379d922acc9d4d52ba5e1078146921dfd8b9fc10

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
124KB

MD5
ff0e35c95bfcf39a3c60193e1c3eca5d

SHA1
450f281100391a22015c0a19484420c7daa81e1c

SHA256
d97435c46e5501f3462576a202835c1098988725eadd1d8438ff1538ab99400c

SHA512
92e7c3d1c1b21ffae42321b51e45436b4725b61dd6f4b5e91a9a6247d4207b5bc2b71019eae7eea18c5781d44696f6ed836f1729e86cdb07fc7eb83e265dcc50

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
124KB

MD5
2bab7f3807945ac7911894bc42583d88

SHA1
d932965be8168ba5cc17b4b97e5c00c4c6c2975c

SHA256
40d475096457df2d1ba13cecf73888baf12b5c34e659a8b3b52e3784e29fc8d5

SHA512
f01108c6701eb90bd3217bea6a3214b6670b24cf47f1687b753943b559c21760738cfa241ba46000513a35c37eb9c23f3095230444c1f978e30a3db607fe9ed0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
124KB

MD5
9f223766929a8a7e1a32b640897c7997

SHA1
67e90573377fcd310a265b33b3345541f99286b1

SHA256
01348e57071222578a7f44cda1a55a23452a3595e1aac03413cda207566b90cf

SHA512
5dafa1a1ab2c1e6d13e4dd77c17e20acdef005c16a9c989a4a41c6a6bb65db08f9d28fb2c89b8077e2cbfe0051d4aec579eb5ac10c853ab6ab01ed7c03fd6c05

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
124KB

MD5
7f6eb21b1a0d1d9d790090d0eb1d7f81

SHA1
372be7665d4a9e54ba059e0460caddaa7d06eea3

SHA256
deb87f4792a18df5336992b042612c2ba1180033b9518e78f62857cdf89384a3

SHA512
c71252d5c5278bcc07e9ae00bbdf8c7290d638fd13fd499a29eb6bbf71a11120fbde4748307d030ba0cec9c645ff56754447345c58d253b54be3acf790a00f50

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
124KB

MD5
8b7fd226dc11c633785e77d3ba5bc017

SHA1
dcca065f7c17f745f14e9d2a15fe93caf14e676b

SHA256
f2744faf6bacaf189508711873888e2bf1e08c49b8a07407259a6fb0db19c8c4

SHA512
677edeb92c6056f7efeb7252b4a24d915053ec3e011a5f3a7f99946e3c1118fee1775153ac81581be71d1e9735a5d8f0b3afd35cb9c5244edbe53b6acbac3704

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
124KB

MD5
328bcf5d077c24a419a7ff75c616e815

SHA1
0110914848b457e60d09ec421e192deabdff4208

SHA256
b91b1df27bb1511c78ccb5937f76b5df7cba3a1e93e40133a19e7702a443c4e3

SHA512
bb8f6460cedd6342c11ec8fa39d753c020f7648c2e254fcf70d12cb47be337adeef5fd6a267bc77f2f7d461c95ea14ceebdd22a3bef688ecfd079cc309dc9cc6

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
124KB

MD5
507fd4df9a1867b8593724b276e632ed

SHA1
e79c088f456cca9df4cf316f321af537b9a6cf99

SHA256
f6c1f4203d3d38b384ae8839988bb53036f5a3aee069dd94cbaf8ad06d921471

SHA512
fe2593fe65f5ab851718af403fb2b23e9e18df26217aab6352c6ea92d1b53d6604f92b8b73a5eddaa5b08fea4d1fabcc0813e706788565fc1ca3d4807bd36de0

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
124KB

MD5
f239c0b434f26c9cb755145ec5e6488a

SHA1
239da5c2b04e9607a67b6bba6d1463250f17dc37

SHA256
8833c85a90c9c8eb9f770f37f7a52dcee93638812b87dbb89fa7c7f6dfc4a1ee

SHA512
b01675e01b00e1d11f28454dd26571be8e5a7fd9b0bb417b2d4e188af8805347dd1f639b762627eb6a3c480cfc298c4b142c17879d92d35094c768e542292809

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
124KB

MD5
26add50912e6ceded10623813c48a462

SHA1
406aa3edb38845b92eb686dce09e21315187d522

SHA256
42b8c929e49eee6a93200b9ceca98fcea4e466a6618ef51119c1b1601dd2d7ba

SHA512
e76a88390ba207bdaca3451a80fd6067f845ec8ae32609a8a0daf02f6e2ccc2cfe0bdba603df3368f2f09531cc472a5113eeeb6e25af3bb1e11ef38c8f4b9b61

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
124KB

MD5
f049235fe6c1c1b34e3099c7a5cf29df

SHA1
5e3f47e0f004c81cd207eb788aa4b110e5bb1817

SHA256
1e77744253e409fc871c55945aa6932e423246cc4186cdc327cf029d0502b7db

SHA512
57ecec4577b7bde9358b2ca065b5640eed13bfb5ea29202bb4d72aa1221837608ec6a9f7689dc014689793585a612ef8d26bf87bd3427b6d5f7b341a28f897c5

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
124KB

MD5
77a4fa37c2a1154704ad37092841e0b7

SHA1
f76b4701a178162767089954e1b32b0efadb9518

SHA256
1886da4eb105043a67dbf4a54b6afa07f01323d16cf00198a614016da214e11a

SHA512
56225beb90f153c65a50697923cd17da9e4dee87de9ec54a39dda91f55de3313165dd4eca3fe350a276b237dec8ad13c59f2d0e5cb397f2f1b3972792454e867

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
124KB

MD5
62fac90e066c06f526905aaf75d4a64e

SHA1
341a91cc741d74692b9b4438c0a782b60fe52ea5

SHA256
af6eaba5376c5c986912086208eda4580ec2b7f55c5eb7333e16200194b5669d

SHA512
29109094e84e635832dc07b95026259d62be01a89577a2e032cd1066dbd5143000d3aa24883f5322a24e570f836a58af107e9c412f297b2fab8b652edd8c1f50

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
124KB

MD5
8c646687be54d0993501be7318340a64

SHA1
cc398f3d485fef732ed31398ef595a07a82ef219

SHA256
74e99b5b5b0d2915fcf23c5ed033092ffd4da7e3c8af19d16fd2b357a363bbdd

SHA512
f37cb23add9b3b5979169bab26786e5987a35908dce95e76327a93ed42a5a8664fd17341ff268f0d8bc6f6b473f3607d84c778300cf6dde2101bbae3c326a159

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
124KB

MD5
82762e686357f49b7e293743f26ba8b4

SHA1
9f4c144b308337a14b8164d1c249313ad465ed88

SHA256
b5a00a1e3d19feafadbfe677b578f014327eaff7003b8f2fddbc6d37b0313832

SHA512
05961552789d357ff5dfe121b91165f4b6628e2d4d862d7c6cd196eb3452a85378efc409edd97dd812b62b2b7c3808c58977040db0739961253cebfb4919a137

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
124KB

MD5
783beef213b858613f9e0afbf0a2eda9

SHA1
a1eeac151d020820210f6584603e2bae3f572b35

SHA256
a816e90555cdd69c68ae672a017b67f4a57edcbcf180ce107d3bada509f606aa

SHA512
a64602b977fc75d3db5f069622337f9f1e993b8903511ca6901e4a296ca6f7e773aa317ad7e6a96c0b3f80bb73ec97e5ee370c9952a3404d4c05fe8496d6d8a0

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
124KB

MD5
80818069cca3552d6bdff3501ea0c0a9

SHA1
19b6c0572367308669241ea0c42224ccc7c9622e

SHA256
2d3be7e523a787617af6bf848c0d02ca191deb43e5250a30e46d5e4cef0926ac

SHA512
084656c21b8e939c837e9ca1de5bd738187c5455e3974a7e3b0bc105b1f94f99768af5f11d02073ae9736bbbbfba1c4d583c1a38e4b688d2e5ab7172c1f0b1a1

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
124KB

MD5
c4a719093901ea2c6712271c4787bac3

SHA1
1242f37ac18ba17c2ad5b73e75fc48de9c43b2eb

SHA256
9acaf5c31d9e68ce4418b8f76d2b2732d87e3bac561daab9de73ba713a9456d6

SHA512
299e66aa8e9b578ff79372a685e82c01f2e162bb34033824cd8b283c7aceff1a3bfa54505fa1b3f50e2033f935a92180ed92e2330ac6d3d7a116a6cb5c4ffe02

Download Submit
memory/244-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/756-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1144-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1144-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1728-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3892-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3892-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4764-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads