e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe
Size

487KB
MD5

a6cdd721594e5f6daa7f24a14f5183c1
SHA1

04eefbf598975a9d8b393769782d5dc5a4c8e235
SHA256

e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272
SHA512

0aa8b765b6308f485439e2751a32b999e6ddc6bc274a369f46f35197aa448a8b3578a28d52c74ba394280770a0d69b58f0cc28594177729a6ebd7560c46a7ca5
SSDEEP

6144:88PmmhI2y/JAQ///NR5fLYG3eujPQ///NR5f:jyTx/NcZ7/N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecialmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acdioc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkjddke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpnde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcpika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abemep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe

Executes dropped EXE 64 IoCs

pid	Process
816	Ocfdgg32.exe
4804	Ofgmib32.exe
2028	Oheienli.exe
3168	Oflfdbip.exe
2024	Pfncia32.exe
4308	Pfppoa32.exe
3092	Pmjhlklg.exe
1996	Pfbmdabh.exe
2188	Pkabbgol.exe
1396	Qkdohg32.exe
1552	Qcncodki.exe
2712	Apddce32.exe
904	Abcppq32.exe
2740	Aealll32.exe
2772	Apgqie32.exe
2340	Abemep32.exe
2300	Aecialmb.exe
5060	Amkabind.exe
2136	Almanf32.exe
1928	Acdioc32.exe
3428	Abgjkpll.exe
2896	Afceko32.exe
4872	Aiabhj32.exe
2420	Alpnde32.exe
1940	Apkjddke.exe
2040	Abjfqpji.exe
4416	Aehbmk32.exe
1464	Amoknh32.exe
2972	Apngjd32.exe
2868	Bcicjbal.exe
3360	Bfhofnpp.exe
876	Bifkcioc.exe
2044	Bldgoeog.exe
3652	Bclppboi.exe
1916	Bfjllnnm.exe
2784	Bemlhj32.exe
780	Bmddihfj.exe
4864	Bpbpecen.exe
1948	Bbalaoda.exe
5056	Beoimjce.exe
2184	Bmfqngcg.exe
5104	Bliajd32.exe
1400	Bcpika32.exe
3364	Bfoegm32.exe
1460	Bimach32.exe
2388	Blknpdho.exe
2080	Bcbeqaia.exe
2908	Bfabmmhe.exe
4032	Bipnihgi.exe
892	Blnjecfl.exe
1764	Cdebfago.exe
1056	Cbhbbn32.exe
4324	Cefoni32.exe
5148	Cmmgof32.exe
5188	Clpgkcdj.exe
5228	Cbjogmlf.exe
5268	Cehlcikj.exe
5308	Cidgdg32.exe
5348	Cpnpqakp.exe
5388	Cbmlmmjd.exe
5428	Cekhihig.exe
5472	Cmbpjfij.exe
5504	Cpqlfa32.exe
5544	Cboibm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Abemep32.exe	Apgqie32.exe
File opened for modification	C:\Windows\SysWOW64\Bfjllnnm.exe	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Cpnpqakp.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Bbalaoda.exe	Bpbpecen.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Mondkfmh.dll	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Idcdeb32.dll	Bpbpecen.exe
File created	C:\Windows\SysWOW64\Cpnpqakp.exe	Cidgdg32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Mdphmfph.dll	Bclppboi.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Lkafdjmc.dll	Afceko32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhofnpp.exe	Bcicjbal.exe
File opened for modification	C:\Windows\SysWOW64\Cbjogmlf.exe	Clpgkcdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpjfij.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Aoedfmpf.dll	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmdmpe32.exe	Cemeoh32.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Agccao32.dll	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Bcbeqaia.exe	Blknpdho.exe
File created	C:\Windows\SysWOW64\Cmmgof32.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Dllffa32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Ldhopqko.dll	Beoimjce.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dllffa32.exe
File created	C:\Windows\SysWOW64\Cbjogmlf.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Aecialmb.exe	Abemep32.exe
File created	C:\Windows\SysWOW64\Bcicjbal.exe	Apngjd32.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Cekhihig.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Dlncla32.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Aiabhj32.exe	Afceko32.exe
File created	C:\Windows\SysWOW64\Kdogqi32.dll	Amoknh32.exe
File created	C:\Windows\SysWOW64\Dmabgl32.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Cidgdg32.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dlncla32.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Abemep32.exe	Apgqie32.exe
File created	C:\Windows\SysWOW64\Aahgec32.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Apkjddke.exe
File opened for modification	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Adljdi32.dll	Abemep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5180	548	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkabind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoegm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acdioc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddihfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcpika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecialmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclppboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehbmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amoknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogqi32.dll"	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll"	Bcbeqaia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahmla32.dll"	Aecialmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepadh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afceko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbpidem.dll"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acdioc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoedfmpf.dll"	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alpnde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkejmgc.dll"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adljdi32.dll"	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdagi32.dll"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Almanf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 816	4720	e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe	89
PID 4720 wrote to memory of 816	4720	e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe	89
PID 4720 wrote to memory of 816	4720	e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe	89
PID 816 wrote to memory of 4804	816	Ocfdgg32.exe	90
PID 816 wrote to memory of 4804	816	Ocfdgg32.exe	90
PID 816 wrote to memory of 4804	816	Ocfdgg32.exe	90
PID 4804 wrote to memory of 2028	4804	Ofgmib32.exe	91
PID 4804 wrote to memory of 2028	4804	Ofgmib32.exe	91
PID 4804 wrote to memory of 2028	4804	Ofgmib32.exe	91
PID 2028 wrote to memory of 3168	2028	Oheienli.exe	92
PID 2028 wrote to memory of 3168	2028	Oheienli.exe	92
PID 2028 wrote to memory of 3168	2028	Oheienli.exe	92
PID 3168 wrote to memory of 2024	3168	Oflfdbip.exe	93
PID 3168 wrote to memory of 2024	3168	Oflfdbip.exe	93
PID 3168 wrote to memory of 2024	3168	Oflfdbip.exe	93
PID 2024 wrote to memory of 4308	2024	Pfncia32.exe	94
PID 2024 wrote to memory of 4308	2024	Pfncia32.exe	94
PID 2024 wrote to memory of 4308	2024	Pfncia32.exe	94
PID 4308 wrote to memory of 3092	4308	Pfppoa32.exe	95
PID 4308 wrote to memory of 3092	4308	Pfppoa32.exe	95
PID 4308 wrote to memory of 3092	4308	Pfppoa32.exe	95
PID 3092 wrote to memory of 1996	3092	Pmjhlklg.exe	96
PID 3092 wrote to memory of 1996	3092	Pmjhlklg.exe	96
PID 3092 wrote to memory of 1996	3092	Pmjhlklg.exe	96
PID 1996 wrote to memory of 2188	1996	Pfbmdabh.exe	97
PID 1996 wrote to memory of 2188	1996	Pfbmdabh.exe	97
PID 1996 wrote to memory of 2188	1996	Pfbmdabh.exe	97
PID 2188 wrote to memory of 1396	2188	Pkabbgol.exe	98
PID 2188 wrote to memory of 1396	2188	Pkabbgol.exe	98
PID 2188 wrote to memory of 1396	2188	Pkabbgol.exe	98
PID 1396 wrote to memory of 1552	1396	Qkdohg32.exe	99
PID 1396 wrote to memory of 1552	1396	Qkdohg32.exe	99
PID 1396 wrote to memory of 1552	1396	Qkdohg32.exe	99
PID 1552 wrote to memory of 2712	1552	Qcncodki.exe	100
PID 1552 wrote to memory of 2712	1552	Qcncodki.exe	100
PID 1552 wrote to memory of 2712	1552	Qcncodki.exe	100
PID 2712 wrote to memory of 904	2712	Apddce32.exe	101
PID 2712 wrote to memory of 904	2712	Apddce32.exe	101
PID 2712 wrote to memory of 904	2712	Apddce32.exe	101
PID 904 wrote to memory of 2740	904	Abcppq32.exe	102
PID 904 wrote to memory of 2740	904	Abcppq32.exe	102
PID 904 wrote to memory of 2740	904	Abcppq32.exe	102
PID 2740 wrote to memory of 2772	2740	Aealll32.exe	103
PID 2740 wrote to memory of 2772	2740	Aealll32.exe	103
PID 2740 wrote to memory of 2772	2740	Aealll32.exe	103
PID 2772 wrote to memory of 2340	2772	Apgqie32.exe	104
PID 2772 wrote to memory of 2340	2772	Apgqie32.exe	104
PID 2772 wrote to memory of 2340	2772	Apgqie32.exe	104
PID 2340 wrote to memory of 2300	2340	Abemep32.exe	105
PID 2340 wrote to memory of 2300	2340	Abemep32.exe	105
PID 2340 wrote to memory of 2300	2340	Abemep32.exe	105
PID 2300 wrote to memory of 5060	2300	Aecialmb.exe	106
PID 2300 wrote to memory of 5060	2300	Aecialmb.exe	106
PID 2300 wrote to memory of 5060	2300	Aecialmb.exe	106
PID 5060 wrote to memory of 2136	5060	Amkabind.exe	107
PID 5060 wrote to memory of 2136	5060	Amkabind.exe	107
PID 5060 wrote to memory of 2136	5060	Amkabind.exe	107
PID 2136 wrote to memory of 1928	2136	Almanf32.exe	108
PID 2136 wrote to memory of 1928	2136	Almanf32.exe	108
PID 2136 wrote to memory of 1928	2136	Almanf32.exe	108
PID 1928 wrote to memory of 3428	1928	Acdioc32.exe	109
PID 1928 wrote to memory of 3428	1928	Acdioc32.exe	109
PID 1928 wrote to memory of 3428	1928	Acdioc32.exe	109
PID 3428 wrote to memory of 2896	3428	Abgjkpll.exe	110

C:\Users\Admin\AppData\Local\Temp\e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe
"C:\Users\Admin\AppData\Local\Temp\e8f6b96b253d4734cd5840cf16ccd0b2493d2cfb92c2b0b8a12ae7ba22b2c272.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\Ocfdgg32.exe
  C:\Windows\system32\Ocfdgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\Ofgmib32.exe
    C:\Windows\system32\Ofgmib32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\Oheienli.exe
      C:\Windows\system32\Oheienli.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        74⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:552
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        85⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 400
        86⤵
        Program crash
        
        PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
1⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
487KB

MD5
d2cdf0b96f93796a5a63e490fefddea5

SHA1
55b6e4ea1323748152392864832ca59dbb7014f7

SHA256
92044416b2b58ff57dd3647978efa888b2f4870b9405024ebab4dc73a879aaa5

SHA512
899a98990de32f063b5e36a73b15acdb01c3bdd025d7767d4df6ed284014d7c47bb205419747702e271941b9e1183dcb20d71c57be531170a3b2caac4d92574c

Download Submit
C:\Windows\SysWOW64\Abemep32.exe

Filesize
487KB

MD5
723b231e6206269a6cc7aec8ade8f2b7

SHA1
8a13908a3f2154b5464da45364beede22eb100b0

SHA256
77b447b3aacf09a4a0eb0992067776f01218b0b54ff7194727135a705f9e355f

SHA512
6fd54cf274d611caecfa2ce1f0dd345ab7c61fe2bfb9297f61d3e1430829806dc6263be940616fbc4e4bca1ad0764f86f229c8ee337da60882f35d27b7ef5b4b

Download Submit
C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
487KB

MD5
3c5e0bff75de1f62e8dd567bbda5798f

SHA1
0a3529e547ed1aa5ef5f2629f2d0537769ea79f9

SHA256
75c8e29f47ead3a9df1b520678e4c185680046d88170ab2d59f09aef24cc24f4

SHA512
33e8e449b188e38764a5cb421d7cd392eeedd6e1e066505977cd61feb1a324e77c4b69daf2e3b358f8423f609dc27a9d5ce6228993a6f2ae0bcc1f620e0fbff7

Download Submit
C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
487KB

MD5
e79a3738d6ebec75febeb2c69f316b47

SHA1
a692390baccd45ed21b3ed752bbf51bc52dcf518

SHA256
daa8019196263595f7c1f403894bcffdbe2e390e4671219a05a55326d584345d

SHA512
8c2ad1654f0202e41b1d1edc851d81b9ace9aa3595ceee3619dc661e26a97810c4b1050994e5a69f74b8ee8da53b601eca247a923ac9d991a16749582c154d03

Download Submit
C:\Windows\SysWOW64\Acdioc32.exe

Filesize
487KB

MD5
5fbbf5de2e652a729ae36b3eb5b14111

SHA1
444796843f5d1f4a57b398acc6523ef027c99c10

SHA256
e3b05655ed09935a28cc0d33e82de916dd37ca37fa2fc4ed9f5c3fc31f1a5c27

SHA512
92c44f2c7508b85fd1c418d8e862d3ff9a3645dd597b592e14fd8f57e6b20beb5489614c0b0709f1dc32a045e7406a00d01211fd0e2715e00d6c0f3e59f8a29f

Download Submit
C:\Windows\SysWOW64\Aealll32.exe

Filesize
487KB

MD5
bbc9b1ba527e1aee8f2722ec926e8067

SHA1
20584720491fb572ff98bee749706cacf2ff0c50

SHA256
3bee9340d0f2bd89c5ad827adf081935d1c120d4d73a0fd713897644a857ced5

SHA512
0c4e463aea0136e0d6ad34f8d4c14a9bbd565ff68c0f986ec98767a9472be846b38b97515d966831f4759ebc8538d7901663ba6e0c30f330964b8dd3e0ecb9d6

Download Submit
C:\Windows\SysWOW64\Aecialmb.exe

Filesize
487KB

MD5
9b864a20ff826e7ec041ca0402e95908

SHA1
e9fccdc351ce0f5ebecd782e3cd22656d0c0df61

SHA256
dd66f800022f4ac49a0d77036a662b63b1635f6442b32b630d2cab5764ffff02

SHA512
2f2b8cd9657225dec679c5e254db8de9140a44ffd27851930fafaf13f85ec10a5ee543b1dc4ddd602d767d7bac2b7e56632fac1b8595f506f4d6dbaaf1356fcf

Download Submit
C:\Windows\SysWOW64\Aehbmk32.exe

Filesize
487KB

MD5
cc27bc07fb5cfabcc89502d0a4edae91

SHA1
9b4e5e00470dcd1eb904b56b0409eaaf036ee913

SHA256
bec260477710a0ac58c1bcc8281aa3f1361d20cc807e0acbab0a53a1cde106c2

SHA512
4139a49edc6116d2ef53887a39e4c7afe069c8566d68d6e3fd0334de3350e90e05071bdbdbf31b2bbf7e27944d755b333644bf5022c115e7c97b3d4ca7561c00

Download Submit
C:\Windows\SysWOW64\Afceko32.exe

Filesize
487KB

MD5
cfaca8526b15deb8f0ff43e4ae4bbf53

SHA1
50fd0b6ccce8ac5dedbfca064c244e1bcec3e5ab

SHA256
c87c280c3350fb42b5f11c4c582f4dc4c55480929fdb3db03ecf9c904c2b9191

SHA512
3a98b2c72b5325ea09474788c6f621c81d06a9f8ebff066901ac1c5adf3f37ad6a791560a04323c6bfdb7c1aa8dc85877f4503694d54c98df292a98bf3ed3138

Download Submit
C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
487KB

MD5
c83a5cad24c216e3d7d7ebd1d67f6e19

SHA1
2274c05ed70e7d71783318deae1efcec492ee0ef

SHA256
fbc9406ebfc129f6663e763543fe2bfc06c606527295f5c9e2bce8e98fd8b053

SHA512
cc1df8983f748ea63fdb1708b1f9ae9490896f903c33c644278aa04e6d67981ae6bbc3dd173e7729711f485dbf335adc8787f5185391f5b67e45951250c75d01

Download Submit
C:\Windows\SysWOW64\Almanf32.exe

Filesize
487KB

MD5
ab01a89df7c3c39ce69df6c2b5d207d6

SHA1
e0bd3998fcb58069c2f1587db99ba88c7a166547

SHA256
9e8903726d07e6e17eb0c6a5170a6750493c9a0710223830cadaa588bd60e1ed

SHA512
3a86f1d0a9dff5fa20c0b0e0b846e38df8b5dbd39102f9458efa6f0b6115a7cf6449b46c169f49b43cb3f7a14aca192075b2ca2bfcfd1b5df506bdf5c417fcbc

Download Submit
C:\Windows\SysWOW64\Alpnde32.exe

Filesize
487KB

MD5
570d3658b656bde34c61f1637c047aeb

SHA1
d554f5d6205f9dfbb7b7af2f7279fdd312cf182a

SHA256
1ae0aeeb1c9be4388f5577e5a3fcbd7c3b5eb2db61f607711c503c60f92e0d5e

SHA512
a250cad305accee71cd5aedf07cc31664116808cad977a9fd385b87019923e21a4411f23d9f01254d69be5348b0c0fdefeaf2696852ce0ce0e6141e2de1d65c7

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
487KB

MD5
ed1a7f0bf37f6775d327e444f583c9ae

SHA1
29f434e0e524759a657274e54b28fd3841244654

SHA256
76ba1e6b23912f252bcdc23dc10c4cbfbe377bfb050c6d027ca8989ecdc18689

SHA512
eff090b140712b893a88ed55266252f8250fec7435d9cf4d5d22c4d3e3cae88c0533ebe5ebb88305f61b20fa22519940dd90d1073111702ac2007ab38c262f2b

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
487KB

MD5
d50139254fd96133eadaf64c75afd0ac

SHA1
dbc7c8db3600ea8a9ab67ed53e64467406b5db9c

SHA256
abc2c535ba9ad6ef8b35fd9392b5bf02f728b70552aadf4b93a8e697aeb26d0f

SHA512
4e864c4790c8317fb67ef8d20c6783847d943a0c569a6117713f54022fdb6bba97cb4d8a5ece87053f0613d68aaa097ff2b56a563ad4e320461ef3520854ede9

Download Submit
C:\Windows\SysWOW64\Apddce32.exe

Filesize
487KB

MD5
09027142e38957b2e0aac32494950f57

SHA1
ab8951fef0121bfc696923d244fda283f7dd2908

SHA256
2c2b57685c3c6059c45eb5a582a2342cc50c771fcade5ff8466b3299e90ff4cf

SHA512
452a86f2c2b47e98d0c19346e16e788642bd0917261b030838b061038cec52da81dea4ce9894b8e69d40f919059b33202ba2d2f221879875642e47049a8bf805

Download Submit
C:\Windows\SysWOW64\Apgqie32.exe

Filesize
487KB

MD5
15865749e8581e5aef7e8bfa0c309347

SHA1
6406bcdfdd25e3c762c39b4ce6c99d0f387dd3e9

SHA256
e054ed4910345d257eaddc04316a7b7fd22b007dd98ae487461084ca1f1c23f4

SHA512
09b9c71a1f25f60340f5379f4973cf81c3c70e58b8657ca36f5215f671d386d3daaa1d6c859ac3b535225c2475a45ed6cc7f6c146f644b0fe384db3525e3a002

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
487KB

MD5
f01e38bf0d68729acc7e4f5223e4a3ed

SHA1
cd4a1a0045df242401be3e48659c4e8a1326c63e

SHA256
1dfa30d4145ed39b41ece2a12df167ea1ad950aa033a05b3979377e53ee6603c

SHA512
eab947a4f3372fc8c4682e5cdc989ffa12c039d1268ba5d085ab34f43349d04cbde47b2103343dfa996370e0a31bb664e937a89614902e028c8c5d4e5f9c9a66

Download Submit
C:\Windows\SysWOW64\Apngjd32.exe

Filesize
487KB

MD5
4c93a1841f797074e1271b2d9b1ed29a

SHA1
24d9961ec8a63e20619ceb28b91c22689068643b

SHA256
8a020ae80d0e8db32dc183d90900a1b86f134b63a3247c99adfd027e9d8dc5b3

SHA512
e7a8f02d00ae1c345653506d8ef9eb31e1f57d9c8222232d5a25685f44c082d7ac18dbb7aa233995470aa6df689e12504c2ebdb98965060f3788868a68359f8d

Download Submit
C:\Windows\SysWOW64\Bcicjbal.exe

Filesize
487KB

MD5
f3b62819ff43bbcdf0a4035db37e5346

SHA1
5bac4f08d41c963a7ad5ce9292d7540a8e31aad7

SHA256
125c84637c41dd8751f3da3fff1c8e5d419bd38953ab5952b745493e69fca45b

SHA512
6b3cde9be3d503bb207337e67724a38ea68b6bde7ff6f98aee59ee0ed4ff6d1cdfc84559bc7ce6132d15ba4dbb93b62f5113996c3f65c594d06bfa73595b47d3

Download Submit
C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
487KB

MD5
13ee44346ad35ef710e2c0758fc696d3

SHA1
45beb0b4d12286af873d3635992075edb99d6449

SHA256
6fd73830516a04e524e8c392f9c5aca0d17c68cf959bd95e78a7ab9fa5980320

SHA512
7388724854520b5b1be6a74812e11046cb532a3ee4121837928ad499f715d334323480a573683e51c61b65ac44451ac0ac5e218aedcae0f488cc064f9f7144c5

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
487KB

MD5
7e3ad9041d5db44a0b5bbd564b8fa207

SHA1
63f4f77f56f5a6242b143775f3c1786ba7b66188

SHA256
053fa024ddc31700a1305d91981eebafced21435e2b797d42f02b8b5a0c6ef42

SHA512
e30e397e9a57b018431e430bc5215407583605a295aaaf644b350619a044b417cdfc77dc06b7c47a91594c059ea1c50770f5e01f521a5df3fcd114aa7cb0e39e

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
487KB

MD5
93350f98ad6f30a3e80b08aa1af26ae5

SHA1
c62b25f334d468e18b98fb76efa6da2b6aaf46a7

SHA256
ab2d15f6eaf947911f192182e516c6e9cff7ffa843fa4bd0ca67c95c14416a26

SHA512
afc0c40064ab6a210d54944166d3743b79d1af150a339a1b856e481d5d0de8dd9501618876e41d81d049b94097616e9cbb4bbb96c6f60aaf26fb96385c6a998e

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
487KB

MD5
90787f14c2c3baaf0b2ab80c56c31319

SHA1
4fc6b3238317077ea850a1af981095c3d24dca30

SHA256
af4f7b0c72ce1a683a83656a487860bf9bebc592db465ab64c294ce555f6d8a8

SHA512
087b3bba62b354d07d07fa35423085a802fff9ffd7000e04fbda17bfd00f781d542e6b4bfe5bd687a54710293e86999e55c3a4cfcd05b8277f4d37f0e3a4e32b

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
487KB

MD5
00f0687e35147b4faa064b83a61f8b76

SHA1
c871a32546d986209ba41a27aa37b766dc153532

SHA256
e2f78eb7379b59c86bfcc90a485394bb4531e65ad765925f073da0d8e1671962

SHA512
3c69e8c2f897ab1783606ce3cb887f6ed0eea5f0c26ee0f43bb9d8fbc9a50144b602525f1c40f299aeb574bc6d2eda0bcc0b28561928cd846b416e368126c101

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
487KB

MD5
90e6a4c1983d50ac40c204de26a4a8ad

SHA1
9929c91006dd4947b85e12651bd3f0182d4662fb

SHA256
80077d2186abf56db5033ad425b4e2f1823a143b082ca40edb20af0f52244931

SHA512
5c1af6319189cb7dde92974a3698d0d5a180f05876a5c33713387b9d5b6583b63c541902ec4ecc63964f10e9159f63032acb48e0d38ce9aefdd4adc99c357164

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
487KB

MD5
cab8ed01aaa78543a61b8b83feaa12f6

SHA1
4f3b7563990536d41aa286647a62b577b048a0b3

SHA256
364a59c580a2ca648b3af70f04b882def589243fb07eb92608364b9be9fc3b00

SHA512
cb56ae8f007d50fab8c4a7edef803c64d57bd6305686079d59dac0fe947a3490c6e94dac6761421acfb08fcbcc806f403ac2b189fcc6e7c09968a6cc9d7074ad

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
487KB

MD5
3c21021bce45d5cc1a0075fdc7843159

SHA1
b7a58912d46ca46fa392c64433b57e369c2be8d7

SHA256
5467fe2a37f6a05df921aa918f576b41cb3e6faea287b9a8e60a9362e512cb37

SHA512
f2cab4b5751c492f4bc070cad6053f105895766d128b977c12d24667ad4ab0f37476cfac47f526780707e028b24d2a4c17dbf087a70c021f0122a381410cd252

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
487KB

MD5
77ac420eb6eb05d281670f581760da14

SHA1
758217b12e00d1c390dfd0193bb1fc5662dcf619

SHA256
42d8cb08e0e6c6ceeaee74d4e563ec0749acaa3ea7821da3963fc8b4ec29b19b

SHA512
39c9c0633eee2e6f08bdc32647d8c3e881e659700a16dd2ba47240ea5c01b761dad0565d955e2f18b4c1d2709c40ff5d5e167add89e4eff9a46532f2ab346885

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
487KB

MD5
b566a439f326898903cfca1bef12d75f

SHA1
14512ced11ebcb16a2816a2e430f0ed6b0f6f559

SHA256
00540b54493d9e0b76b73667962867d262a09f442dacdb7f5ff74082405f505f

SHA512
d49f934b239842342f6afddf745be5400bab9ecb357821644ea5d049842f9bbdd1b7714e7469ace6d12c71863b7b476ce05fa63a76292553127a081194aa90aa

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
487KB

MD5
ff639ee6debc447bdcccc0d9a98bcd24

SHA1
22b6659edfe650cf1f98dd088ed0752284d6abb7

SHA256
c2c53998dd42cc3a6de4e662c98711f980349ed0a765feed78a0be11eeb40373

SHA512
192555657f802cbd8f5b5ff32625f8c8ee94e80da02862091a37314e88c80bc2737d5d509dc2d33b0e52bd37d8149e42766f5efa8e359e0dd7170cd01bf87c17

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
487KB

MD5
bc0f4577c0d41fe3f3bf388b6e8b6a16

SHA1
98389c9321f01b5caa9eb6294233700eaa460eee

SHA256
64286f15e2cbaedb1bdf6f3cab1c483817102ff22ba2736e9fb272fe56cf4297

SHA512
8e1eeca444952288c80eceef874398bc64edaba55b281f46a5af484a4f7466255d2e2065b690c392b088e949be32d9eeb141e4804abc8bde55c69ac2bd2c113d

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
487KB

MD5
03a4ebbd7b26349e481a4306db70730d

SHA1
68a8a307482d8b94aa75067116dfb434028dc086

SHA256
4551b983e7e2aba787fb0a18ce030e0cd97cdef340c5cf8497df9613035eb454

SHA512
1ef0a990bffa6e41cf03294392232a55b08f22c6f34dda1ca32fae55087602de2011a95e6d07a7e21f2946648fa1b4b8d7373fa77a124e3df71550dac221ee47

Download Submit
memory/548-567-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/548-569-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/552-573-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/552-558-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/596-565-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/596-571-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/780-291-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/816-8-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/816-550-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/876-261-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/892-368-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/904-109-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-380-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1400-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1460-338-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1464-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1764-374-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1916-278-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1940-204-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1948-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2024-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2028-564-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2028-25-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-213-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2044-266-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2064-575-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2080-350-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2184-314-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2188-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2300-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2340-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2388-344-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2448-545-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2448-577-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2712-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2740-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2772-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2784-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2868-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2896-182-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2908-356-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2972-237-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3092-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3168-566-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3168-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3360-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3364-332-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3428-174-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3652-273-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4032-361-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4308-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4324-390-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4416-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4720-537-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4720-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4720-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4804-16-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4804-556-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4864-297-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4872-190-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5060-149-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5104-320-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5148-392-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5188-398-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5228-404-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5268-410-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5308-416-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5348-422-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5428-432-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5472-439-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5504-445-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5544-451-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5584-457-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5624-463-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5704-474-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5740-479-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5788-486-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5860-497-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5896-591-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5896-503-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5940-589-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5976-514-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5976-587-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6012-585-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6012-520-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6052-526-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6052-583-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6092-532-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6092-581-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6132-539-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6132-579-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads