e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Size

59KB
MD5

d8bc145ade84da2038a3d22807d4d8c0
SHA1

167d442da316cb97df296a9b7ff11eb2bfc22846
SHA256

e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01
SHA512

894f285d778f2bf36c43af552e132735d67b1c2f93ffbef397f59041f2f4cf35741fc28f52047866b7af2d16a01ad20e1de6be00bf83788a813e74049d9965d5
SSDEEP

1536:wZuZ+E6Fv6gfNCqBt3XIcHk0QzzRm2LoO:8e6Fv6gVD4cH0HxoO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppaclio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppaclio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbajeg32.exe

Executes dropped EXE 64 IoCs

pid	Process
1712	Pmbegqjk.exe
2180	Qppaclio.exe
3016	Qjffpe32.exe
784	Qapnmopa.exe
3364	Qbajeg32.exe
1672	Qikbaaml.exe
4732	Apeknk32.exe
2280	Acqgojmb.exe
5108	Aimogakj.exe
5032	Aadghn32.exe
548	Abfdpfaj.exe
3356	Aiplmq32.exe
5008	Aagdnn32.exe
1632	Ajohfcpj.exe
1724	Amnebo32.exe
5020	Abjmkf32.exe
752	Aidehpea.exe
4492	Adjjeieh.exe
3216	Ajdbac32.exe
1652	Bpqjjjjl.exe
1136	Bfkbfd32.exe
3124	Biiobo32.exe
4736	Bbaclegm.exe
3024	Biklho32.exe
2088	Bpedeiff.exe
3212	Bfolacnc.exe
4468	Binhnomg.exe
636	Bagmdllg.exe
3524	Bdeiqgkj.exe
2852	Cajjjk32.exe
828	Ckdkhq32.exe
2576	Cdmoafdb.exe
3496	Cmedjl32.exe
4844	Cpcpfg32.exe
1180	Dgpeha32.exe
1968	Dcffnbee.exe
2768	Ddfbgelh.exe
2492	Ddhomdje.exe
1172	Dkbgjo32.exe
2352	Dalofi32.exe
2484	Dgihop32.exe
1860	Daollh32.exe
3164	Ddmhhd32.exe
3308	Enemaimp.exe
3860	Ecbeip32.exe
3020	Enhifi32.exe
3580	Edaaccbj.exe
4308	Ejojljqa.exe
400	Ephbhd32.exe
3340	Ecgodpgb.exe
2132	Ejagaj32.exe
2364	Eahobg32.exe
3520	Egegjn32.exe
4092	Eajlhg32.exe
2540	Fclhpo32.exe
4576	Fqphic32.exe
1500	Fgiaemic.exe
3264	Fboecfii.exe
2012	Fcpakn32.exe
512	Fglnkm32.exe
4324	Fdpnda32.exe
2528	Fqfojblo.exe
4136	Fnjocf32.exe
4424	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Ahkdgl32.dll	Dgihop32.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Kngmnjok.dll	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Adjjeieh.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Fglnkm32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Ddhomdje.exe	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Qikbaaml.exe	Qbajeg32.exe
File opened for modification	C:\Windows\SysWOW64\Aadghn32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Pmbegqjk.exe	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Gpeipb32.dll	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Adjjeieh.exe
File created	C:\Windows\SysWOW64\Ecbeip32.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Daollh32.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Apeknk32.exe	Qikbaaml.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjjjjl.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Ddhomdje.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Abfdpfaj.exe	Aadghn32.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Daollh32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Enemaimp.exe
File created	C:\Windows\SysWOW64\Ecgodpgb.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Gohlkq32.dll	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Qjffpe32.exe	Qppaclio.exe
File created	C:\Windows\SysWOW64\Qbajeg32.exe	Qapnmopa.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Amnebo32.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fboecfii.exe
File created	C:\Windows\SysWOW64\Bcomgibl.dll	Qppaclio.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Aadghn32.exe	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Dalofi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	4424	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppaclio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbajeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnebo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjffpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqgojmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qikbaaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdbac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadghn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfolacnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qapnmopa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adjjeieh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjmkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnebo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apeknk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfakpfj.dll"	Aidehpea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadghn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjffpe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1712	3236	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe	89
PID 3236 wrote to memory of 1712	3236	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe	89
PID 3236 wrote to memory of 1712	3236	e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe	89
PID 1712 wrote to memory of 2180	1712	Pmbegqjk.exe	90
PID 1712 wrote to memory of 2180	1712	Pmbegqjk.exe	90
PID 1712 wrote to memory of 2180	1712	Pmbegqjk.exe	90
PID 2180 wrote to memory of 3016	2180	Qppaclio.exe	91
PID 2180 wrote to memory of 3016	2180	Qppaclio.exe	91
PID 2180 wrote to memory of 3016	2180	Qppaclio.exe	91
PID 3016 wrote to memory of 784	3016	Qjffpe32.exe	92
PID 3016 wrote to memory of 784	3016	Qjffpe32.exe	92
PID 3016 wrote to memory of 784	3016	Qjffpe32.exe	92
PID 784 wrote to memory of 3364	784	Qapnmopa.exe	93
PID 784 wrote to memory of 3364	784	Qapnmopa.exe	93
PID 784 wrote to memory of 3364	784	Qapnmopa.exe	93
PID 3364 wrote to memory of 1672	3364	Qbajeg32.exe	94
PID 3364 wrote to memory of 1672	3364	Qbajeg32.exe	94
PID 3364 wrote to memory of 1672	3364	Qbajeg32.exe	94
PID 1672 wrote to memory of 4732	1672	Qikbaaml.exe	95
PID 1672 wrote to memory of 4732	1672	Qikbaaml.exe	95
PID 1672 wrote to memory of 4732	1672	Qikbaaml.exe	95
PID 4732 wrote to memory of 2280	4732	Apeknk32.exe	96
PID 4732 wrote to memory of 2280	4732	Apeknk32.exe	96
PID 4732 wrote to memory of 2280	4732	Apeknk32.exe	96
PID 2280 wrote to memory of 5108	2280	Acqgojmb.exe	97
PID 2280 wrote to memory of 5108	2280	Acqgojmb.exe	97
PID 2280 wrote to memory of 5108	2280	Acqgojmb.exe	97
PID 5108 wrote to memory of 5032	5108	Aimogakj.exe	98
PID 5108 wrote to memory of 5032	5108	Aimogakj.exe	98
PID 5108 wrote to memory of 5032	5108	Aimogakj.exe	98
PID 5032 wrote to memory of 548	5032	Aadghn32.exe	99
PID 5032 wrote to memory of 548	5032	Aadghn32.exe	99
PID 5032 wrote to memory of 548	5032	Aadghn32.exe	99
PID 548 wrote to memory of 3356	548	Abfdpfaj.exe	100
PID 548 wrote to memory of 3356	548	Abfdpfaj.exe	100
PID 548 wrote to memory of 3356	548	Abfdpfaj.exe	100
PID 3356 wrote to memory of 5008	3356	Aiplmq32.exe	101
PID 3356 wrote to memory of 5008	3356	Aiplmq32.exe	101
PID 3356 wrote to memory of 5008	3356	Aiplmq32.exe	101
PID 5008 wrote to memory of 1632	5008	Aagdnn32.exe	102
PID 5008 wrote to memory of 1632	5008	Aagdnn32.exe	102
PID 5008 wrote to memory of 1632	5008	Aagdnn32.exe	102
PID 1632 wrote to memory of 1724	1632	Ajohfcpj.exe	103
PID 1632 wrote to memory of 1724	1632	Ajohfcpj.exe	103
PID 1632 wrote to memory of 1724	1632	Ajohfcpj.exe	103
PID 1724 wrote to memory of 5020	1724	Amnebo32.exe	104
PID 1724 wrote to memory of 5020	1724	Amnebo32.exe	104
PID 1724 wrote to memory of 5020	1724	Amnebo32.exe	104
PID 5020 wrote to memory of 752	5020	Abjmkf32.exe	105
PID 5020 wrote to memory of 752	5020	Abjmkf32.exe	105
PID 5020 wrote to memory of 752	5020	Abjmkf32.exe	105
PID 752 wrote to memory of 4492	752	Aidehpea.exe	106
PID 752 wrote to memory of 4492	752	Aidehpea.exe	106
PID 752 wrote to memory of 4492	752	Aidehpea.exe	106
PID 4492 wrote to memory of 3216	4492	Adjjeieh.exe	107
PID 4492 wrote to memory of 3216	4492	Adjjeieh.exe	107
PID 4492 wrote to memory of 3216	4492	Adjjeieh.exe	107
PID 3216 wrote to memory of 1652	3216	Ajdbac32.exe	108
PID 3216 wrote to memory of 1652	3216	Ajdbac32.exe	108
PID 3216 wrote to memory of 1652	3216	Ajdbac32.exe	108
PID 1652 wrote to memory of 1136	1652	Bpqjjjjl.exe	109
PID 1652 wrote to memory of 1136	1652	Bpqjjjjl.exe	109
PID 1652 wrote to memory of 1136	1652	Bpqjjjjl.exe	109
PID 1136 wrote to memory of 3124	1136	Bfkbfd32.exe	110

C:\Users\Admin\AppData\Local\Temp\e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
"C:\Users\Admin\AppData\Local\Temp\e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\Pmbegqjk.exe
  C:\Windows\system32\Pmbegqjk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\Qppaclio.exe
    C:\Windows\system32\Qppaclio.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\Qjffpe32.exe
      C:\Windows\system32\Qjffpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 400
        67⤵
        Program crash
        
        PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
1⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadghn32.exe

Filesize
59KB

MD5
f82e27629c4edfbb96f3f279d31dbee4

SHA1
483725357b29bfeca41da3be03fcece405127eab

SHA256
75bd96e3b938a26a4b82d91d8b3819ba522d5227379771daf0686392a9083dd2

SHA512
0b33963c5dd74c361a6617da80da5d2548633aa918fd6e772793883e64b3f181ac1bc340cf48d34d9f8d7edc8a71a2c19241e08f01d397d0f2feb1a7040bf410

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
59KB

MD5
b6bd110e1e9cd909ae0989787217112b

SHA1
99015f42375941d2f77475dfeff3b4c9d89e3d00

SHA256
d950560f08003c0b63af0f7794891f4e5b6135be4d29892ecf08fa53605a7c4e

SHA512
3d18ba8b796dda786add3357a4d8b96845677422c8083e3c0ab1407ca098145fc938c9173bfbd49cf51832927e118fe5b1df6c0da28fdc9d62039305bc83d92d

Download Submit
C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
59KB

MD5
93a9d6135f47d80148a0b1fa44dede9f

SHA1
8a1c7a4f20c0c4ea3481fc4c21ca10497114c2c7

SHA256
d21e2c928146008ef29db61bdd62e973c62c364d14ffb530012eb33e2e638443

SHA512
3883f6949a5a88f3cdd5b418ba87a3a49545e2041d4b2471970c169df40e70f0ab1794a3eb783b967181841e5e05e73090f9b0d22522a751bb346c8363c971ed

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
59KB

MD5
2612b9f5f01c9f6c76f8aa51e5fb2ad2

SHA1
ce5bc6943636eb1cfba65c92bc1dbfe8bcd5ef4c

SHA256
08acdb6899d5d4e825e5c27957f124276bf16f06b360b7453546fae8535a765e

SHA512
d6600cfb175e5a018e42eaed0aa2d302b3fff50aeeb78c2b24bd2275c9d51245ff090c8a8500c2ce65bcca1cd6a30deda518ff33937ed94e3977700419df90b0

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
59KB

MD5
7bbf7737513a67e1e3f40a2c7e36f3e2

SHA1
9601f899a67d73e058fbac40236b2c677ab3b527

SHA256
d55e66c5a3bd55ad0916afb43e01f0bb85091e284569c1a49cb9e2ef7d9b1699

SHA512
44051d560f5be1c17b72be488bf7d2844387be88de8160dabaf0de5e4eb6030b7084857b27b4a831d75e5606f12f1e4d76ef8b7d4ade573f7848707d96794483

Download Submit
C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
59KB

MD5
a096ec935b709a27f3940ea23f5a015c

SHA1
f17c369e5c8df89e34b9b76ecffce463939a26ab

SHA256
c01a597207d96c7d185280b78c29f5029cea6d9126d0479dbabdf0d0e871c7e9

SHA512
652e63437b19703c6b678f553fa86a4b0d214bb58dcd2f55f5cd70510441f3397e2d36ed25a7682797ef410773de2ed852fe862aedd41bbd6ed23a1745e66d8b

Download Submit
C:\Windows\SysWOW64\Aidehpea.exe

Filesize
59KB

MD5
de7bde2d3f7a7bb69c25946739f662d7

SHA1
1e73b0b1836398c8f72d8f5aa4c1575c993c5036

SHA256
b5f1e0e6d476535328a839509625de99407459e4dbce0f5ce910a7616af5c882

SHA512
14de5051bd8492b980bbeb442288ec09d46afd4cd859d93c96cbfaffa35ac5c4e356a5ddc28c299b6c7628e4bc9ad2805bc4a692db1be864ad3b9dd94717ce33

Download Submit
C:\Windows\SysWOW64\Aimogakj.exe

Filesize
59KB

MD5
7f7a976949e4ea245ce66995c6fdbd0e

SHA1
2a3f7e6f87b38ee441083ad270c38bf69105b4ce

SHA256
e18410b6367262380f4ea62815e8b2b949d86e4132542c0058395a9295e6b5e8

SHA512
88fb7461e8d111d0409e1267ac050156e31b9020dcbf55c59b0789e11f1fdf4fabb724f46763d3cf4a126f8f7879fb33f75cc9d1dc746f0e07aa3cfd0d984639

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
59KB

MD5
7f3a1366a03156d7faddb58aea67cb20

SHA1
0a5fdd67929799c3701aa13b29aff2c82b8e7263

SHA256
eab160a2367e37aa261294aaee17bba634e342971fb12bdf81be47e19d308445

SHA512
900bec8ba53b130f02800dca84ffa51d7f24c443c6ae13368f65a01c623c8e32e132ea59baff81cb3fc1e19af3c92b16f8eb4096febffcd71d3ebb79b8c1ac0a

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
59KB

MD5
6652dbcccece345ffa4334558a3ebcb9

SHA1
ad1964568b163d2a6c64a6bf36e543aedf4a1139

SHA256
46d57947666859b24f9590426267c4003636e509fbf769a813ecf8e7f937364e

SHA512
24c4212b7ade29a93ad4e6e39999303cf2c36035e17e016e087ba7f340834bbd7168bcb0e34aa8fc5bfea515eab65692d56a5cedb98782dc9656c22abed9b107

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
59KB

MD5
fba37bda53d0418a71edc0d667d6a81f

SHA1
897615fd39c997d280dd627650e5df42b73d6cd1

SHA256
2e8a374253b5a164f3681638db8181b3cdc89b52539f30c3378437b42a3d1f8e

SHA512
05feb770fdc95b0399bcdafbfc69e6553542068e18b28a0c97aeacc124931967a12f3814af36209ba898705f6768d5d4676822368df5a8501b66b11766d52cdf

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
59KB

MD5
02998ff798afe8d44d688ecb210d9c4a

SHA1
588cb6e68aea728bc21f83c9a7ffe22c79fe68d0

SHA256
ba5b491a31d181d57df55a280d481d051b02336d6b9b28e1e69048aef916fd10

SHA512
c2e4476c6c21c5d3b03938adc8ed4c6fc4300fd0080fb2e1bf0f23197ec98f34317c6b2c9af1d72276de4e9a13ec7610fc9bde61a648a326703fc6a9281af174

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
59KB

MD5
6e6b94765d34c4d1c5f8556dc76a16e4

SHA1
bd45f534136aeb67206a81378a833a1d692dab2a

SHA256
b2e6860d131e53a466ca531f75992227664883d5c4982952c574c4ccbefe04d5

SHA512
f2199f6611ab1bbc15ca2e53085e0090105e6b7e9631d6636ac3b00f47c9e6166c21e04db648e9afba290515c2dcc6ed4ee40a95decd10b2c59ffbbd7dc7746e

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
59KB

MD5
9929121d6d399078ff7fef317897b7b3

SHA1
5345bdc49359848c6e8e2edd346d6b1aeb7790d5

SHA256
fe4d9adfebbc3d1f13714c579ed554a5fb236e9e4772ae5a0c87142283d65877

SHA512
fcd9708a536b9267165db67421a438154249cc85a32f768ec6efc8d665f195e90f34e08d1dc5153d4e0562b347391109429c27bf750014b795f6ff1472f54180

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
59KB

MD5
37e787ef2cb029a46ee3557dcfddf76f

SHA1
6291ade99d96d29229a896b67f0d698da9c7964f

SHA256
877f6bf64459ef37c88cc0693ee6d250d5b282b16393599a8df02e7c2442bccc

SHA512
32b6d17ee148206fd19a3ba8e6bff700732e627fe2f0d716b82f331fd8171955ce489c619b3c6136eab16f3e2da70556721998ad331c40736f9fb798d2a36a1b

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
59KB

MD5
cf1ae49efb219a49741bb8274eac94c5

SHA1
f9ae1b766b518e192f3e0612cbcb69049e6eb9af

SHA256
6df9430a87c1ff0acda5058c16d3fd6305ee4939f1eee68fa2434f51a21b339b

SHA512
49ad4d5990479a063769386237726d2a5d90877b0565c75d5ec9d218633288ffbebe4b1199dc4223f0ab36c45feb9ceb06fcf441e3a15f09c55ce49bd55d6bc6

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
59KB

MD5
507a2cecefbb14eff344f60896e8c10a

SHA1
652844047f157caef0ed242a1f415d418de9cc54

SHA256
bea65698f24d60c6910418369d19d76c21558338aa4bc075ec78758dbb6d88bb

SHA512
1fb593902a57d113b8c50fca4bc9fa8029f190e252fef8cdb328f6def42468d1af9cb10f905023e66088bc2e912539006982d1666ee1cbb91a28be7561db5b54

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
59KB

MD5
15e40b1972151830d180949de7c4910c

SHA1
cf76b6ad3363e030d7967f5d7658ca97d2dd7a9c

SHA256
f0a335917a610cde9b925dddeb9ca967f5ad87844887bc5b507309990e3f5770

SHA512
da59f290a6aee62141a7c3d866a13eab5e021b6aecf42287926606e704ecfec0aad65caae31cbcff4b0be7ab5ee57e8741bd565f6080df2d8e1a3390c5cb5825

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
59KB

MD5
dad7991a7f2894df2c8b0dfaca517ec1

SHA1
396341e16904f9ecf18eaecda7730a614d1ff6e6

SHA256
08a4c8af7de8463252062fb93d0bf9c87d3167964129d330c260ade33ebe4581

SHA512
4e769149f2728bc646b108d3e0fcc67f016c54f75a2496246bff7586bf16f7fb09711db306fcabb36b7b12c72b5d7b9b44e1adf331fe9121531aa411082265c4

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
59KB

MD5
db5d34a004b64ed1b4764b49aca2c413

SHA1
d5b76e34ab84a1044900b5737923e7e536accf8c

SHA256
56b0ac8da9b043bc4bc8a9d045de499e9b81e37f1df468369104b50fe9c48f60

SHA512
0ec214c54f9c203362c04e2a88f68f19629ef62727f883dac8d618a4f305251aba5eacaa4c18453772ee6a116b728871a51de7c8d14f3c504db6655dad093326

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
59KB

MD5
8eeaefd880b09acb2dd2623a15c1c3f5

SHA1
b418311a0f07cbbaddaf8303d56d129afe0a7e1f

SHA256
38636b71c929a2b77f9a575df7fb96b0ef66aa1b784fd97f33b52d0b6c39e32a

SHA512
96129fb7c1fb0cf1e682a7d5d2746bec48e0d84583c79d608abee35b5e5766cc901ad7fe5449b7c12d1aea38f3745b34488fbd21b0e606ecc8e4c6961616e8b2

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
59KB

MD5
e950d654dd21dd33ca831a69ef08971b

SHA1
16fe0c4b7173e42821c3482f3e79172c4b6ba205

SHA256
e9367d1c93c48da97ff516450e46f446e3485d5f6e9fb7b5c5cb64cdbb141f27

SHA512
ea6ece779d4cb379e45b612135d4d776d9be6edef133f37f21a4d5bc782025a8ebf61d3a4c6efcfa99dcf5db5193cbb3826f913a2f139ea464487d786deceba3

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
59KB

MD5
e22476d03868b9593ece6aff909be593

SHA1
f23b0658fc987edba22f46a8d1580b63dc3a5db0

SHA256
6517daefe1a278b2deab458e4b30895250314a39abebab022e139fd9b8968d34

SHA512
0b304d6ec5fbf67bd6d8ff3fb750ebb824f0c33b2ea0c0c5158780be565a5d4ced8f31b11561bff1920a82e161a7fe2f109c8c2d4467e4f8e4fad94c3e5b1672

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
59KB

MD5
baea61dd6cc1c7a568e6602a2a97707f

SHA1
0bcd3340b457f9db374da5ae28dd8aa373e8d948

SHA256
5584ea3f9990043443efb923022386d03a8174e8e2f74e906b934e77bc36c5c6

SHA512
fe3a765a7970bba6c6f3ea602cabeeaba96f09bd1d5fa288ebbf270bb1e5451a33a3960799c32a2ea9c0fe041e9f0434d724ec181fa470e1c0e88d6e63e9742b

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
59KB

MD5
c689783225f59569ec6a3f3e25733ddb

SHA1
6076fab2badd7b97d5d6b37d11744bd6f2e6582f

SHA256
ddf51ad4b08157232b66a3d82149bb234778cf8ba0207395d731ddf1723c0531

SHA512
b51066b915a99b7dfbdbe1032b1c46630535f070a47c9bd592d59164f2f571a86e3bc3496d0144a7226559ac2d7c0dcd01d31ae39a9f4ad66fc4e5b66b77bc8c

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
59KB

MD5
6ce1117c6112b00683caf5155aef4c45

SHA1
2d683a751e9d93fdf345434edd21f2177654824a

SHA256
37554e1299d31883aa3861dfb879799d721ed047ecafbac11f215d97556afaf6

SHA512
afa044b6b780e86592851f071d03710b49c860130ea28b079ba97029b12016a8136214f8fc5bc165ffcdd36a2486041ce51c315258cc45ecc0ad781df995bc8a

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
59KB

MD5
7d4f17664b32161c4e8d28f86583f726

SHA1
1ed7d635ad51b3f75da7caeda22c95993db2218b

SHA256
bd24aff4e7909b1900bb5ccaab698745ddda658b8642e30318e67dd518605e6a

SHA512
72d7528b00966cc1968b8f7da0c1c3ce6af4d3974aaa57ca672da8fbd67cfd59ece842004faf86c6e252b790126bd65b1202fea91a410573ad8408b5a736e049

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
59KB

MD5
bb693a65db8efe84fdc2c6054aee19db

SHA1
015ae6ddc9c5c9485c5e568ae66783924298e5b2

SHA256
496f61725326616f2315bd98e253356c87e35decfc6a1b41fb43a93a814988b5

SHA512
3f2aac27646f857f82ea5ce8541b4562719820a5046b7815fbe787ebfaa2c8ac8a61fc85f64e16902bca302007a6c9470660793c890da600c413c13592854f36

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
59KB

MD5
eaefefd0100f5e4263f37869cf07d8e2

SHA1
48a967083a56a508109757d22eab8f9d808ac8ac

SHA256
682937dd67a139f140dfdfd4b6990223b6b342fea65c48a8c6d9de0bc672ef2f

SHA512
4fdb7219e95b1d386308296fa883596733c8f05c17574cae06e4c6d8cddf87035f5b2325d94b9d5636be179c8cac945c3222afa5ac871489957c19b298691d9a

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
59KB

MD5
07d53ff6daffc43cfabab2b35388ea56

SHA1
3da566685f3643847b6c914ad3e1ea7ce79ccd8c

SHA256
55b017f63e074624cdface65b05a0de63ce12416b177934a971c0c961a584da9

SHA512
adfebb0182eb791c27b3ed2dbc514463cba89deaa7e43e65948aec17bddd739b035f5402dfa25a4d89c5f99e3f749fb7d1491b561699252051b0811ecaa02c23

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
59KB

MD5
97034730c2ef8951d2090af878eaf658

SHA1
98d353e9aaa17c9b0a8191b8fe9de496d884b8f6

SHA256
d77039659192828c29db99cb706302659891bd5d4f290b365d42b03e851dbfc1

SHA512
b2e438e994dada5da4782868d63873f5a9cc9633d8baab4adba3f5882491fc4520b09bc7cabff7648861f0c7d252bdcee7f055990cc0f516f20f6ee83fb1b92a

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
59KB

MD5
99b0ce99d066d78b9b5a6229ba93fd16

SHA1
bb814f10e8eec71069de1f494644e43fda06d48a

SHA256
77d6fd736ab5c22cddefa9b8af0e227f59dcd786576af5961d3272530c7d58b9

SHA512
76d662fc9391ee261a8efd3094c8499341d309b0a16d45d0031c795f63bb8a7b14b06190afe49f55571467906ecf28de90927ff24d618d9a9cf9a007d18898b2

Download Submit
C:\Windows\SysWOW64\Pmbegqjk.exe

Filesize
59KB

MD5
4f776fa07ff2b22de88cb4bd5ac58c0d

SHA1
59503893576a3cf881db3f6ee10e631563814bef

SHA256
5ed4f1e54d215e15741c95c102104ea88b3a169fc1e1c963954e0e15fbf6554d

SHA512
e001255a38c0331cf816723facd997193f714b22dac3abe261da2420a99562e0d6a3feaddc3d37851a9d43ce93d22499fc023bfadce1f864ae6e060f980c8a54

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
59KB

MD5
5aca736dc699eb5c232f1bbb06584bae

SHA1
eed2a052ed687a707127752e5b3e80cf1d876477

SHA256
a10d2783e03e044428fd646cd0eda4ea01f4546f0a3315cc81f564f260307445

SHA512
8e4324776e2aa1201c145ee78adc4e29f1ec33651504ec14c6a06abe06aae13152efcf8fac13087cfea0180edb750e509575bd87919ea8f56be4198cb9be6873

Download Submit
C:\Windows\SysWOW64\Qbajeg32.exe

Filesize
59KB

MD5
12b84f53242e953ab42cb0418f620220

SHA1
263913289bec90d534188c4242a3aa54607e690b

SHA256
e7760e3dc43de071337c59fb567b7cf851bf99a711b87b8519ecdba6f4ff741a

SHA512
2aec1a18e1c6f78986c193aef9265ac935635f141a5fee3e6c202043cc63bc08d0b4559fc47fe00af525b50f26bdd3fd46aaed8df184ce53dac5a55daf7795ae

Download Submit
C:\Windows\SysWOW64\Qikbaaml.exe

Filesize
59KB

MD5
211202e9f10636c74d2e4cc942a8210a

SHA1
54a2fb181bd276861c96797d8ec62200f0888318

SHA256
820aaa5dc203904bc5a46aad6e3ac828d93aa726349bc17241398c4f285649b5

SHA512
4a6b2e257fa570571b32c3a2dc2dc2709e6e33959b1ecf179e8aeef6c97f93490359ef6c1046915633c68a704c92f7ad36492fef187cdf46151de1b4af5e9306

Download Submit
C:\Windows\SysWOW64\Qjffpe32.exe

Filesize
59KB

MD5
b4f288e805969268d3de5760aafeaf3e

SHA1
8cfc558cc17968554288e83080a61947cf1f78be

SHA256
7906d1f9aa14395290df1053c9f6cb341329f1aaaec6c58ad694f08e26ea78c3

SHA512
13483379729787250073c1ef311d43b3c7f8a330d093374c8dda88e4c206115da89509a50c881c4c98b3db10f6a8813d2205f94170c2d1cf9c43358f4ed2b3a3

Download Submit
C:\Windows\SysWOW64\Qppaclio.exe

Filesize
59KB

MD5
b7f88873d0fedca11a53f6f9bccb6fbf

SHA1
875cf210a5fc804ec93b82080eb3e0cd4fa459b8

SHA256
610f96719e6eb338e6053f3b506a5d300b5e04a7279fc345f79a4f1ff6a9fdda

SHA512
6533b0c65b1e5134ce924f75606f8a19fec7c7b7751ce48c01990e674508b3e2bc27b2c2eb9df67c768cfcbfc21398f79aada4db1f4af3d443df936f2cb496c8

Download Submit
memory/400-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/3236-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads