Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 21:19
Static task
static1
Behavioral task
behavioral1
Sample
a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe
Resource
win10v2004-20241007-en
General
-
Target
a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe
-
Size
64KB
-
MD5
e48c1a7b23a94c7a748213d1107f0240
-
SHA1
e2c7ee59676ee69a982c62a9d46350824ae288d8
-
SHA256
a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216
-
SHA512
ca0dae9a4c6f305d0974f1c9858044dbb8eeacb81fad068b7067bfc34a940cf90f37a5148789febc4e63bbb7f26d5651e7fe2996b7e66b41613c92911bcedc2d
-
SSDEEP
1536:hxNN29QERH7QuOP4jauf4CUXruCHcpzt/Idn:bVEhs1uf9pFwn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anadoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnicfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belebq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmiflbel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbmefbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknpmdfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acjclpcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmaok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdcoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe -
Executes dropped EXE 64 IoCs
pid Process 1896 Qnjnnj32.exe 4140 Qddfkd32.exe 1708 Qcgffqei.exe 1452 Ajanck32.exe 3696 Aqkgpedc.exe 4632 Acjclpcf.exe 1348 Afhohlbj.exe 1792 Ambgef32.exe 2216 Aclpap32.exe 4972 Afjlnk32.exe 3028 Anadoi32.exe 620 Aeklkchg.exe 1588 Afmhck32.exe 3796 Amgapeea.exe 4380 Aeniabfd.exe 4376 Afoeiklb.exe 4152 Aadifclh.exe 2276 Agoabn32.exe 3212 Bnhjohkb.exe 3576 Bagflcje.exe 1396 Bganhm32.exe 752 Bnkgeg32.exe 3056 Bmngqdpj.exe 3600 Bjagjhnc.exe 376 Bcjlcn32.exe 1536 Bjddphlq.exe 4456 Bmbplc32.exe 3944 Bclhhnca.exe 2032 Bfkedibe.exe 1388 Bnbmefbg.exe 2076 Belebq32.exe 2908 Cfmajipb.exe 396 Cndikf32.exe 2832 Cfpnph32.exe 2236 Cmiflbel.exe 3852 Cdcoim32.exe 4940 Chokikeb.exe 1492 Cnicfe32.exe 3920 Cagobalc.exe 3816 Cdfkolkf.exe 4344 Cfdhkhjj.exe 3204 Cnkplejl.exe 2964 Ceehho32.exe 4060 Chcddk32.exe 4488 Cnnlaehj.exe 1648 Cegdnopg.exe 940 Dfiafg32.exe 1556 Djdmffnn.exe 1856 Dmcibama.exe 372 Ddmaok32.exe 628 Djgjlelk.exe 724 Dmefhako.exe 4012 Ddonekbl.exe 3112 Dhkjej32.exe 1592 Dkifae32.exe 2104 Dmgbnq32.exe 3180 Daconoae.exe 3064 Ddakjkqi.exe 2056 Dfpgffpm.exe 4496 Dogogcpo.exe 3280 Dmjocp32.exe 3888 Deagdn32.exe 2604 Dhocqigp.exe 1484 Dknpmdfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File created C:\Windows\SysWOW64\Hjjdjk32.dll Bjagjhnc.exe File created C:\Windows\SysWOW64\Dkifae32.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Lbabpnmn.dll Dfpgffpm.exe File created C:\Windows\SysWOW64\Hjfgfh32.dll Qnjnnj32.exe File created C:\Windows\SysWOW64\Anadoi32.exe Afjlnk32.exe File created C:\Windows\SysWOW64\Afmhck32.exe Aeklkchg.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Bnkgeg32.exe Bganhm32.exe File created C:\Windows\SysWOW64\Leqcid32.dll Bnkgeg32.exe File created C:\Windows\SysWOW64\Cfpnph32.exe Cndikf32.exe File created C:\Windows\SysWOW64\Echdno32.dll Cnicfe32.exe File created C:\Windows\SysWOW64\Oammoc32.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Bobiobnp.dll Dogogcpo.exe File created C:\Windows\SysWOW64\Gmdlbjng.dll Afmhck32.exe File created C:\Windows\SysWOW64\Aadifclh.exe Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File created C:\Windows\SysWOW64\Jbpbca32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Daconoae.exe Dmgbnq32.exe File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe Doilmc32.exe File created C:\Windows\SysWOW64\Qcgffqei.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File created C:\Windows\SysWOW64\Gdeahgnm.dll Anadoi32.exe File created C:\Windows\SysWOW64\Hjlena32.dll Amgapeea.exe File created C:\Windows\SysWOW64\Abkobg32.dll Bnhjohkb.exe File created C:\Windows\SysWOW64\Nnjaqjfh.dll Bclhhnca.exe File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe Bfkedibe.exe File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Doilmc32.exe Dknpmdfc.exe File opened for modification C:\Windows\SysWOW64\Anadoi32.exe Afjlnk32.exe File created C:\Windows\SysWOW64\Aeklkchg.exe Anadoi32.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bjddphlq.exe File created C:\Windows\SysWOW64\Pjngmo32.dll Cfdhkhjj.exe File created C:\Windows\SysWOW64\Ehfnmfki.dll Ajanck32.exe File opened for modification C:\Windows\SysWOW64\Agoabn32.exe Aadifclh.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bcjlcn32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Jjjald32.dll Dmcibama.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Qcgffqei.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Ibaabn32.dll Afhohlbj.exe File opened for modification C:\Windows\SysWOW64\Bagflcje.exe Bnhjohkb.exe File created C:\Windows\SysWOW64\Cndikf32.exe Cfmajipb.exe File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Ddakjkqi.exe File created C:\Windows\SysWOW64\Ajanck32.exe Qcgffqei.exe File created C:\Windows\SysWOW64\Amgapeea.exe Afmhck32.exe File created C:\Windows\SysWOW64\Bnbmefbg.exe Bfkedibe.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Cmiflbel.exe File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Dfiafg32.exe File created C:\Windows\SysWOW64\Pdheac32.dll Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Daconoae.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Hpoddikd.dll Aeklkchg.exe File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Ceehho32.exe Cnkplejl.exe File created C:\Windows\SysWOW64\Ingfla32.dll Chcddk32.exe File created C:\Windows\SysWOW64\Dmefhako.exe Djgjlelk.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Mkfdhbpg.dll Bfkedibe.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Dmjocp32.exe Dogogcpo.exe File created C:\Windows\SysWOW64\Deagdn32.exe Dmjocp32.exe File created C:\Windows\SysWOW64\Aeniabfd.exe Amgapeea.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1140 2440 WerFault.exe 151 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhohlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmefbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmajipb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnicfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegdnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmhck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddakjkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpgffpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkgpedc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agoabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagflcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnlaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdmffnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmefhako.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daconoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doilmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeniabfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjohkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknpmdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjclpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjddphlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfkolkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajanck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeklkchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgjlelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjlcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclhhnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkedibe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chokikeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkplejl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjocp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qddfkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmiflbel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddonekbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfdhkhjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambgef32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Dmefhako.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" Aeniabfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll" Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" Agoabn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjlnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadifclh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfdhkhjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkifae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll" Bjagjhnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" Dknpmdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" Cfpnph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgffqei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acjclpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll" Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmefhako.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qddfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll" Cdcoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfkolkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkplejl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 772 wrote to memory of 1896 772 a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe 84 PID 772 wrote to memory of 1896 772 a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe 84 PID 772 wrote to memory of 1896 772 a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe 84 PID 1896 wrote to memory of 4140 1896 Qnjnnj32.exe 85 PID 1896 wrote to memory of 4140 1896 Qnjnnj32.exe 85 PID 1896 wrote to memory of 4140 1896 Qnjnnj32.exe 85 PID 4140 wrote to memory of 1708 4140 Qddfkd32.exe 86 PID 4140 wrote to memory of 1708 4140 Qddfkd32.exe 86 PID 4140 wrote to memory of 1708 4140 Qddfkd32.exe 86 PID 1708 wrote to memory of 1452 1708 Qcgffqei.exe 87 PID 1708 wrote to memory of 1452 1708 Qcgffqei.exe 87 PID 1708 wrote to memory of 1452 1708 Qcgffqei.exe 87 PID 1452 wrote to memory of 3696 1452 Ajanck32.exe 88 PID 1452 wrote to memory of 3696 1452 Ajanck32.exe 88 PID 1452 wrote to memory of 3696 1452 Ajanck32.exe 88 PID 3696 wrote to memory of 4632 3696 Aqkgpedc.exe 89 PID 3696 wrote to memory of 4632 3696 Aqkgpedc.exe 89 PID 3696 wrote to memory of 4632 3696 Aqkgpedc.exe 89 PID 4632 wrote to memory of 1348 4632 Acjclpcf.exe 91 PID 4632 wrote to memory of 1348 4632 Acjclpcf.exe 91 PID 4632 wrote to memory of 1348 4632 Acjclpcf.exe 91 PID 1348 wrote to memory of 1792 1348 Afhohlbj.exe 92 PID 1348 wrote to memory of 1792 1348 Afhohlbj.exe 92 PID 1348 wrote to memory of 1792 1348 Afhohlbj.exe 92 PID 1792 wrote to memory of 2216 1792 Ambgef32.exe 93 PID 1792 wrote to memory of 2216 1792 Ambgef32.exe 93 PID 1792 wrote to memory of 2216 1792 Ambgef32.exe 93 PID 2216 wrote to memory of 4972 2216 Aclpap32.exe 94 PID 2216 wrote to memory of 4972 2216 Aclpap32.exe 94 PID 2216 wrote to memory of 4972 2216 Aclpap32.exe 94 PID 4972 wrote to memory of 3028 4972 Afjlnk32.exe 95 PID 4972 wrote to memory of 3028 4972 Afjlnk32.exe 95 PID 4972 wrote to memory of 3028 4972 Afjlnk32.exe 95 PID 3028 wrote to memory of 620 3028 Anadoi32.exe 96 PID 3028 wrote to memory of 620 3028 Anadoi32.exe 96 PID 3028 wrote to memory of 620 3028 Anadoi32.exe 96 PID 620 wrote to memory of 1588 620 Aeklkchg.exe 97 PID 620 wrote to memory of 1588 620 Aeklkchg.exe 97 PID 620 wrote to memory of 1588 620 Aeklkchg.exe 97 PID 1588 wrote to memory of 3796 1588 Afmhck32.exe 98 PID 1588 wrote to memory of 3796 1588 Afmhck32.exe 98 PID 1588 wrote to memory of 3796 1588 Afmhck32.exe 98 PID 3796 wrote to memory of 4380 3796 Amgapeea.exe 100 PID 3796 wrote to memory of 4380 3796 Amgapeea.exe 100 PID 3796 wrote to memory of 4380 3796 Amgapeea.exe 100 PID 4380 wrote to memory of 4376 4380 Aeniabfd.exe 101 PID 4380 wrote to memory of 4376 4380 Aeniabfd.exe 101 PID 4380 wrote to memory of 4376 4380 Aeniabfd.exe 101 PID 4376 wrote to memory of 4152 4376 Afoeiklb.exe 102 PID 4376 wrote to memory of 4152 4376 Afoeiklb.exe 102 PID 4376 wrote to memory of 4152 4376 Afoeiklb.exe 102 PID 4152 wrote to memory of 2276 4152 Aadifclh.exe 103 PID 4152 wrote to memory of 2276 4152 Aadifclh.exe 103 PID 4152 wrote to memory of 2276 4152 Aadifclh.exe 103 PID 2276 wrote to memory of 3212 2276 Agoabn32.exe 104 PID 2276 wrote to memory of 3212 2276 Agoabn32.exe 104 PID 2276 wrote to memory of 3212 2276 Agoabn32.exe 104 PID 3212 wrote to memory of 3576 3212 Bnhjohkb.exe 105 PID 3212 wrote to memory of 3576 3212 Bnhjohkb.exe 105 PID 3212 wrote to memory of 3576 3212 Bnhjohkb.exe 105 PID 3576 wrote to memory of 1396 3576 Bagflcje.exe 106 PID 3576 wrote to memory of 1396 3576 Bagflcje.exe 106 PID 3576 wrote to memory of 1396 3576 Bagflcje.exe 106 PID 1396 wrote to memory of 752 1396 Bganhm32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe"C:\Users\Admin\AppData\Local\Temp\a3f40816c78aa980ec7c8a303fc5053cb8479add5da0aaa6974ebdfc0faa4216N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:724 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4012 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4496 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:228 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe67⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 39668⤵
- Program crash
PID:1140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2440 -ip 24401⤵PID:428
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5a51b1bdadfa8b5be0a636fde0d3c1b9f
SHA178c64a552a4bc4f8a6819bd6daa23f310a456fe4
SHA256e638c60a8cb9c242c0ce9ed071283b713370c078271dc2f3156b942903c78acd
SHA512ea494729e100d5075d7c2d19a89e344bab1417eb53ee4723244e6ce55737f78cbb038eb9504719875acdce085c68ae9b582c3cab55b72d0aa267eb0e7fd9640a
-
Filesize
64KB
MD57494c98a71fc2e68be72184a988123e8
SHA1326e25337f1e86944c2b6cb0fc025e76456778f5
SHA2566214c985b953d483c0685938d5e58b3a37161722302744aee5ff3060a6923a5a
SHA512c247788de059468e0292b4f101f6b69a9a98230dde91df3307b671653d597b03d2a9077f36e02756235862b09f740773279b1fc2bdeca493aa562bd2c07a677a
-
Filesize
64KB
MD58d3da55af3c99006f0b44d8e47efd3d0
SHA1d23f4cb3bab70a81cf563061c77831de38c5531b
SHA25611a25d6de853d4180c7338c5de3165d045de2f538c71744034386faaaf98d4aa
SHA512eb2ceaa2e5da62cf6eb440d97a7f10e65044949e9249eda781b8012b28a6410b2c9a2be6f3996f8cd880b8d3c44a79ba3a8e2e78987fd625578318606223fcd8
-
Filesize
64KB
MD568b05132e3352652ef3ff3804c20fcb2
SHA19ea8f003059714e2359f0677ab39f49688e87735
SHA25613b962371965b72ba66b20b1edc8ce4e3b437a32d675ca53bc3b41badb22f582
SHA5126d6db4ea7417993945128ce6e497550302f92d418b70b700272a3253a8dada74fa1b82cbe79c9ac31b0245426289a08b7b45146f8efe850b5d44259797f391a3
-
Filesize
64KB
MD5e7ed8865381c70054b1b11f3b7912ce1
SHA191c39e10b8d35ea45bee67ddfb920995a80bfeb5
SHA256795ac575e5f9f778e6e65eb0322892a260feb5889f2c472ab57b53b505eb36f5
SHA51263755b08babecd84f6fa0f09e5ed1703fcb227200c83e92079b2fe43706c1baa7d411e6295895ef5cbb1ec35b5c8e2264a2e0c5c4c03ebb79f9c11ff7ed1e574
-
Filesize
64KB
MD547187395dbed7ae5e4f2ae2ec858c637
SHA17f309e7471b4610059a5fea1192c957277aaf595
SHA256d9c964e7e518c79337136768e0994473d00571c96ca998153d0d4bb8d52323ff
SHA512cf6335ca00eb4e76675bb43a3cf2f4202ec18b6ce0fd63f61e5a19059ccd08768109e615e1c622cf50ac66f4f9fec09363214efbd5bce73ef6ddab1a5b742c60
-
Filesize
64KB
MD5666bec1d71ea3b023a545bc60c518ac3
SHA1a33c590b023712569f8529ef32a1eda3fe6e2f32
SHA256f54c761e96ec7496ad7464b01be5f855f3c788f08d995b66d415ec4300289a30
SHA512ea175e9ed238de83395e458030aaedda4e4d1ec7f25155b018a1dcac32022341c54ec36ea8b83d82aad9bfc27af573420d4335a3602fbad234ef9f0008896745
-
Filesize
64KB
MD5684c1cb1cf55ae2e839bb46184380e55
SHA1ab63243348c66d13dbd1b1a174e25d8dfe4a5ee4
SHA25664494d3f5ca0c7a7e5f33cb625deee1d28f02bd38fbc73eb8fb5a47baaac82c8
SHA51200de65894f61bb1331189ce98d3e90b8abe3360917b694ed75fc97a497b8874829cbfe6fc16ac90fb6ee7db2c963d45e7380801c186ee5f30523feb64a45d9f9
-
Filesize
64KB
MD59f556f5faa9acb9fcecce75dbda74acf
SHA10846566b73aeef149d936dcfc27c2232df30bbc3
SHA256b26de73c4469bbe94757a2e2481e02e693d22f55051f2e97eb4ec8b3b80dcbdf
SHA5120b520d0a76d3e4df076bd2b39a184bc928c1cdcd402332640bb1000e44bdb643f61a48fcdd064193873a298be6b30fc73f72475fa5ae9edcf8e191f8a1d0d7ea
-
Filesize
64KB
MD5e14aeb24eb39c0bc8c03a9052d0196ca
SHA10515cb4444fb26f27a50f2a77a54609ad6c642ee
SHA2561f54ff1a56e531af57b26dc4a51333041bc67035920b5f58576c4c34ca2e1bcd
SHA512c6b8bf62f3b95f7bfe8c23647dfb72d7c15392609f85b05580a4dd73e3f8ce4011fe17991cf228cfd1fbba0e3cc6de9348c6cc954b2cfb20f1261d0ff578b28c
-
Filesize
64KB
MD541ae440ab1640c9b56d21480aa16a876
SHA103f8d283e5d7e3bf321ea164c8cf3d0856553ab4
SHA25684eec6daf416296a9efdaeb8f9037bc211f3812be89537aed68ee88a8ff80be7
SHA512308feb080da79a0d79b6b446230b708831d4437ace2904f98825892e84ff3544a28265ef17617d741df4fd8c5dc279025d05900dec2d953ab253460a5d33be70
-
Filesize
64KB
MD5437e04045b917983a955a4fd0b047fe6
SHA133bba586a6aefd18b5d52f9e2cb972cbb774d425
SHA2567d1661463c40281dfca35a76b1878a522cf9144e9d8d532ba290bd95b0e7967c
SHA5128eea48bc08dd2ad540411bc9cafcb79c2d50bbf0d24ec25d92aae92543e493a0450d8b97e42c4d80988319cbfb97a11360b9c70eada538b5f5109b5fb82a8e58
-
Filesize
64KB
MD58867f8dfac52c1ac5f4bdd019562992b
SHA1d84459e1d81c985ec1449e7b3dc165724fd542d9
SHA256e96dfb5b399db7369bad4d7703966b18209059afc9f71377e7392158bc7126d5
SHA512d1a416609967174a5b2dc7770c882691369ab92fdf7f332f2beb84967bf5f66762059bf49486a5d11265ad44b95b6c77584eb54e0d002dc7ecf24a117335f169
-
Filesize
64KB
MD5c6a0ae4d5c1dabf7115ca2e6cd4018dd
SHA17d3648f7b4d607ca9d20b391868a72ddf6e2a4a3
SHA256ebca46e9aecfe6da501897f88b618adfe6ae7f77c5c4b8e0c4aee64da1a2270b
SHA51216d3b3bd5a6b9769b75e26a0af9bb3ad6734c980de1251b0422f53c4c87c9c135915ab6f6b2b595db5640955d4c7d705d6c677bce18bdecdd74fe11e6ad630d4
-
Filesize
64KB
MD553ced643aab60badd6298a7ff115374f
SHA1ef95979bfb24871ad6f1762cb03c72d73e2c3be0
SHA256b0f5f84782c285eba10a93fcb75cbe0b2c31a1a2dfa7d5c3cde8d84aa02ddb3c
SHA5124cf562c59cbe57ecbe4d1689348df7a2bba0a367117b1e00f4333b4493d66f96b4eadd71cc8b300319333c044a03ee6a1e9e0941b1242a1fc55051ab28bf1961
-
Filesize
64KB
MD511f007d9d529d7f3cddd8df922b7e691
SHA1c214c6165b0ed7770cde7effcb394dd46581957d
SHA256d854d8de589130309ee0edb7400412d420e2aad379022e697484a3dad5cd4d46
SHA51224f2ad3caa46393602a781154b9d66be3c5cadee44d3e63e938bbebbc88e1b7b830ec8794faba9bcb95667d30f97fae5509814c828270c80a04f25e537068e74
-
Filesize
64KB
MD50831a6fead0eb40f46341b724930aacb
SHA10d3c803eb606567a7c131299671278e21c1b02ba
SHA2563e5c649808151775ed77475ebb3741e734b0aa5e64a7e01eb59f49101d1b8610
SHA5129056c43b68b326d2334ac30846d999a59252dc192917a5284a06f0c290280f83dee863ab5ae9c06a68bbfcd1ac8b24ba64360d550ce9bcc031c4c7687eadd4e6
-
Filesize
64KB
MD5ad559423292152a71c6ea55756c27529
SHA187b9efe7fcb11b22cf7ef7d7edadbd472cc5630a
SHA2568d8fe177c4f6df5e5282840d8c16392a2df8440a561e8dc70622750d5ac9c3ff
SHA512da2e5a425e6b63cc7ecc6323e2d4172ea0c4c68da81e7ca74793bf7b3a03417b0014d3ce1bb3746b7352ca78c5b52fc4321b7d28ee0f5b0139438fdd0d6ec6bb
-
Filesize
64KB
MD55b8ee7e3faca3b3ed460fa3455f6bd4e
SHA1175d40dfc760582ca491f915ae5f39275f902935
SHA2565309eb86ff4c115bfd16824de8767241839771187ec136b42e0668c57a859fea
SHA512113e07f7148030ac7dd88da93e9c95833e38f637a05f4006e48511d0021a3fd6308585442e0f1e2c233fb837934061ed6a8673b0903faffd337237049440665e
-
Filesize
64KB
MD5d287a1da0db5c8635199c1efd1c91f88
SHA1209b4115655d888f9c656a9b39d0171032d440af
SHA256ed9da034da0e14c18c4cfb86aa6dd433aa231f0b53dc8becb29da3363ff22a46
SHA512f455be2dc03f0996e5c1289c28a40b6ebeb20e386f96ebb762ec9a9c40decb5a3f6f48f70f3350b51f4db7113cf0c14d0ee9697a3c9051b5c0823b8edbdf9fc3
-
Filesize
64KB
MD5a8b1f7ec006c6a17627e2baa0061b850
SHA14e8291a7dc2d6106a63426085c2bda1c776e06ea
SHA25676153552f1bb6e55a9272dd0e69c7074ee16fb756fdc02813a102618b93fddc9
SHA512357cc0c86df3c944571837669a3f995eb8ab13a4ee6f8a99ba5404ba7e7eb2b68bd0ba9beda955d758012952ea6022156693ed722d6f361d9c457f35db05c16f
-
Filesize
64KB
MD59fd72faa8a6f615d74bf9dccb1553bf7
SHA10a71f156c96b46097220c26fb1abe78b8922941c
SHA256f35685d273d1711674478ca174f86c513c85aea02a1fec9fe8ccb3caa2345365
SHA5126ada65592b22fe9303eea54951f0d746caff4dc1fddae7938a02f0ff752c344f6a812d1e098f0487025e30d262f7935c6dbec547cbdb0ec07f05f095ebab1344
-
Filesize
64KB
MD57079f44da975cdef07abb1aab0eeefe1
SHA103b3c7a68f7dca61f688da31fc98bf21364ee9ce
SHA256ad59978721d3799e1838e1522e018e74f39f25643ebf636f5e89fb24fa723690
SHA5129008fed1d78e6edd0489da207b8d7c8309af199c393ffb0aa1bc4033b48d0dcf6d3d7ac625225e730fedd715f4af8873244c5ebb4bf758c670110dfee45096de
-
Filesize
64KB
MD541b18b91c427f61cc9a179bf22022c99
SHA18fbf0a644de35afc9fa232f0915d384b390d0ba6
SHA2565ed384b7d351da716d8e91f55000fe2c719a893b3d289573634cf46748aa046e
SHA512ae8b2bb0b23646bf5267ec80d4b10bd2cc908682a7466bb05d130b40b357b70fac62751b30d22be1f558aa49e82580e919f0d7c08a606512d21d189c983d013f
-
Filesize
64KB
MD52bd1b57c4eda12058182016f6f22359e
SHA1b734e81e22b7ad9b587dd3af263ffb251e119b82
SHA2562e70f8f098630c3c6196c5560e4498589fb567ec89597bff95b1a1111d9c6bf6
SHA5124d10a3f763cbfb6b976c67085d329fb01d72007e5b7c9b60e7aa965d79ffc7282f2c3b64bf8a1805d29fe5ef4aac05a586c3176c00dfb2b690585a39a06e43f5
-
Filesize
64KB
MD543b46f59506668fef96345a332c90a4c
SHA168ea3da8c9945a782e076bf539d2b9cac79d555c
SHA256696c56fc99ce526c5629ad1e3e63fdbf2ee424732808a93b7a397930bbfcd083
SHA512a7406319b389275984379154c2f904c1a2cd8af9ac26a2628109c5ee83f26d1df3bb6b51e21eaab8b3c1f984a753072933bcaa687d241c293f33d05aa8826a5e
-
Filesize
64KB
MD5f779a3ec63d49ea7c543c73a58b31890
SHA16dbbeda34b52f82977d1c347f90f43060a35f176
SHA256ef993559e56e9881eba7040ac28c1350d8b2be9fc4a9083a59de3dc5a0f11eba
SHA5121befbf51a902a0ccb9ba80c56b3c36349ca7565bd90b0009f8be7c77feb6b625499ebeb096b02c2e83a49f27647a1b1242e8af2d814ebdaaef55da9593d836a8
-
Filesize
64KB
MD5a0c9954e3e847f538da49f798726b5c8
SHA1ccd64fe17eb03a8898f8443ad53de1974fb8af74
SHA25661260172dfb88e40f76ca120eff980c7b1fabcabde5fe4a3af08ec24d63c89d7
SHA51243f652bf9c2d9498fca889ae3e3a911adc396876a2d48faffa37af74a61fba818eba576826d066634cd37e0ae713999ac7e7e3d15b99ec49f1719fe05f5a4e1d
-
Filesize
64KB
MD563423f0398acbfd44dd4c71bba8cf174
SHA19a91eb2bacfde12f091838cb818042c5421ac1fe
SHA2569bd96dc70bfdeaf007f907d3c622deb16015e330b8ff4a98fe9b7bd33ab72bb8
SHA5126443c7eb05dd0c267df9dd1ada700e54f3c2ea9565b016f9ffe36182b70107efe1486806318979f42697e0ba1f203a27c104e567e8e9467161e9747e33eb566e
-
Filesize
64KB
MD5746b0aa5447d53786ad60bec0277023a
SHA18976d1db7b5c077ce6ffe76fa8150a71fefae8c7
SHA256ff02c7d9d0cdbaa3f372421d8cf07a15e8e3fa58741ecb15467a33dbdd392a46
SHA5124352d5143a7bd5fe764735150aab5953eab021dd51ecd320aa3863805f4732695836859a117905eec72c182e05e0855e16ebe727c532aa61a3f1f4ee1c089f34
-
Filesize
64KB
MD5e3a7e0feea6ec6168769f13943a51ecc
SHA107c010250e9db5d31ec0f84106b9618e90f74fda
SHA2564b74350132bbb7e76bbaba2fd4a1802e6944f8b1babb992d1c9622790fad94f7
SHA5125a6b5dd30d8b8ea351b094b25682f03b489020a7ddc52292e6900557f987100cc606293bb6dc565a7280b1641be8e60a73ae5df8694a503c0c8170a3a6f1ca58
-
Filesize
64KB
MD58952875d634c67bf11d0e8e49bcbbbf6
SHA1290592f5431a11ff098c9304883db1581624b62d
SHA256bb146fa7b72a448129a4049cc8bea475a7ad1a8e4ddb7ec313d526c266ac098b
SHA5121ba70e9f9de6d02c06545559c45b247c228af24681ee6d621765ed6a3365c5f8b3d77861a0c8346b021105be6b6aab402320c9c2626fb89ab1e1772debe0e396