e8943fd49e126310e62d13c007b4d24f2876d4e62b5010f10d5f871e3ad8f47d

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ed7bd52c3fa211379126a23818ad330N.exe
Size

96KB
MD5

0ed7bd52c3fa211379126a23818ad330
SHA1

7c28b5f21b2a59e6ea603d03df2319d562075ce0
SHA256

e8943fd49e126310e62d13c007b4d24f2876d4e62b5010f10d5f871e3ad8f47d
SHA512

e029da2b2d08214c01f6bb45efcb5b9003037339f6b90880ea959827d7479fab454551b848858efde2b59fe91829483c17783b1480210c1be0fe1344fbc0ac78
SSDEEP

1536:fecC7rWneyq0rtTp8w6Z+W1xT0XrUAWUQVXz8b7BiOX9gTjWTz4Wnu/j48duV9j1:fecKCeyPtTRyT1xT0YiQVXYb7UOX9gT4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Executes dropped EXE 63 IoCs

pid	Process
3460	Qddfkd32.exe
4048	Qcgffqei.exe
4852	Ajanck32.exe
2516	Ampkof32.exe
2412	Acjclpcf.exe
2352	Afhohlbj.exe
1724	Anogiicl.exe
4764	Aeiofcji.exe
4092	Agglboim.exe
2664	Anadoi32.exe
5080	Aeklkchg.exe
3476	Afmhck32.exe
3900	Ajhddjfn.exe
5112	Aabmqd32.exe
3908	Afoeiklb.exe
2032	Aminee32.exe
2784	Aepefb32.exe
1404	Agoabn32.exe
3548	Bnhjohkb.exe
1512	Bmkjkd32.exe
1108	Bcebhoii.exe
1376	Bfdodjhm.exe
4576	Bmngqdpj.exe
4132	Beeoaapl.exe
2988	Bgcknmop.exe
4324	Bjagjhnc.exe
4448	Bmpcfdmg.exe
4616	Bjddphlq.exe
4368	Bnpppgdj.exe
2072	Banllbdn.exe
3800	Bhhdil32.exe
3188	Bjfaeh32.exe
1936	Bapiabak.exe
3012	Bcoenmao.exe
2496	Cfmajipb.exe
4220	Cndikf32.exe
1276	Cabfga32.exe
952	Cdabcm32.exe
4200	Cfpnph32.exe
4196	Cnffqf32.exe
4924	Caebma32.exe
4028	Chokikeb.exe
4752	Cjmgfgdf.exe
3316	Cagobalc.exe
3664	Ceckcp32.exe
4208	Cfdhkhjj.exe
5104	Cmnpgb32.exe
4876	Chcddk32.exe
440	Cnnlaehj.exe
4088	Dhfajjoj.exe
3716	Dopigd32.exe
2452	Dejacond.exe
4376	Dhhnpjmh.exe
2004	Djgjlelk.exe
3528	Delnin32.exe
3576	Dkifae32.exe
4848	Daconoae.exe
2056	Dhmgki32.exe
4440	Dkkcge32.exe
2092	Dmjocp32.exe
4044	Dddhpjof.exe
4928	Dgbdlf32.exe
2448	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	0ed7bd52c3fa211379126a23818ad330N.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	2448	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ed7bd52c3fa211379126a23818ad330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0ed7bd52c3fa211379126a23818ad330N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0ed7bd52c3fa211379126a23818ad330N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0ed7bd52c3fa211379126a23818ad330N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3460	3820	0ed7bd52c3fa211379126a23818ad330N.exe	84
PID 3820 wrote to memory of 3460	3820	0ed7bd52c3fa211379126a23818ad330N.exe	84
PID 3820 wrote to memory of 3460	3820	0ed7bd52c3fa211379126a23818ad330N.exe	84
PID 3460 wrote to memory of 4048	3460	Qddfkd32.exe	85
PID 3460 wrote to memory of 4048	3460	Qddfkd32.exe	85
PID 3460 wrote to memory of 4048	3460	Qddfkd32.exe	85
PID 4048 wrote to memory of 4852	4048	Qcgffqei.exe	86
PID 4048 wrote to memory of 4852	4048	Qcgffqei.exe	86
PID 4048 wrote to memory of 4852	4048	Qcgffqei.exe	86
PID 4852 wrote to memory of 2516	4852	Ajanck32.exe	88
PID 4852 wrote to memory of 2516	4852	Ajanck32.exe	88
PID 4852 wrote to memory of 2516	4852	Ajanck32.exe	88
PID 2516 wrote to memory of 2412	2516	Ampkof32.exe	89
PID 2516 wrote to memory of 2412	2516	Ampkof32.exe	89
PID 2516 wrote to memory of 2412	2516	Ampkof32.exe	89
PID 2412 wrote to memory of 2352	2412	Acjclpcf.exe	90
PID 2412 wrote to memory of 2352	2412	Acjclpcf.exe	90
PID 2412 wrote to memory of 2352	2412	Acjclpcf.exe	90
PID 2352 wrote to memory of 1724	2352	Afhohlbj.exe	91
PID 2352 wrote to memory of 1724	2352	Afhohlbj.exe	91
PID 2352 wrote to memory of 1724	2352	Afhohlbj.exe	91
PID 1724 wrote to memory of 4764	1724	Anogiicl.exe	92
PID 1724 wrote to memory of 4764	1724	Anogiicl.exe	92
PID 1724 wrote to memory of 4764	1724	Anogiicl.exe	92
PID 4764 wrote to memory of 4092	4764	Aeiofcji.exe	93
PID 4764 wrote to memory of 4092	4764	Aeiofcji.exe	93
PID 4764 wrote to memory of 4092	4764	Aeiofcji.exe	93
PID 4092 wrote to memory of 2664	4092	Agglboim.exe	94
PID 4092 wrote to memory of 2664	4092	Agglboim.exe	94
PID 4092 wrote to memory of 2664	4092	Agglboim.exe	94
PID 2664 wrote to memory of 5080	2664	Anadoi32.exe	96
PID 2664 wrote to memory of 5080	2664	Anadoi32.exe	96
PID 2664 wrote to memory of 5080	2664	Anadoi32.exe	96
PID 5080 wrote to memory of 3476	5080	Aeklkchg.exe	97
PID 5080 wrote to memory of 3476	5080	Aeklkchg.exe	97
PID 5080 wrote to memory of 3476	5080	Aeklkchg.exe	97
PID 3476 wrote to memory of 3900	3476	Afmhck32.exe	98
PID 3476 wrote to memory of 3900	3476	Afmhck32.exe	98
PID 3476 wrote to memory of 3900	3476	Afmhck32.exe	98
PID 3900 wrote to memory of 5112	3900	Ajhddjfn.exe	99
PID 3900 wrote to memory of 5112	3900	Ajhddjfn.exe	99
PID 3900 wrote to memory of 5112	3900	Ajhddjfn.exe	99
PID 5112 wrote to memory of 3908	5112	Aabmqd32.exe	100
PID 5112 wrote to memory of 3908	5112	Aabmqd32.exe	100
PID 5112 wrote to memory of 3908	5112	Aabmqd32.exe	100
PID 3908 wrote to memory of 2032	3908	Afoeiklb.exe	101
PID 3908 wrote to memory of 2032	3908	Afoeiklb.exe	101
PID 3908 wrote to memory of 2032	3908	Afoeiklb.exe	101
PID 2032 wrote to memory of 2784	2032	Aminee32.exe	102
PID 2032 wrote to memory of 2784	2032	Aminee32.exe	102
PID 2032 wrote to memory of 2784	2032	Aminee32.exe	102
PID 2784 wrote to memory of 1404	2784	Aepefb32.exe	103
PID 2784 wrote to memory of 1404	2784	Aepefb32.exe	103
PID 2784 wrote to memory of 1404	2784	Aepefb32.exe	103
PID 1404 wrote to memory of 3548	1404	Agoabn32.exe	104
PID 1404 wrote to memory of 3548	1404	Agoabn32.exe	104
PID 1404 wrote to memory of 3548	1404	Agoabn32.exe	104
PID 3548 wrote to memory of 1512	3548	Bnhjohkb.exe	105
PID 3548 wrote to memory of 1512	3548	Bnhjohkb.exe	105
PID 3548 wrote to memory of 1512	3548	Bnhjohkb.exe	105
PID 1512 wrote to memory of 1108	1512	Bmkjkd32.exe	106
PID 1512 wrote to memory of 1108	1512	Bmkjkd32.exe	106
PID 1512 wrote to memory of 1108	1512	Bmkjkd32.exe	106
PID 1108 wrote to memory of 1376	1108	Bcebhoii.exe	107

C:\Users\Admin\AppData\Local\Temp\0ed7bd52c3fa211379126a23818ad330N.exe
"C:\Users\Admin\AppData\Local\Temp\0ed7bd52c3fa211379126a23818ad330N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\SysWOW64\Qddfkd32.exe
  C:\Windows\system32\Qddfkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\Qcgffqei.exe
    C:\Windows\system32\Qcgffqei.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\Ajanck32.exe
      C:\Windows\system32\Ajanck32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 408
        65⤵
        Program crash
        
        PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2448 -ip 2448
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
5fe5993c1c467c77d3f0e25ceb6f8c9d

SHA1
49da5ad48ffdaf303895c1817903feab0da81169

SHA256
4b5d88193b4a7d1cb880bbe3e65cb05ff916aca59245205f7d5525a36f8f3faa

SHA512
c173bdd47eb70b15b6319954eeb00623e4ca44f70792db2325e05e14ed85bd866c7cc0f51ec99f1eb717ef17b95b40be74ea0cb77706732984a387625b77b711

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
d71e864fc93cf3f2ef657c5dbc122740

SHA1
af3f71c02af4dba1f1c7c84aafcc57dea4688281

SHA256
8ab4459d7d2e511ed3939a68b5b699f74d155e613913e9d9a0e9f4bd330914c7

SHA512
c59527be6b2b7449b397f29fb36f8c0b90c3b7889b057a578ad21fc421c37277ab49386341af8129632e9f4cf977848300d07d2357da41c480ea8c34e855609a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
26a9409904612ef2c21ce8815243357c

SHA1
8dbdbc48ce25279c974d1819a1b2dac70f9c4dbf

SHA256
3e245e4be041bb1bb010de323fe508231a7b345fdf9100dde1b682922e86d0b1

SHA512
2568aefff3bff5ec2a489945371e7f1160a7b17c5f6ed37c1c15b97e6ab55711672710d516f9d3887f38233e460c824d6d449ff61c6d7642529cca252c3815ce

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
895e4ab7fcd9c201f78d72b1b42535e5

SHA1
0aefcefac53a4b0da3e381626916b8cab2df81ed

SHA256
1e708525c6c421938c271f98cd98c96250cdebc845475a0c48cf4da4fb224a93

SHA512
e00341c534beeeb2d09b639b1b392367da486810d2580d2885853641b9b37b761428d4f68a74eb1ededf97be4322cd5d78b8eac2db3f3b570aee7efa8aac4a8c

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
f6ae0de9496a1e9d7dc80022eb5fed03

SHA1
be19689219e390904daa0d21698a5c1134e6c182

SHA256
9e61768fb0df31aa7d3ec97b5e063c76ac036410091a5c4a1fa66c307445457a

SHA512
e23b745ec8161af536193bb9e6444d049fc9f89d3ac192ce73138d6b6bb5d455b3d5dcc2229e7bea4320cb1366bb023b0be95f9d42bb7763cd7b7659dd9b87a3

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
4e2b4d17302ead8111d6999a61d9be2a

SHA1
a6100b35788d57cef0e2f18f7eaa2da9fd877827

SHA256
53ecc89facc129818595b46b74c50a60564a1a1d60b0ed01e1ed846a2fe6d775

SHA512
c46d7693ee40b556bb19b3cfb9fbfa4fb70da44db8e1dfcd1620317f07a329cdacdc4a6e82157419b626ec9798de01d9a85eb4803da8db07524196229acde1c8

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
d1fa1334a82aab7d1feb806a87e6cec8

SHA1
19ee0c71e39a91f79e9dbbe65a03d02df1a2b761

SHA256
dd41708cf395af558eac1db1329d4014dfc57ca8cd2e850e4c79d359b90a8750

SHA512
4d72ec899b110ea1b47df3dccfd24bd80132245eb13091a362566c9b16480435ed40d4d9c726060b3fbf8e019359bc1c00e2479f9c1d355afc60c8047100bb47

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
96581880b766ab98d1385cc993ee9239

SHA1
1eb850c50382ef93434a2390f431af0fa140787b

SHA256
d40b7868ba916c4029905f00c94436484e817ee0b4b94dfa1af4771aa9489ccb

SHA512
b7924b9abe6e6a564fc329b870cfeb47531419ef6c015236b7e4d048922d32fee95d95c51df74cde0eddd7c07bcaa6a5b4ce84d7c651578f23daa972e17aa882

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
bcb126852128ca799c3b444653e7243d

SHA1
26dbd89dbda8b108238461ec61df2f07a696ee52

SHA256
40ba151529a02db4694a438e498db34f5a3fae1cb82549e38e6724a139b8fe66

SHA512
f041980f558a7c14ce20d4880bbd2143b84a31230593ebf5b70e0feef843b32387c126cdd93418324ca54d5d35700bbdcb0ee53f89387b151cd14ee101b014d7

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
61f876a99e1009f17184b392119eb4a6

SHA1
3436ccd5a15a72b6cb682d2ed2cd8a643e5595e3

SHA256
08123853e5496d0390aea63eac5fb87d73814b00a4b41c9d61ba2fcbbce1e690

SHA512
85b13d6b54664c6a5ede49c6960bcfb8a3e07df69e2e4abf34c5cb6417a7a37b8899c1a1892191b00ad7d6beab97e7f119681aab04275cac62a1fced3c7df36d

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
3b8385d48f82c44f341e125679f0fc51

SHA1
2f718a72871d491afe899fd9c47fc6c11ab6290a

SHA256
d48c26658e451c179c7d36fc37dbf40cde8ff8dec9cf4028f517da0ec5906d79

SHA512
687aafdc687684bd49b6ac1dca229301baa4bbdb3f1385c56af8639ebfff8793b635fb84cc22b534d5f0ab84e3cf99d9a009992ca4cd2665db96973e8c4de8e2

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
36f0b37539f84c38112919169100229e

SHA1
9f06de72efde0384c8dd8ba3254cf1b73a65c436

SHA256
b4ceabd3d7c4381cfcc51cd73bd1c32ea397af7bf2c1548cc3bb3ca760fbd427

SHA512
219c51308232b1c97f375b0c196ebaea5932c47f60cc003c1e5686a53d0065ad6b280f9c71dfcb314c79a4217320406ca7e74b1750e02506a9379c750666aa33

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
0dfd4c6da6d89c84bd31c2bc9048f245

SHA1
7b78f4bb890fc60ed2528a4969af6eff17eef81f

SHA256
ba677835a163b8a741c715266a948c0234a08c46ed7bb145d3cdee177fca4187

SHA512
248f2fc4c62b52d6c0c904d417d7233c6ef589f4320b67df03f1b81712facdd3a37b55f63b19fe3313cfd3dc79d2f391899117e3c84e02c0e71aa6f728ae63b6

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
357a8186f0a65c4c2377b5bc3ff9db61

SHA1
00a07f0214c966b777981fc3665eda87c9d98cd1

SHA256
10e4e37a0ee96a06534eeb7722c983e1c7c46e19aa2b2f503d45b97080074032

SHA512
76a0714776c913d40dd6f3d2a8f862b56d9e796fbcdb74b551e06328600814d5dd27f02c3c1262c405d15a30333cc89bc620e488bf5baa19d974f91627120fc4

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
31d72ace5874cc10c9b801f8aea42236

SHA1
3d464ce8b2d7c206ee74dea631f8ac2db30058d8

SHA256
07de485ce26f0cf6ecae6e91156128d36da725d39a3bbe3f87786a6f15c6a82e

SHA512
19d9c24c4aea541a58b692a2f07b0eac5a6d73fb7cdf483a520e5ebe3b57095dc8da504815d5c2b3c57665051259bf071a257893f0993d5242e30517f65b853a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
f473b24f046083bf4eaec35cb4320e33

SHA1
e75b7622f6413e1e7e2a99619f60cabd566c18c1

SHA256
348d5ffde6ca4d6714c2668cc82cd7422ef6a36d9a8f3bff5f082ef48c691c5e

SHA512
79653344c5eeaa218eb91f98cff5ffed4a6cc794c820728b93e3363734c2ebec6f7c55a926de91a1d47c7bdf7816c12ccda9277be43323fde40d348187a9639e

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
b4fe3833a905860d66273bd24ff23547

SHA1
d21bf6854ab87d5a9f7fb9e4f342974c20582dc1

SHA256
4e8815333981ebaadf6809a9b1f1a995df81b1586ba974bb349ff173ebbf8bb6

SHA512
6efda5c7ffa2fe166637fd0428ce73d3f0a8cf7b6c585761e2184a18c990c6a2bd207f7538294483d6fa9db7239717e12c2b555d305c70e3e040689d1e14d5fb

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
facc0dd72cbf093d0765aaba6111b9e0

SHA1
ddb92f4aa80dd9067b30752527b96d19ee948b61

SHA256
ac8c9965c27e1a62fba7c66cda2c76fd66217190054efd91931cd7e43e21689e

SHA512
2807674c94e0ee0d031da9524e1dabc654be84326ce4520fc3b724b2ea5eaefa938eb1fcd6a76579710efdfa59dc7169cb4bf9429b44dc339f6623a17a85534b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
47156d4158f22792436238eeee181240

SHA1
9042fe6cb86e20a2be321e8a4c19a9260bba9757

SHA256
b73941ea061c5bc56400a91c3f88f6a23e73caa7111fcfb3462efb56fd65714b

SHA512
c307fb8839563817efba0a11d196b9158e27fd295d6f0ae37aef1a4b5e72694cd32d929256cb28c752ca682815decb49a721e231af542fa1e10cee01f47cf10f

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
7057635be1c0f044c0d3b79381acdb64

SHA1
15839b340aa5412a8c46a55fb87b3b615503a397

SHA256
e9781d031d4ef1ca2a5a3a459fc2dff71debe3a851fd038d08cd488ae95a230b

SHA512
d63092293143707434f64f45325a51b73995e4b3f87e84282bb5645eef2c024e522ae289df9ae6bb71aa7b2c510e51d39c6041f3e8502002d7211d735d96d26d

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
fd7ef6b4d86504e4d8571e20f0bc83da

SHA1
e6a8859af5cae2cc5573ef0cd648ea78e5200169

SHA256
b3d846d231ac65e2177d1b5cd96657ae96b18fd43fdc3510e1e757c109b6c70c

SHA512
aca08ca9a987ad3d4e9f8d0913bd93540126de5d8783fefa3f3f746be1a92f50f076fa192a1716a260a0323ba7ecb5cadad2dbe1ce650af7888a95ce08d82e10

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
d784bdb03c74ac451a5f253534f2ca68

SHA1
f655894ec75b5916aa02f45d3c5fe7aa1d0e2718

SHA256
cf25f7b0df89b492a9e362974066d2c2ad97ab5de6b8b5dfa281ef1e88ea5a87

SHA512
13bcf8110142bdaf2233bef1a70d0f051e8ad71cbc5dd088c31cc190f736cc0ae97d67642d90b6a635266f3e6357a9ff920db2a2f508ed4031f6f289f33f6672

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
51bf798ba97a427d47b546cde9b02336

SHA1
dbaf03db2e5dde203ca3d21338169ad6d2811943

SHA256
580248960aa4f0699483b56639b74cb39bf33032dc35fbefb0f3fdc47e681e89

SHA512
09fcc6af6107b89d78c850fe12d7d8bfcc7576e71ff8e737294324c115ea2ae5d2ccdf9f078d60669c69c229a1500b2379d99aee480134f7bdf7d58aef1b2ec9

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
96b3d876454d6fbcd7ae81c18d43baf8

SHA1
fe353e055bb59b78897db1c3681f118a43fa107e

SHA256
09293479608aa61ed0821e91176c574ad0e509c3c6dc12fddb59cdddd9f867bc

SHA512
3a15c689782ce1585a03ae5baed7cafde10581ef16b358bfb565fdac2420ec5b2cb8b677b49eef8e3aba4f328ebc4783a44b40ccc00a7ddd3b261dca27cc591b

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
4c89da5ace1201d2d4bc20eab5cabdeb

SHA1
1a8fac5baeed1c2e64c8f0995884b9593f0026ac

SHA256
61b69d1d4b9fb29a908174fbf0412efb41bddc84fe676750fbd0efcac4d4cc69

SHA512
e5ec36fe35c5ebc0bbf0930d75cd04ef0c4c2a3469fbee1d351f6a04b7648a61254deb40ae0454f38f3b71e1c64465ca0e8b8e11239a09fa44cce67b5e756f40

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
851eec2a711c544dd7c18e1ab033153a

SHA1
6551e37233d7455a4af9f3267d83b3015c6c7b39

SHA256
1de385238d93399313e0299320b865b1a606ebe1a7d7bcac3d081583eff02ac4

SHA512
8038f161f4b652503f117e77be43a184334483e41a99e0cfbef3a71c74e33f06ecd1ae609d7e51d7d4eefac4bf986b51c5db17184ad31d9a048f71f7cb1582ec

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
c7311c5026e4e5d3f30404fd4995bee6

SHA1
0d6fd07754533975e6f2615e9f6e110dbf73701c

SHA256
b83e442fbb883c400fc360c45f7a378106f5673894cba77e5bc15a46b914c20b

SHA512
73ad1236584f52ae2accd896ce0b25fe04f383107909d7e90f776c43d74c21a2f9749061ef6caf18980ea199a5ee70b5d87c6e345cf242fbc5b0c3a20d04c8ab

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
3899aef28c70cff58cc6600c819151e9

SHA1
d38f10a3034df8abe234aeea300f24c292f0dfdd

SHA256
ccac81bd4a10469ced72cbd786fcf9066aca1fa40b64daf133351b2beff51cc3

SHA512
9d7ec9bb989ad99b37b2868002a55e43f07104439a52453fa3cc96beb1aecb1e8827ab08735f295128c075a7f18fa4dd8843c134e557de3118cd5cd59af329ed

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
21f7c4c34dbe52a8a8ecf62ff7522a98

SHA1
a42079d9f47fa9f82641b1a80d46363a4255106d

SHA256
efe94f1a41f12b7c8383fa44d4761c373b47baf3144f5afd6c5829bfffd943b2

SHA512
57183015efc6630c44ffc7ef68a0037cfcbf3badffef97023e222439a3df4e51f74aceb1a157b7b4771fc5867df7c843ad752cb2279bcedd3a1cc38335d0fa45

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
e6e75392f5935ee51049ba56157f0d3e

SHA1
0cb9724e8a4546bcd58f2291042f275be4d573e5

SHA256
fc0647d63bdb084667229cb230fc29cc2b376668a9c4927382369cb6424569ea

SHA512
1e32c8256602afc51b6286e38bef1473464057d708c80b125d47019cd4bbe3203ab23c1660d29218da47a7ea76648c616d280f85da6287fb671e853c825d5ef7

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
9bfcb86977b70a0e8ca28433bf507508

SHA1
8e5c73438e89fb0c2d33bb91fe759dbdc6477885

SHA256
525b17589f5ed6e584d183140b904f17593beef1bff61677e15dfb5b0a98327a

SHA512
cf3f7b6318691e8e08bd07b58b928593318b4518f84743b2b42d785a32b37df5d641e2992d3f9430a0f57dff9040622bdc3592f461e8e14129626da5c88ea91d

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
6f7e867544af0f69ae5ce9ad7cef5e45

SHA1
1ae5585cb4fea36b09fb20b2fd3e1728767e90fb

SHA256
9e7b80464ba7eb8c8424f33d80f6b612c35fc1475b7ad0635f71dca4887cc8f6

SHA512
4240ede1e53b0db6fd3f6a79570d902219a8333864a692993f79604c34a026a4aebd459737289d78af445b4ad562c0a99e50833f69b3bab5ba402f3dd08b0306

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
dc1c20950997f25d08b9f0d87d89c112

SHA1
41a7a9fcad118647bb34455111a48f1601eeeab8

SHA256
a865b6f61cdd357c7cef02592b34fc3586a085ca3a4639dfddd931b27d80c6f2

SHA512
df98613011efc5c838196810c5742b36a66f4db2a8ffc86a6771cc1be6d67cecad8b20dcc5331576c4938a87736b50c76743e4c180cacba85a386bdb8ff17d15

Download Submit
C:\Windows\SysWOW64\Hmcjlfqa.dll

Filesize
7KB

MD5
65f75661b5bc443865b47c6903f753d0

SHA1
4554ef429c0e0c6acc3fb4bd086b2bd4b13aa3e1

SHA256
ec771233a510e20e82dd836b9f32c442ea90c27c47f46c1d1a76d886cf946f9b

SHA512
ac75d63bfacd1cd50ade6c8c2df4efa6673b37aab46acad6bcbc02e1f8ead7f75fbfc84ba1dddbf21e1b99acff615e336c748798b3db0420a632551eea5b06e9

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
e1676f6ccad5f30be46d16f418173e5f

SHA1
3668daefe681eedeee610d332784fcdfe3e03c36

SHA256
6c5fed0fbaecff8df8921cf00be691b58da9bf727575346268e6983c0f8b5a2c

SHA512
d764d257f2e90005d7dd62d547961b6c38ea11561b875bece64d2306c2f3a6a8f24674354ae6e64f1eda53691477552e90294d6fc4d3383b6ec9398fbff8bd5d

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
c5c86ce05f6aeee7cf46ee37ed03822c

SHA1
a30e7bd3824b08b3f06f349555bdb25420d04688

SHA256
4e210956f8580aafd7d13f6447f2af9a6eabee07947bfcc3180b54c756323f68

SHA512
d93292857b3eabedb28de3060b1d23025f2346bc9094d391ac9e019e0dd33f643487bf052761b73eec104692a68d61962b37be12c8f262594c5a16fb3ea351d4

Download Submit
memory/440-456-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/440-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1276-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1276-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-469-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2056-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2056-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2092-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2092-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2664-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-468-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-470-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3476-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3528-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3528-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3716-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3716-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3800-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3800-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3900-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-445-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-463-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5112-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads