08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Size

320KB
MD5

ce9c737db5e0959496bad01c8c7f7262
SHA1

dc75c3dd5d3a4ec64bcf5fa1436a6cea56e20338
SHA256

08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60
SHA512

fd09ea442b54bb32e9409823fcf90dbabaa5d8963effb685607179102dddbcfb2f9c1489fe82d02fb00bee85c9e64e61b25b9f835849511fc1d6e76d041523a7
SSDEEP

6144:mCeRsVQ///NR5fLvQ///NREQ///NR5fLYG3eujj:7nw/Nq/NZ/NcZq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe

Executes dropped EXE 64 IoCs

pid	Process
756	Anmjcieo.exe
3676	Ampkof32.exe
1108	Adgbpc32.exe
2708	Ageolo32.exe
2836	Afhohlbj.exe
2712	Ajckij32.exe
2532	Ambgef32.exe
2100	Aeiofcji.exe
1404	Agglboim.exe
1836	Afjlnk32.exe
4232	Ajfhnjhq.exe
2032	Accfbokl.exe
444	Agoabn32.exe
4288	Bjmnoi32.exe
2148	Bnhjohkb.exe
1324	Bebblb32.exe
4668	Bganhm32.exe
3584	Bjokdipf.exe
2164	Bnkgeg32.exe
4092	Bmngqdpj.exe
1752	Baicac32.exe
4800	Bchomn32.exe
1432	Bgcknmop.exe
3832	Bffkij32.exe
3988	Bjagjhnc.exe
4552	Bnmcjg32.exe
4756	Balpgb32.exe
1860	Beglgani.exe
3512	Bcjlcn32.exe
460	Bgehcmmm.exe
1348	Bjddphlq.exe
1536	Banllbdn.exe
2240	Beihma32.exe
2360	Bhhdil32.exe
404	Bfkedibe.exe
3840	Bjfaeh32.exe
4576	Bnbmefbg.exe
1700	Bapiabak.exe
1696	Belebq32.exe
3696	Bcoenmao.exe
3052	Chjaol32.exe
2044	Cjinkg32.exe
2704	Cndikf32.exe
2492	Cabfga32.exe
1232	Cenahpha.exe
4784	Cjkjpgfi.exe
4364	Cmiflbel.exe
532	Ceqnmpfo.exe
1644	Chokikeb.exe
3468	Cjmgfgdf.exe
4832	Cnicfe32.exe
4220	Cagobalc.exe
3472	Cdfkolkf.exe
3900	Cfdhkhjj.exe
4660	Cjpckf32.exe
1692	Cmnpgb32.exe
5080	Ceehho32.exe
3648	Chcddk32.exe
2244	Cffdpghg.exe
512	Cnnlaehj.exe
3744	Calhnpgn.exe
1412	Cegdnopg.exe
3636	Dhfajjoj.exe
4996	Djdmffnn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1036	4972	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 756	2924	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe	82
PID 2924 wrote to memory of 756	2924	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe	82
PID 2924 wrote to memory of 756	2924	08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe	82
PID 756 wrote to memory of 3676	756	Anmjcieo.exe	83
PID 756 wrote to memory of 3676	756	Anmjcieo.exe	83
PID 756 wrote to memory of 3676	756	Anmjcieo.exe	83
PID 3676 wrote to memory of 1108	3676	Ampkof32.exe	84
PID 3676 wrote to memory of 1108	3676	Ampkof32.exe	84
PID 3676 wrote to memory of 1108	3676	Ampkof32.exe	84
PID 1108 wrote to memory of 2708	1108	Adgbpc32.exe	85
PID 1108 wrote to memory of 2708	1108	Adgbpc32.exe	85
PID 1108 wrote to memory of 2708	1108	Adgbpc32.exe	85
PID 2708 wrote to memory of 2836	2708	Ageolo32.exe	86
PID 2708 wrote to memory of 2836	2708	Ageolo32.exe	86
PID 2708 wrote to memory of 2836	2708	Ageolo32.exe	86
PID 2836 wrote to memory of 2712	2836	Afhohlbj.exe	87
PID 2836 wrote to memory of 2712	2836	Afhohlbj.exe	87
PID 2836 wrote to memory of 2712	2836	Afhohlbj.exe	87
PID 2712 wrote to memory of 2532	2712	Ajckij32.exe	88
PID 2712 wrote to memory of 2532	2712	Ajckij32.exe	88
PID 2712 wrote to memory of 2532	2712	Ajckij32.exe	88
PID 2532 wrote to memory of 2100	2532	Ambgef32.exe	89
PID 2532 wrote to memory of 2100	2532	Ambgef32.exe	89
PID 2532 wrote to memory of 2100	2532	Ambgef32.exe	89
PID 2100 wrote to memory of 1404	2100	Aeiofcji.exe	90
PID 2100 wrote to memory of 1404	2100	Aeiofcji.exe	90
PID 2100 wrote to memory of 1404	2100	Aeiofcji.exe	90
PID 1404 wrote to memory of 1836	1404	Agglboim.exe	91
PID 1404 wrote to memory of 1836	1404	Agglboim.exe	91
PID 1404 wrote to memory of 1836	1404	Agglboim.exe	91
PID 1836 wrote to memory of 4232	1836	Afjlnk32.exe	92
PID 1836 wrote to memory of 4232	1836	Afjlnk32.exe	92
PID 1836 wrote to memory of 4232	1836	Afjlnk32.exe	92
PID 4232 wrote to memory of 2032	4232	Ajfhnjhq.exe	93
PID 4232 wrote to memory of 2032	4232	Ajfhnjhq.exe	93
PID 4232 wrote to memory of 2032	4232	Ajfhnjhq.exe	93
PID 2032 wrote to memory of 444	2032	Accfbokl.exe	94
PID 2032 wrote to memory of 444	2032	Accfbokl.exe	94
PID 2032 wrote to memory of 444	2032	Accfbokl.exe	94
PID 444 wrote to memory of 4288	444	Agoabn32.exe	95
PID 444 wrote to memory of 4288	444	Agoabn32.exe	95
PID 444 wrote to memory of 4288	444	Agoabn32.exe	95
PID 4288 wrote to memory of 2148	4288	Bjmnoi32.exe	96
PID 4288 wrote to memory of 2148	4288	Bjmnoi32.exe	96
PID 4288 wrote to memory of 2148	4288	Bjmnoi32.exe	96
PID 2148 wrote to memory of 1324	2148	Bnhjohkb.exe	97
PID 2148 wrote to memory of 1324	2148	Bnhjohkb.exe	97
PID 2148 wrote to memory of 1324	2148	Bnhjohkb.exe	97
PID 1324 wrote to memory of 4668	1324	Bebblb32.exe	98
PID 1324 wrote to memory of 4668	1324	Bebblb32.exe	98
PID 1324 wrote to memory of 4668	1324	Bebblb32.exe	98
PID 4668 wrote to memory of 3584	4668	Bganhm32.exe	99
PID 4668 wrote to memory of 3584	4668	Bganhm32.exe	99
PID 4668 wrote to memory of 3584	4668	Bganhm32.exe	99
PID 3584 wrote to memory of 2164	3584	Bjokdipf.exe	100
PID 3584 wrote to memory of 2164	3584	Bjokdipf.exe	100
PID 3584 wrote to memory of 2164	3584	Bjokdipf.exe	100
PID 2164 wrote to memory of 4092	2164	Bnkgeg32.exe	101
PID 2164 wrote to memory of 4092	2164	Bnkgeg32.exe	101
PID 2164 wrote to memory of 4092	2164	Bnkgeg32.exe	101
PID 4092 wrote to memory of 1752	4092	Bmngqdpj.exe	102
PID 4092 wrote to memory of 1752	4092	Bmngqdpj.exe	102
PID 4092 wrote to memory of 1752	4092	Bmngqdpj.exe	102
PID 1752 wrote to memory of 4800	1752	Baicac32.exe	103

C:\Users\Admin\AppData\Local\Temp\08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe
"C:\Users\Admin\AppData\Local\Temp\08e4282bbcecf39b869f3c879ab1537bbe7958ed2d4b8ee1d9d65fd91c3e4b60.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\Anmjcieo.exe
  C:\Windows\system32\Anmjcieo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\Ampkof32.exe
    C:\Windows\system32\Ampkof32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\SysWOW64\Adgbpc32.exe
      C:\Windows\system32\Adgbpc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 404
        81⤵
        Program crash
        
        PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
320KB

MD5
3f367f22d659f57fe2223a770a46c79d

SHA1
3ce015ab52137a1b646f748981cc51bfc087607c

SHA256
f16d9b2708539f0371fceea5e36c9c369dcfa3a0d4292ef05cc386c5927993bd

SHA512
300344e16a7ce76b6c958511062cb44dd47526340b4e6d77f83c144730adfa1085e23836864ccc208949a464cd5461cea7766cdd706e1b62fff9c759b8e115c1

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
320KB

MD5
f1169abbb1c90553b6a5c3df36cadc89

SHA1
04896c3243592bd3fa723bc83355d8e871ac76e1

SHA256
50204c36992325e69a3695e2dd5e3ce74ee5aa6a72f4b062a34dfd3516042d71

SHA512
7887f4b66722186350d72f4ab3ef3a52999a6f241c463e03bafbb9f169d46071fee05b64578dc5b8737e153357c76d61607567c8a2f5072ce90a165f20b86cf7

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
320KB

MD5
2a87ad4a21cf31bb412c065ee6796d7e

SHA1
3f8ceae7f3494d65a13a80bc07c19bebb8dbc911

SHA256
10ca11e7aa1f5f5c69c539464b4182544bb938aae234662195f8a631bda59756

SHA512
c29b2df287dc9e2006cbb83e12c574e8b1b22cdca2a5ee8e4f5f4fc4ff0cf558549a8dee04226ded760daf4c520a94ff71ff9f1876e93deb347e8a54cd09dc67

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
320KB

MD5
ff1f621533a88f01bc33da287a277f67

SHA1
ad38c7bf54ce9cd1442aa2285cd7cd16dde3ca5c

SHA256
9e846dae7198482effadfb02b3c3394d702d68a0c9aae0b59e5a960b15ce9ab6

SHA512
87eff066c27fb590a597de673f901148c9c57a319b068dc5754ae8b5a96ac86f78cbaf646e7e500c85aff1650d7ce75f3fec7347ab71fa3e7eff50d80677b64a

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
320KB

MD5
ab7b6cb5e6ba36deb204ecfd33262d32

SHA1
158e8d45926cc5857f837087ca5cc98968bd2a63

SHA256
06a4af92b5ca2a38fdd7c8313e2633e1625544941728f089be29e9595f37b8e7

SHA512
b6d534fc1cebed44e709e6989e0e75bf3e8cdec7c41a87826a07fe00157fd17564ef46f7b82ae222d68bc7722fab2059f9c466770c4636564c9c6938f62e5c84

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
320KB

MD5
bad218de3140703b88f2e73bbc5dea02

SHA1
60bccc54857628b4d75484b11812b80a4fd928e9

SHA256
146016276066a67524ec27a91cd202ade58d171a11de76bc40d98025285dbab8

SHA512
e175776d18e31bfbb70b98c6a615cf07a03425c7801b70c7b3cbb2d6a9e01dcf3cdbd0be22c393b2e89d6520bbb23efd08b312d12028cf77bbc1d6bf4d4d8c98

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
320KB

MD5
b646b3b0139037a379950e6631cf4b55

SHA1
10332fff271b76e72f01dbd1ef26b616b4384ec3

SHA256
50a67986485ac9d37bf30020075ae5f160036889a7942b6320654a91ce4f87d4

SHA512
d4b86cf457074c18112363b53a39464226c6b6c833dd056cfe640acb74bed779929d35fb1737aff37eb30d34450c251a9a55464e3da6aa0fe3cc9da356397c87

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
320KB

MD5
11e5161fc1988297506b20d87b397a42

SHA1
3efcdfdd7dda996d4ff15dd240e229040de216ec

SHA256
b6c33a4d049387274b6490d75c8dd82b5e19ed35fa9a8e513df89bdce0092e76

SHA512
d13dbfa93572f5419838118674dc4c773ef381fddf365e0dbac83d50e37c82fe1fe0306f6b16347b0e627d39e993621ca650b8cff7d6a5acb1fdd7878442674f

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
320KB

MD5
95e773287e91cc26bcafc191f97e2de9

SHA1
efeb9f14088b539aa68a9ddecbe22e1311ed13b6

SHA256
e1bf5aac134fa1a0225c0b6903beecf56bcaefd4a16ad78a947d3988a5c944a0

SHA512
0147395916c51b60ee183c6c5e3cf7cadf2040683dae9e5d90b16b6dad60ecf0737c167a8bdf2751c34815b53e615159123b711b4bcc66231b8c24d480749f10

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
320KB

MD5
4b05627bc43566e4a3b0088885470927

SHA1
c309d06532d74d99689b2ef21ab36162b71e557b

SHA256
40bba08b99bb7acf59f174e4289c5faa2c3d096c33fa2b2b6d5eb66a65718173

SHA512
5ccc0f086e29b556954d1c317aff4bd789d4f7f39fd24d6fce0eb0d56dee639509e2b6596cbbd1b1fb0a9a7276dde613f48b3997d4bd9c7d547f5520948f0f64

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
320KB

MD5
df14e02a3f825c38a071f1ea5fe4e694

SHA1
2db82f679cb610e5e447b5faa4d9c6f0f4699662

SHA256
fba2a9c34195cd9f04bb157d3a0abd40c44e9e5ce50211c741097c5ccf121a7f

SHA512
eadb6306b20eae954001472474e3c1e36e5a0ff41d62b97c2353a3e589c3e3b9b006775eab752dc57feac07e7e4e11ea6584b895e90d0649f6c4d5e6f9f62903

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
320KB

MD5
1bbef451e30c34f111dc62d77686f1f6

SHA1
df151b77db3cd1e1a935f851716e6c5da065061e

SHA256
dd5e14e95fd5a4a421d02614d18fa335fd3f266e366f0a7134847a4c33b6eb6d

SHA512
4984653218fdc32c0f0cf772a20cc26342573b905100fa68e72d5093625a16fb2b19100d000310a033ee948f3bf32f60e3f9fa6fa4d9ee211bd7b3d43b7516bc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
320KB

MD5
b3dd260a0e1d44ab2d2cb1e192a04312

SHA1
fc03a6250c41d33ba02c60504f9d94925c4ade64

SHA256
a3a542d6d624f715a58874cf9b04d6ae4f6d556b276886d517f4428edc0f5a17

SHA512
4cf9f66e68b026a720a236cd1821631daf64863cbf4ee9546a567e64259b1bfde89926836d66bd245c3a7203d0c6952f5a6f336d20d82b1ef148129fde9e3bc9

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
320KB

MD5
0ceda98f5c3652bd8f9d0add983fa34c

SHA1
ee2c7d9a1f4bf1b6a584adbc379855593d547461

SHA256
08ab738c3323594f2e69641c326946dcc8c1be694cf913de4388dfbed0df288c

SHA512
80608884083a0c51bdfc979ebe58a9dad34bd6787b779dea993ac32c910a4b42778b8467363f4da43a8a591e8ccc02194ce93fd73287471ee430419b572ed551

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
320KB

MD5
8a592fda0d9807a3b8ea9e39a04af156

SHA1
f1d5fbfc4e484c51f4b077a275605fe6ed556356

SHA256
b3662549ee9dd118c5b2e46b952bfbb2943b4e0d5b1c81b30f06e6a7b08277d7

SHA512
820bb7d14f4d217601244f9107b8146c1bbc31befa0194df1f9f1d529cd1deba24038544626315a19d9b115fb96fe8dda549744a9115d8f1260bd869ebd79497

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
320KB

MD5
db8d7f1fe3ccfff6da552abf5d47eacd

SHA1
c1fbc969af0a836ae372f0cb5e348e9c1801b08f

SHA256
e4228ba0a7bf346c3b7b5b2824d37d8d5934f4d91b11202518d78610ca1a8796

SHA512
e1200f139a5dbf607efc768f6939fc20deb496a5bec804a6bfe8ef6144292cb2a070e6f52e1a0e264306ebd06c4a84afe10938a2b5d6b88b408f71741f519cc0

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
320KB

MD5
09ae0c82f1a99930ce28a487d8326c07

SHA1
57e151012d208ce8018cb5dae04a8f40bfd6f4a7

SHA256
d19f716143efabe3b9a4b6b70ad2d9eae9a3b63a06794f910c9dd14c28a277e0

SHA512
8140bf6f77c611b0951a313b75b150dff8b44b93d0dc6ea41ba85f2325ad37da1b03685d1894c1b8fd222aeae673201a6be03065a144337054fa499e5c5c87ac

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
320KB

MD5
2a7766707aa9fd8125ca69cc6273358e

SHA1
c1b87452ea7c85c9359523825d211fef530c70b9

SHA256
9eead24503635e929c0ac83379f1e9eb23dcdbc94577ed04f291653823084f6c

SHA512
b679a81bca6f026fbe50fee1f5df9e86d67680ee0091a6a3a17f23ba8114dffff051272270b7d5e44ed36da6cf7c67363bfa2abdc9e5a89b693c4d28486bf185

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
320KB

MD5
0a48df792301a6a436777b8e08631f30

SHA1
4305284102d735a50781392a4f217ba46d33fdc3

SHA256
0479573eff024b59acee34ddb71b843b224332460852aba533bfe0df89d12c99

SHA512
f3cd52a756104d127fbe13c7b0b671323ea553adcb7ac3a831cbb3eda308a2df8d16918bc8ee34fddbd49d16ccca4f6f67502c5079cca94e00d9ab9f52203b82

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
320KB

MD5
5fd41e7da0f01d855a90c6f00f2aa1ee

SHA1
fc0af10111e9ad7affe53ea7612f8f4a51b2a004

SHA256
4cbfba18dfe9fcd8be6ea33112ce0a811fc07c014cdc1e0f8d80253cbf0f55b4

SHA512
8ce366a71d98c8d9312195136939d4f4fc8aa02bc513d0ac60d422d41ca600d6f20b393031caaddd182ea607451a1c221e954744545f1ad265c90a8b996dfa20

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
320KB

MD5
c76d1e7a62853a269a0a2effae34942b

SHA1
d5cc95ecfb88ab3f46da8d9af696ec70a9a08770

SHA256
da9f1773344b3284c244ab0f641e11df5cda1dc39e657dc2e4eabc48d427d93a

SHA512
b400e540f1860cdd5d759d8ebf52f3e4e84b8afb222f9355b48cf03b84e4738ac52ecef6412007e7411b750b596da6cf99cfc92e3bd30b5f802856c127c33b6a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
320KB

MD5
dd6b6867b0fde6b70f43be1fcbc25108

SHA1
a696287d7e5978c2df4b96ab736ab0f9117773ca

SHA256
0a889f9867af7cb4e55a2079771a1e2f2456a2db3029aeb505da388419e113b2

SHA512
ad18312838bc8dfcf66745ad2ef3f199d8edab7445a0f7f4c6f1372a55810044969a9d28cfc1a8a627c6412c0de07c7a6400a057a384ebe4f0e07a7576fc3986

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
320KB

MD5
32d41eacf2a1b3b13e2be90e06058a72

SHA1
974db36e3133e6ba6d45d9539532e2a7b4210901

SHA256
fd58c7bd9557474ee24ede0bbae8042f89cc4fa8925c2d455a64ab173913e5f7

SHA512
7aba575d251f9c6cb0b4b930bc199da347571f42b5775ad0691451b4932af78fc45f756f58b31c99ddd46bbfc88f7e2aa289e0d3a9b1f1f7db0ba2337978242f

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
320KB

MD5
0183677b36d62ac752da20b0504d1a0e

SHA1
e199bbcd464f4806d68289fe6d5e41682c2b50d8

SHA256
4c8ade7960972547494aebd04e74391aac6f611be08d4cf9bbd96d1e0faf8b54

SHA512
ff3c0087194b65243bfe3f83e2d6101317a7de7cd2aba4d941f2a6cd9a7d1ab73a571d38a829a6165548bf9134955f1cb0cfe44b3958d2889e33b1ecc52abc11

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
320KB

MD5
00eb52f3c2f6b567ba95633e372fbd33

SHA1
29cf004d543ab5ac3b8c1b2287f1f4ecd293ba9e

SHA256
67de1b61ba7af46b44c84b79c3b7a1f6a9e98bff2762d4252a5c93edb509cb2e

SHA512
2eef2e4b2e0dc0e0ccb19bf302397fb3ae351a1e49115c67d72bd535c2f4491d43e8c3892e8aeaff722d9201399ff4c505643ca3ffa3b927826ced1147a4531f

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
320KB

MD5
b202c4f095e792b89bf0db1a744f0617

SHA1
3588244dd4e9eb27d0c785420d1275b291bb18e6

SHA256
d9af021bdcd5bf4e6e860132ca752bcd0ba64051b9192c32ba8429e047180c38

SHA512
237e8d46f1349120b6d859aafe6c5060979379c3c710e96987b815ef14d79b808b0c79e7a7d5597f3d843b8c83642dc54def9e19c186350d679b6e14feadaaf2

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
320KB

MD5
cfdefe4b82705691501d7f9302bb450f

SHA1
1f1ffe7c4255afc2c35ef0e3493a9e0f9df45af1

SHA256
4e77897cbe4755186e6ebc4ce392ad3b8388cc3e54243b64c3d0ff5bac6cc95e

SHA512
19154eeff2a823bba44b9256645425dd84d408fb4b287736d8aebb256bd9e681c4bd8d300ab4c056d6d941f5db5dd77d3232e74dd11da37c34edf31a35d2088a

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
320KB

MD5
fe762c9d497fa41fa9848656d6638e12

SHA1
a656e6949fb246ec7ff4219add41eef5623dbedd

SHA256
6eb21f2a91b52e1852228200edbfe61a8b75bda7c17799a0b7fadae3069532d9

SHA512
5856f658b8849d02a891bac6d23fd2fe889f954e8058ffcd07b785b1d663357f8ea3713be22891f9327e54be5651c9f45d2a348cd57bbcb9cb70c67f908c544a

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
320KB

MD5
030d1a106b939e36f870fa05f143e957

SHA1
649a74c0785f5b198c63949b3e07eb710563f74d

SHA256
f69ee0985fe1f0348b8d0125fcc53dc205429fb92415af50da4a7beee19fdb68

SHA512
8a4460da7e28bf5652591ab901826f1fa7aa4821448989038b58671656db41e0f4b3d68cad5575ab566fd158ac1abbe8f50f0fd610767eb4d0e89bb80d39db8b

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
320KB

MD5
2d2f79ab893614798042ee8e69c2fbf7

SHA1
a8bd961c737119e17bebda4c5f509c1cbe58fccc

SHA256
fd69f1de860ac72bca23f6cfef7b2616e7e1aebb2dead0f52bdf6742c323ffa8

SHA512
1379358593e3630dda05c91817a1861755e998bc05107bba3996e5d9bbe8e8baa098a4880d23671c65bb455b599aa44f73c7519a58919ebbda29f1e05ae62b86

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
320KB

MD5
72f643dbcc8befbbfd3cdc30d1a9e324

SHA1
923c9e6290e959f065092315427d2cca49c41188

SHA256
665f8565cbd18378d4a11d0563142490ae9ebf89c1ff4f3768389cf6834a3345

SHA512
1792c0149f6a0687424271d9ac7dca09eb6ed7c9af58014cd2fc610616d89db8c5060f80b6b48771487938144b44485a135b36c17ab347a28c0b3436c58b2add

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
320KB

MD5
4c2f6a151d872c8c1f2c3182d0c29624

SHA1
3963395631a774af33ec3e11703a0ba662ef3872

SHA256
2143959f26069d420083f6e2f1f3ff7430b743965aca19d53eff252c7e74fd2b

SHA512
7e92808d0ea3593b036cd497e581af0e7576a8ac4007a2c71aca5aa102c46000da6df753d89564af766d1d54d2630d23df37736c6d3a0324bc17eea3dcd30dc8

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
320KB

MD5
874dca8d1a40932e5de8ab9796eb3905

SHA1
7813d121da6bbf4449cae933729691159d7787d3

SHA256
d84cb4ed35cbd6e531618090a49aa049f86ce35281deccbe2899d5576a156f89

SHA512
ee82c9de8a2ad569d228c727a03defeef8e65e33189d6d0e527ac35017482e7c7c5a1d0df758f6ac502d0c1e0f1c5cc12f5ac4bc61a29cb7cda5fedf7aed52a3

Download Submit
memory/404-279-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/460-246-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/512-555-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/532-579-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/532-355-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/756-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/760-485-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/760-530-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1016-508-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1016-523-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1108-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1196-528-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1252-545-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1292-524-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1292-502-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1324-128-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1348-254-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1404-77-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1412-551-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1432-189-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1536-262-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1644-577-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1692-563-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1692-399-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1696-302-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1700-296-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1752-173-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1836-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1860-229-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1928-526-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1928-496-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-96-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2044-320-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2100-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2104-467-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2104-537-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2148-120-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2164-157-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2244-557-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2360-273-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2492-331-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2704-326-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2708-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2712-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2836-45-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2924-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2924-515-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3052-314-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3300-479-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3468-575-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3472-569-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3512-238-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3584-149-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3636-549-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3648-559-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3672-539-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3676-16-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3696-308-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3744-553-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3744-426-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3832-197-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3900-387-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3900-567-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3988-205-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4092-165-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4220-376-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4220-571-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4232-88-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4288-112-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4324-533-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4324-473-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4364-581-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4364-349-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4404-541-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4552-213-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4576-290-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4660-565-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4660-393-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4668-136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4724-535-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4756-221-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4784-343-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4784-583-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4800-181-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4832-573-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4868-543-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4972-519-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4972-516-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4996-547-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5036-514-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5036-520-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5080-405-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5080-561-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads