5c4abe39ba6799098f4e674930c563c652e0a4818b7154726a1029277595b4a6

Analysis

max time kernel
95s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4af3289b0cd3a13d052ecc8f92d6190N.exe
Size

128KB
MD5

b4af3289b0cd3a13d052ecc8f92d6190
SHA1

e3dbc83d99fd3ddbaa77a76c997d4343b2d10a5a
SHA256

5c4abe39ba6799098f4e674930c563c652e0a4818b7154726a1029277595b4a6
SHA512

d1b2ffab7fe20ac7a6274a0c1f80ca51f0f46316479c54b84bac02c833956ddb5503a801339a7f234b2b8252518f0199c30c5c2ce623ea60975276f336136f1d
SSDEEP

3072:kBmT1xOLmCLK4x1ecOKVElJhw9Y9rkEznYfzB9BSwW:c21xOrAfKVwM9Y9rkYOzLc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe

Executes dropped EXE 62 IoCs

pid	Process
2468	Panhbfep.exe
2792	Qfkqjmdg.exe
1716	Qmeigg32.exe
3388	Qdoacabq.exe
3744	Qfmmplad.exe
540	Qodeajbg.exe
2532	Qdaniq32.exe
3196	Afpjel32.exe
2056	Aphnnafb.exe
4860	Ahofoogd.exe
3080	Aoioli32.exe
3268	Ahaceo32.exe
2204	Agdcpkll.exe
1880	Aajhndkb.exe
2380	Adhdjpjf.exe
5028	Akblfj32.exe
3212	Amqhbe32.exe
5036	Adkqoohc.exe
3820	Akdilipp.exe
4484	Aaoaic32.exe
3936	Bdmmeo32.exe
1056	Bgkiaj32.exe
2492	Bmeandma.exe
4140	Baannc32.exe
5084	Bgnffj32.exe
2200	Bmhocd32.exe
3708	Bdagpnbk.exe
1468	Bgpcliao.exe
556	Bogkmgba.exe
3528	Baegibae.exe
4452	Bhpofl32.exe
4760	Bknlbhhe.exe
4836	Bahdob32.exe
3172	Bhblllfo.exe
4712	Bgelgi32.exe
632	Boldhf32.exe
2472	Cpmapodj.exe
4044	Cdimqm32.exe
4876	Cggimh32.exe
696	Conanfli.exe
4184	Cammjakm.exe
948	Cponen32.exe
1624	Cgifbhid.exe
2488	Coqncejg.exe
3648	Caojpaij.exe
4212	Cdmfllhn.exe
1216	Cglbhhga.exe
1032	Cocjiehd.exe
2076	Caageq32.exe
60	Chkobkod.exe
1736	Cgnomg32.exe
384	Cnhgjaml.exe
4964	Cdbpgl32.exe
4388	Chnlgjlb.exe
4080	Cogddd32.exe
3932	Dafppp32.exe
3108	Dhphmj32.exe
828	Dkndie32.exe
1728	Dnmaea32.exe
3916	Dahmfpap.exe
2292	Dgeenfog.exe
4316	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olaafabl.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Dgeenfog.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Amqhbe32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Chkobkod.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Dnkdmlfj.dll	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Jkmjlphl.dll	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Bogkmgba.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Caojpaij.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qmeigg32.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Panhbfep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1600	4316	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4af3289b0cd3a13d052ecc8f92d6190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b4af3289b0cd3a13d052ecc8f92d6190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akblfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2468	4996	b4af3289b0cd3a13d052ecc8f92d6190N.exe	83
PID 4996 wrote to memory of 2468	4996	b4af3289b0cd3a13d052ecc8f92d6190N.exe	83
PID 4996 wrote to memory of 2468	4996	b4af3289b0cd3a13d052ecc8f92d6190N.exe	83
PID 2468 wrote to memory of 2792	2468	Panhbfep.exe	84
PID 2468 wrote to memory of 2792	2468	Panhbfep.exe	84
PID 2468 wrote to memory of 2792	2468	Panhbfep.exe	84
PID 2792 wrote to memory of 1716	2792	Qfkqjmdg.exe	85
PID 2792 wrote to memory of 1716	2792	Qfkqjmdg.exe	85
PID 2792 wrote to memory of 1716	2792	Qfkqjmdg.exe	85
PID 1716 wrote to memory of 3388	1716	Qmeigg32.exe	86
PID 1716 wrote to memory of 3388	1716	Qmeigg32.exe	86
PID 1716 wrote to memory of 3388	1716	Qmeigg32.exe	86
PID 3388 wrote to memory of 3744	3388	Qdoacabq.exe	87
PID 3388 wrote to memory of 3744	3388	Qdoacabq.exe	87
PID 3388 wrote to memory of 3744	3388	Qdoacabq.exe	87
PID 3744 wrote to memory of 540	3744	Qfmmplad.exe	89
PID 3744 wrote to memory of 540	3744	Qfmmplad.exe	89
PID 3744 wrote to memory of 540	3744	Qfmmplad.exe	89
PID 540 wrote to memory of 2532	540	Qodeajbg.exe	90
PID 540 wrote to memory of 2532	540	Qodeajbg.exe	90
PID 540 wrote to memory of 2532	540	Qodeajbg.exe	90
PID 2532 wrote to memory of 3196	2532	Qdaniq32.exe	91
PID 2532 wrote to memory of 3196	2532	Qdaniq32.exe	91
PID 2532 wrote to memory of 3196	2532	Qdaniq32.exe	91
PID 3196 wrote to memory of 2056	3196	Afpjel32.exe	92
PID 3196 wrote to memory of 2056	3196	Afpjel32.exe	92
PID 3196 wrote to memory of 2056	3196	Afpjel32.exe	92
PID 2056 wrote to memory of 4860	2056	Aphnnafb.exe	94
PID 2056 wrote to memory of 4860	2056	Aphnnafb.exe	94
PID 2056 wrote to memory of 4860	2056	Aphnnafb.exe	94
PID 4860 wrote to memory of 3080	4860	Ahofoogd.exe	95
PID 4860 wrote to memory of 3080	4860	Ahofoogd.exe	95
PID 4860 wrote to memory of 3080	4860	Ahofoogd.exe	95
PID 3080 wrote to memory of 3268	3080	Aoioli32.exe	96
PID 3080 wrote to memory of 3268	3080	Aoioli32.exe	96
PID 3080 wrote to memory of 3268	3080	Aoioli32.exe	96
PID 3268 wrote to memory of 2204	3268	Ahaceo32.exe	97
PID 3268 wrote to memory of 2204	3268	Ahaceo32.exe	97
PID 3268 wrote to memory of 2204	3268	Ahaceo32.exe	97
PID 2204 wrote to memory of 1880	2204	Agdcpkll.exe	99
PID 2204 wrote to memory of 1880	2204	Agdcpkll.exe	99
PID 2204 wrote to memory of 1880	2204	Agdcpkll.exe	99
PID 1880 wrote to memory of 2380	1880	Aajhndkb.exe	100
PID 1880 wrote to memory of 2380	1880	Aajhndkb.exe	100
PID 1880 wrote to memory of 2380	1880	Aajhndkb.exe	100
PID 2380 wrote to memory of 5028	2380	Adhdjpjf.exe	101
PID 2380 wrote to memory of 5028	2380	Adhdjpjf.exe	101
PID 2380 wrote to memory of 5028	2380	Adhdjpjf.exe	101
PID 5028 wrote to memory of 3212	5028	Akblfj32.exe	102
PID 5028 wrote to memory of 3212	5028	Akblfj32.exe	102
PID 5028 wrote to memory of 3212	5028	Akblfj32.exe	102
PID 3212 wrote to memory of 5036	3212	Amqhbe32.exe	103
PID 3212 wrote to memory of 5036	3212	Amqhbe32.exe	103
PID 3212 wrote to memory of 5036	3212	Amqhbe32.exe	103
PID 5036 wrote to memory of 3820	5036	Adkqoohc.exe	104
PID 5036 wrote to memory of 3820	5036	Adkqoohc.exe	104
PID 5036 wrote to memory of 3820	5036	Adkqoohc.exe	104
PID 3820 wrote to memory of 4484	3820	Akdilipp.exe	105
PID 3820 wrote to memory of 4484	3820	Akdilipp.exe	105
PID 3820 wrote to memory of 4484	3820	Akdilipp.exe	105
PID 4484 wrote to memory of 3936	4484	Aaoaic32.exe	106
PID 4484 wrote to memory of 3936	4484	Aaoaic32.exe	106
PID 4484 wrote to memory of 3936	4484	Aaoaic32.exe	106
PID 3936 wrote to memory of 1056	3936	Bdmmeo32.exe	107

C:\Users\Admin\AppData\Local\Temp\b4af3289b0cd3a13d052ecc8f92d6190N.exe
"C:\Users\Admin\AppData\Local\Temp\b4af3289b0cd3a13d052ecc8f92d6190N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SysWOW64\Panhbfep.exe
  C:\Windows\system32\Panhbfep.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\Qfkqjmdg.exe
    C:\Windows\system32\Qfkqjmdg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Qmeigg32.exe
      C:\Windows\system32\Qmeigg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 412
        64⤵
        Program crash
        
        PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4316 -ip 4316
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
128KB

MD5
19ff618f902b9e4f7401cae34fd2b55f

SHA1
c699e4c353b118e2e38979ceb95aeae39e87c154

SHA256
c26876715a2dd08430444317e02b6684870170a0b69f059671362e4cc7519a2a

SHA512
95decab58230149da54693be00f166af212dad82e74a591cf37c1d886c7048a504dcdf34dfe338a7acf43a6ccce2697ff7d4a6fd9e0b11f127362a18a4d3c591

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
128KB

MD5
7dc41ee2711aacec0272018e0b2e2f63

SHA1
c10143feed22c3ece141e1bfbf3d760f32edba33

SHA256
d53faffad38a5f7ff0c593ac26ed65e2c7521ebfa3c1fc2b8dd365406348fc69

SHA512
22ac9b5bab7a4aebbb6a0d5e8b177be669ed0afc7398f2d1735af14ba1c777c275c02f3ca4e20a6bd4562e7f31bd145db51ca5b409b77e3a32e5fc265199008f

Download Submit
C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
128KB

MD5
559501e7f354bea5f7dc09c1896ba75a

SHA1
a48748d5a0e5f9430ff1b24f53ddfb24449607f8

SHA256
d8c574ae682ef263808237603fbffc195af207cddac571e3c47711f13a48c1d1

SHA512
39927cd1eeb34dfc4e2b094042aeeb3c556b507058fb88492fa64869b816462f784b1c7f9260cbf31b62cf0a10c00134f5ff68d39e1d082c9da605c00844193d

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
128KB

MD5
a50a4596e6f7be1db1e6428f9277dfc1

SHA1
3b3d910f70ab58b3250a1f6115eeedaef74e6b58

SHA256
9eb04c4aa051173deac2b05f29ec903d5d2c442d4675931dccbc2a4ab88b9b7c

SHA512
f575e1daeb6902d8a74520bba051aa8d942af45798dca178e0847ec4ef11443831f96f1f39a5a1980ce64a99d5f2f79d1c79fcb107f2ef13cf55c8b5d9a51260

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
128KB

MD5
65d4f97e3656bb2fe277ec0adcab200f

SHA1
d88a7e1a0f752780a0e09f94ba8398347d6d5d20

SHA256
346a9f56e971ef044f69f64ac5ad19e4b12f79bc7c066d04afcd1a7ae2af3fcb

SHA512
dcba9e6722873dba17e43e952368327911d3ff262fa71cabd0fc29378b73a023e21a517238082b3558923134cc88e8f7c7afa9d884ca0d7220a6c7fdd0096e58

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
128KB

MD5
85bea8e9ddb36939b5320b1183fb6085

SHA1
cab4c68aa5dab7133306e5aea540dd62b0a2ba61

SHA256
4e4cfd6c08f72ed071c046dd2d28f28a2641b65ae35ca01685dbb9ab3f0947d0

SHA512
1fb442221cd14382bc4d90fbd397c4f47db85469090ce66bc43e4196c0bcd50dc068dace8e4346668c089a60ee6e94a628d0134d6d1037425b36b0e4f7fa444a

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
128KB

MD5
a4a7d510f295d02ea35494674e8e7656

SHA1
effb847ffcf37de8973c41f5ca928b5b3f03470e

SHA256
d2d0a995a9011894a52c4603976200f79419cc7e6a3998737b30c30417ae5ef0

SHA512
a5ed2d4d50e6cb35073cead0d6b2c9382404f1cbecc4046a6cbeafaca19fb4c37f188512f4deb07c796876fe7f5b6766349d4112935f0eacb11bc06c78cf01e2

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
128KB

MD5
2a3a2c1df6ef8dc60f5004ed4778d083

SHA1
fcb31eeb6ce3f2db141731e67eb45de04cd975e2

SHA256
97da59ac82f8870ff700092fa27c9a6763ad630b67cb683ff3fe66c5943fb073

SHA512
aed96a956c2622e6b55971cb7eec9926998f393848ebef7b67de85d28d4c2cfacfe97cb96c9052784b046fae4d29fbf3b69fc48cef04eddbe94344b268d192b4

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
128KB

MD5
3a7176e527ae339b3d146f41768d122c

SHA1
b9963c9ecd341b8a055a978116b296e5a9bb5886

SHA256
f99c986ebf4b986f228dfb466d6ba9446315af3a0d7296098f036e6ac9d94f35

SHA512
77268ea49ed082bbd49ee088080803c544c849175f83348241656d3dcec904102dbc84a56588aa6def6293deacbeb1d05cefa723528f4fd54798e5af196b72d9

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
128KB

MD5
a8dc0b1160d8f78c8d67d06a5772b177

SHA1
66b604b99bcae535fcecf7690f0d67beabc1ee12

SHA256
228dbafec06f91a8b20eb890dd67ba2951ccccb954fb233d4e793a9d0006f9a4

SHA512
d73bddd0d1511c852edb2d1a0a7b0272298e5cfce2a211e94c3a83a97a5057c7e371217ec1738f639c3a959a5b67f13943a31da1552f3724f55579fab06372b2

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
128KB

MD5
ca42dd2887d009cb9bdd5d051a435aa9

SHA1
ba787df1dbbfc9e741cb3b6d8e41552de18eec66

SHA256
74b157e6359ba1ffe84d8891302efca2b43220eda1ff0a319ba43764ff39e4c6

SHA512
5dbc68619348ed66bbe6f707aeb83da057db6c976145f5ff007d8ddecd70f49a1e59d2e772b1a8d01783b12f29b272787e43772dc6a506c26ca075b2f26a18bb

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
128KB

MD5
5ebdf6188fdbf7bb2d034720f1eb126e

SHA1
40889816581cb3bd2d1156f2ccfd7b895fe91119

SHA256
66dd3f7e17abc3b24f2e0f9c37f251f1b82cd747a3f8fba9d3b68baabcf7016e

SHA512
a40748ff1c67cfb037311cc54804843d61d21eeea4408b8277b9c9581df85b577b861d5745ea9dbefbf07a0c99611e46afa717902fc5a05e463f3e58916b650c

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
128KB

MD5
c018c5551191cc157370b45583a8653f

SHA1
ce641ba154fabd9ff569ca971d9139b9754595a0

SHA256
e37766f6cc34479394ca6060ac4997deaca620b4587b8b66181d655e8be82607

SHA512
edcfcda6724fd4f2719aa8a760548d4895c125713cdd83343e5a22d9c4dd45ea8103c3791cc0315166fa69d123a90cf08da82aff5296d41f4af35c234238d5a0

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
128KB

MD5
eb16c755abbad26644ce79fccb7fc0a5

SHA1
060efca3009255ec4c6edfd4792679c6a37710d6

SHA256
2dd432173d2a48625752ef94d455533d468dd8d10e1ef8ecfd844882096f32cd

SHA512
4ee840797e4f63e7eb9e51063ced9eaa02e15867a23cc2f29a5d0c01ff07f369a79924982b3c018ec3d0209b1db027295be13864c4e6ab5c5c7cc4d8212788cd

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
128KB

MD5
ab47eac28172a5dff01619d66a0814f7

SHA1
6ff4bcb761af60ecce7ea14643ea3aae3db1ba20

SHA256
a4616435fe8f3f7310f2a7132f4ba11da348157ba936160197ba2e167b28e525

SHA512
d83bf1129324f95794e0cc055b441a113527270f3ad2a0f10f3c2d62f0c25c843b22d40d56d83a9fb5145c060664e1cab2373448a43525371a981f4128028092

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
128KB

MD5
e042f8ba6a843b46c0f7ec8b6ef12970

SHA1
eb5bf2efa73a5f46ae457728f1e8059fae52efa4

SHA256
964e14f7f450182bafd0a66d5d05079ea1ddb5d25e7cccd3af4c807f34265682

SHA512
6addefd034e5731fc8ed05376a70bc50dd0db681eb3556e2e781d8e3fc88739e1c78677ff8353d2de8ff5aec2373449f3102207d8a66a8bb4b48e62de448ee85

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
128KB

MD5
7642f93dc7b3308cc5e6f00cf792092b

SHA1
d8734d94eaa4b8b27b003bcca5a038da39328be8

SHA256
6630b11d86cdb44864cc5d2af69b1195c917603f96a44ac0ec6e22272a801b76

SHA512
5e44b83a7b375392ba0a6bc892ff38631c4fe26e6d9cccd7208e904399de0a762be19dd548c87636754c4da739d7f439f84cae2b4a846e91e86d2f04684e5d85

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
128KB

MD5
c675c5997317dcff92d01851fb7997d5

SHA1
fbaa7c9eff255f18cbb05d14d6b912d2a40b02f6

SHA256
2c96296ca72443cecfb3dc67689ea890fc1a23e27c56be61e8b9c576ad32ba83

SHA512
14bf6df8b3525905e6eb22f1d6e83feb226787e2e1129900596b2c5b785cad2f4ca5f95368bfa1d9f5648b0cd4c7d858299a08bea5a71ab5a355a0ee2dfa8967

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
128KB

MD5
6249202dacdb05e35ae1d24ea6995883

SHA1
264bb969cc754f33b9adb64c22b1a5e1f0cd1a80

SHA256
de5752e7ddad2fb70218c5080fe896d53e89e3dc352fcf683aeefe6a645c7c8c

SHA512
fa6430a125c4d395ba63117fb9d44ad878d7af5d9727fc0d3e6acc982235d2142907ce85c7a444577f7077f32ecef3580d0716ab90241071253e7ec67391b5be

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
128KB

MD5
d5192e0ca6652574b945de9ec1868ee4

SHA1
bebd22c3dfc73fa1f87816e101764eef63ae8d50

SHA256
829ab16067a15a2f1172abcc9a1518ceb9a46fdd66ace02eb9da8a450686d252

SHA512
dd418a933b1911f25731276aa8a3bd85a0587ad4dc01c46fbdf3aa39f8ccd6e9a5dca677e8671f21264fae15d7309ec019951b489f0c8351a2f64272ab8fd18d

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
128KB

MD5
76d36129d5478a710e119b28fe871fce

SHA1
81e35548f8b11df159f7ae50a8a772b7874b585a

SHA256
cea9b040a1ddc293fbf2b0d010d6185e1a7e0253b020417b69cad75d382e6f4c

SHA512
e6d2f2ff6252562cac74e16bca7ad1c931a176a610987b0e6eb7a8a68664a110d7c049459fd952016d3c5e19b8e67a5899154f9403cf629dc579cbbbd1c1257b

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
128KB

MD5
657f1edd3c5bcaf47532f4d300ecbec6

SHA1
c6bc5fbdd7cbf78ffb99031196ddefa2a9735cd6

SHA256
98f261e4f4a9e0e0dd00e3b3f38bbfe052720065529a2f0ae6eb69dcba7afd9a

SHA512
dc07817db924285af20f44647667c6372df6d8e18419eed83e8426aa11e0b93579ba9d40eadc77d7c825fca3891b56d672fab4ff58aaf972dbf82a1934b31e80

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
128KB

MD5
c2666edc9820631bbee0f8aa9d21ee22

SHA1
1445f1c4ec56dffb96346e7ad184274695488978

SHA256
102dbcca02b5f8850e56befe2aa82f047185f315b22c55e0e104c6a5341169ac

SHA512
c6fc4ae60e7fba77d670aeadddb235b39e56fe37eb27c131b969613433a406d470b00987a78e40ccca5d4365ae7aed5a2cbea46ae99043b87e99a01d5467b253

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
128KB

MD5
09c061afb759829c28e90993f6520706

SHA1
5a7e4ffbf7d7cc64845389689e0b74e7c47c3ea6

SHA256
23539c0b51ccab70ea877b18329453579e2b0cb90e2b799cb5be15ab6d388ccb

SHA512
03f70c85a16f3d7bf826c60d5c522a77385011ffdeebf6f636ed4c60dbaf3b9c898bf10e1e953b01c0f827daa5a74a890d66c115b1103f941ff69b0dea2739e1

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
128KB

MD5
a20e41d1f5b9367f2f2ff907273793a1

SHA1
23ea5bfa9898f20df041227b103f59100568e313

SHA256
059ed313261abf3fabc31d080c3f79e9f0f693e52aae1dc33ece8a6c1f8cd0e0

SHA512
f42c8c20b735be0abc82d14b9df03b7ca2e90582334dbba12c3a502a361f6d6ec9e13a917e97dc7d43ef1b2c2d53ed751117ce2a131b4657108f1b81a6b787e2

Download Submit
C:\Windows\SysWOW64\Godcje32.dll

Filesize
7KB

MD5
b17aa568226d8a003b80c2f9cc73ebe1

SHA1
c7eb22e71ed5f22739b53224623618c581fff84a

SHA256
b9a2c7b49dbcfe5bd88ba3a4b320b3a89166578ef4c9a158f3b386642cd5c8c3

SHA512
9a5bc94c8448f8b67ddbb3dafe2b2281767e62c7374f81a5881062a1b4cb590fcffbba1d1655378407b338d5d184748f9efe109e796a1578ed0d8528969ef9bd

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
128KB

MD5
d60ad5c6663e9a9c78da9fc7588c62df

SHA1
ebe015329fc66869121177e7cd6817707feaca8d

SHA256
cad0b113fc18fb3366e618a7451b4e7009248acfba490206ca2205d6b5d0daac

SHA512
bae5f79f261f108a92632bfcb02bfbfae44022956078ddcf69c7967dc0ad1567f367c3419428089f1b02ca5ee4be055e7f8424dc2073f1867712bd15db0ad6f3

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
128KB

MD5
7cf1d1cc49aab0940a1944a876f65261

SHA1
ebb68cbaa5adb93abfe4ced48fc57f91a964e816

SHA256
bad9928d0feb353c33314d9000428ace802de3b068a2ddc224171dbb73bf19d2

SHA512
8353cdcea9ef2974c00b1b522b165af337f357f6f3e39e75cc38a022a5350ea58ddd14eb40810332bafb36626111a9758f1143dc25ca68aef9e8709ac1a52d4b

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
128KB

MD5
57ccf72d08512e5e5ad503ff225eabf1

SHA1
85708e41fd7ed278c28c05a4018980cf1a37a47d

SHA256
bd9db78c7f5526627a6647e37eaf9812142b9edea9f692aad8e567c6460d4833

SHA512
87d496279d923e641f6e7e379ffaa8c3ecc5738e6f1eb364f3338648a9d96d6f3d62fe54601edca5994d900ab0073ecb433ff5180eb68d54c8563d079a28bec1

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
128KB

MD5
97d232ff07902dd464ef9e8f818078a6

SHA1
db2e7565bc76635001de5c8929a48b498fa18c54

SHA256
b0d80a3da07dca3a232198c7a25d00d5ab1f0b9ebfda1191ddc929c1eb60cae5

SHA512
7e8156cbd790d6afb76df12e30a176da8c6c95202483ce0133a75bce78753c3a8ac033cd8282b369024b32bbe444e7bd8b60d262b337e2600ca4b814018846dd

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
128KB

MD5
f6cd510605bd3bd9a518d4d12f6d1b7b

SHA1
edbd189fe968f6f0e53504144afb2658a46346c0

SHA256
b6be5c3d379ef924855ec8f463538688ecd55b600ee18075a5d1e5adcfb93d61

SHA512
87c39e401baf2904a6f4e2c5617a61ae60a0192ed59fab9e2b4c406c4ee9fe9486aa8e8aba7711593071e04268c1ae0f352c6b3827abd17564cc9adddb5a9d95

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
128KB

MD5
3b93172ffebc16071ec78f3b89ad2e59

SHA1
a35c7636af540b35c680993bf8db7d53f282fcf8

SHA256
7f354d2d2ac36be47c8afcee233c7b44da0061a3c62b1a87091b4c8361ae55cf

SHA512
c0be991bae4d87f6098ac28ad40ab12e7b0cf05c1b7d42bf976b8a1f3e074f90c507fad8ba6d1e7b395c72c70d4ecd4735af71f60e1abeb4649b9b772c380497

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
128KB

MD5
05564f6f1f8a693f8806b7707ff8061e

SHA1
c3dc4e61e4655a32baae3eed698c1a37a682d4af

SHA256
fefb9867938e81aaf60b0240d90e592cacb59b8aa36ff19a9e5bcc5a270f6918

SHA512
ac5cd96e23236930a38981bc2215e70d297221c6f119b1510b3e2b049074376db56e018c3258c36b475c64feaa266a0f88eb6a4644c18feec4b92f7348f64f29

Download Submit
memory/60-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/60-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/556-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/556-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/696-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/696-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/828-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1032-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1032-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1216-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1216-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1624-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1624-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1728-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-445-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2468-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2532-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3108-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3108-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3196-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3212-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3268-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3388-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3648-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3648-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3708-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3708-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3744-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3820-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3916-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3916-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3936-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4760-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4760-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4876-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4876-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5036-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads