322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e

Analysis

max time kernel
137s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 20:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
Size

404KB
MD5

c7e0f262221cbfb74b3b43a9dead1d02
SHA1

f8d6b5c115a3c78ee3b1c5b64e53fa7d8476f10a
SHA256

322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e
SHA512

2e99ef18db3d315d3875b990524622cf058981464429de59394eb8078a8b96df43124a464fb5367d3de3e5cd9661cbff87b3a3cf79bcf64a2c8df9f7ead38ae9
SSDEEP

6144:k1NcNhuovENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:UqAlwcMpV6yYP4rbpV6yYPg058KS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epffbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caqpkjcl.exe

Executes dropped EXE 59 IoCs

pid	Process
612	Bdeiqgkj.exe
1928	Bgdemb32.exe
1584	Ckbncapd.exe
3924	Cgiohbfi.exe
3664	Ckdkhq32.exe
816	Caqpkjcl.exe
1532	Cildom32.exe
4784	Cdaile32.exe
1516	Ddcebe32.exe
2152	Ddfbgelh.exe
4608	Dgdncplk.exe
1652	Dggkipii.exe
1400	Dnqcfjae.exe
2360	Ddklbd32.exe
3208	Dgihop32.exe
4064	Dncpkjoc.exe
1176	Dpalgenf.exe
2764	Egkddo32.exe
3236	Ejjaqk32.exe
4004	Ekimjn32.exe
5112	Enhifi32.exe
1848	Epffbd32.exe
2008	Ecdbop32.exe
2264	Ekljpm32.exe
5072	Enjfli32.exe
2564	Eafbmgad.exe
2776	Eddnic32.exe
1644	Ecgodpgb.exe
2812	Ekngemhd.exe
1208	Enlcahgh.exe
2236	Eahobg32.exe
32	Edfknb32.exe
3240	Egegjn32.exe
4904	Ejccgi32.exe
4036	Eqmlccdi.exe
2340	Fclhpo32.exe
960	Fggdpnkf.exe
2924	Fjeplijj.exe
2356	Famhmfkl.exe
2988	Fdkdibjp.exe
4396	Fgiaemic.exe
2488	Fjhmbihg.exe
4012	Fncibg32.exe
1756	Fqbeoc32.exe
5164	Fcpakn32.exe
5200	Fkgillpj.exe
5244	Fnffhgon.exe
5276	Fbaahf32.exe
5324	Fdpnda32.exe
5364	Fgnjqm32.exe
5396	Fjmfmh32.exe
5444	Fnhbmgmk.exe
5476	Fqfojblo.exe
5516	Fdbkja32.exe
5564	Fgqgfl32.exe
5604	Fklcgk32.exe
5636	Fnjocf32.exe
5684	Fbfkceca.exe
5716	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Epffbd32.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Obhmcdfq.dll	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Fdkdibjp.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Eahobg32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Epffbd32.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Ncbigo32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Aolphl32.dll	Enjfli32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dgdncplk.exe

Program crash 1 IoCs

pid	pid_target	Process
5808	5716	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll"	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 612	340	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe	91
PID 340 wrote to memory of 612	340	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe	91
PID 340 wrote to memory of 612	340	322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe	91
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 1928 wrote to memory of 1584	1928	Bgdemb32.exe	94
PID 1928 wrote to memory of 1584	1928	Bgdemb32.exe	94
PID 1928 wrote to memory of 1584	1928	Bgdemb32.exe	94
PID 1584 wrote to memory of 3924	1584	Ckbncapd.exe	95
PID 1584 wrote to memory of 3924	1584	Ckbncapd.exe	95
PID 1584 wrote to memory of 3924	1584	Ckbncapd.exe	95
PID 3924 wrote to memory of 3664	3924	Cgiohbfi.exe	96
PID 3924 wrote to memory of 3664	3924	Cgiohbfi.exe	96
PID 3924 wrote to memory of 3664	3924	Cgiohbfi.exe	96
PID 3664 wrote to memory of 816	3664	Ckdkhq32.exe	98
PID 3664 wrote to memory of 816	3664	Ckdkhq32.exe	98
PID 3664 wrote to memory of 816	3664	Ckdkhq32.exe	98
PID 816 wrote to memory of 1532	816	Caqpkjcl.exe	100
PID 816 wrote to memory of 1532	816	Caqpkjcl.exe	100
PID 816 wrote to memory of 1532	816	Caqpkjcl.exe	100
PID 1532 wrote to memory of 4784	1532	Cildom32.exe	101
PID 1532 wrote to memory of 4784	1532	Cildom32.exe	101
PID 1532 wrote to memory of 4784	1532	Cildom32.exe	101
PID 4784 wrote to memory of 1516	4784	Cdaile32.exe	102
PID 4784 wrote to memory of 1516	4784	Cdaile32.exe	102
PID 4784 wrote to memory of 1516	4784	Cdaile32.exe	102
PID 1516 wrote to memory of 2152	1516	Ddcebe32.exe	103
PID 1516 wrote to memory of 2152	1516	Ddcebe32.exe	103
PID 1516 wrote to memory of 2152	1516	Ddcebe32.exe	103
PID 2152 wrote to memory of 4608	2152	Ddfbgelh.exe	104
PID 2152 wrote to memory of 4608	2152	Ddfbgelh.exe	104
PID 2152 wrote to memory of 4608	2152	Ddfbgelh.exe	104
PID 4608 wrote to memory of 1652	4608	Dgdncplk.exe	105
PID 4608 wrote to memory of 1652	4608	Dgdncplk.exe	105
PID 4608 wrote to memory of 1652	4608	Dgdncplk.exe	105
PID 1652 wrote to memory of 1400	1652	Dggkipii.exe	106
PID 1652 wrote to memory of 1400	1652	Dggkipii.exe	106
PID 1652 wrote to memory of 1400	1652	Dggkipii.exe	106
PID 1400 wrote to memory of 2360	1400	Dnqcfjae.exe	107
PID 1400 wrote to memory of 2360	1400	Dnqcfjae.exe	107
PID 1400 wrote to memory of 2360	1400	Dnqcfjae.exe	107
PID 2360 wrote to memory of 3208	2360	Ddklbd32.exe	108
PID 2360 wrote to memory of 3208	2360	Ddklbd32.exe	108
PID 2360 wrote to memory of 3208	2360	Ddklbd32.exe	108
PID 3208 wrote to memory of 4064	3208	Dgihop32.exe	109
PID 3208 wrote to memory of 4064	3208	Dgihop32.exe	109
PID 3208 wrote to memory of 4064	3208	Dgihop32.exe	109
PID 4064 wrote to memory of 1176	4064	Dncpkjoc.exe	110
PID 4064 wrote to memory of 1176	4064	Dncpkjoc.exe	110
PID 4064 wrote to memory of 1176	4064	Dncpkjoc.exe	110
PID 1176 wrote to memory of 2764	1176	Dpalgenf.exe	111
PID 1176 wrote to memory of 2764	1176	Dpalgenf.exe	111
PID 1176 wrote to memory of 2764	1176	Dpalgenf.exe	111
PID 2764 wrote to memory of 3236	2764	Egkddo32.exe	112
PID 2764 wrote to memory of 3236	2764	Egkddo32.exe	112
PID 2764 wrote to memory of 3236	2764	Egkddo32.exe	112
PID 3236 wrote to memory of 4004	3236	Ejjaqk32.exe	113
PID 3236 wrote to memory of 4004	3236	Ejjaqk32.exe	113
PID 3236 wrote to memory of 4004	3236	Ejjaqk32.exe	113
PID 4004 wrote to memory of 5112	4004	Ekimjn32.exe	114
PID 4004 wrote to memory of 5112	4004	Ekimjn32.exe	114
PID 4004 wrote to memory of 5112	4004	Ekimjn32.exe	114
PID 5112 wrote to memory of 1848	5112	Enhifi32.exe	115

C:\Users\Admin\AppData\Local\Temp\322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe
"C:\Users\Admin\AppData\Local\Temp\322c5a6399ff024393e162ac5a026480eb1348c21c75cbc91cd926d218c3f67e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\Bdeiqgkj.exe
  C:\Windows\system32\Bdeiqgkj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\Bgdemb32.exe
    C:\Windows\system32\Bgdemb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\Ckbncapd.exe
      C:\Windows\system32\Ckbncapd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 412
        61⤵
        Program crash
        
        PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5716 -ip 5716
1⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
404KB

MD5
d2a81af9e0e2d74000ab7a9ecfd99e53

SHA1
6315701ad27c4da84577d7a12eb757f563933d5a

SHA256
8143af7ab82feae9d462bf6298c99fe539eddb530b58768ab3a96134b18e46aa

SHA512
b5ab615a0cf92852dfdd7f62fbad1be2abfa98587b604fc6b77bc89bbc039382cd9ead8ae02dee3dbcd40b81644fb7faeb88389ae307a584c119b64d0372399b

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
404KB

MD5
36897ea171eff4f7cd05e1da15c84b89

SHA1
af4f8038a61390ee2e06f871579d4d1163e6762a

SHA256
efbd7727c087491c6b067b3663b021f82b0e1d404a16dff79fc8c3e2ababcddc

SHA512
cae585afc3d09ce34dfec5c293b338fc895353ec6ebca070867a3c62f798e7320557a59d8d55edd95f249cde9dfdbe67202adc7f0ca18cf305edafed43e4521c

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
404KB

MD5
3fe54c54361338dbc9b6d032b3769e64

SHA1
31698d12f674cbce78b8d1dcf725fe72b42996a4

SHA256
5a1c79c8a7ad611c6974c55260130db07fc4512d103d029d9a20c978d45e9fbd

SHA512
ee79915beda2e047847cafc2dc07c12cd8b865cdad0e27adc1b5dc9253af2279f2f75966c470afbe342de471f9384c1b18f52734bafd6acd8b4e8e73b41ee4de

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
404KB

MD5
ec3bb9ebe9bd0e41f1fc867b8bf5f664

SHA1
7941059be7212cc21e7aceca705fd15901afa43f

SHA256
6e30f1f0ddf6b688781c7933a0bc7cccf0895b96cc254390b9c62ab2e0d25c86

SHA512
8867404fcc862288243e45eb692eabf6a28f3c10d97eb02adc837b25906b5b527f30ea764f7c66e56fe7c98a3c7d51286e2b42973c7878ecba9d894161e3abf7

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
404KB

MD5
023034165ec1bc1f61e6feb38f8e798f

SHA1
eb5eb4380ab4754f62cc9f06efeea27b5211b441

SHA256
020c612f64314fa85a77af5ab35f6d194af35bb47b16804eff07ac7709403a05

SHA512
490ce1a67d5c947332dc51dac24b6abe2dc280c69ff105998d959a9b6cc4a514c521f22ab60ab36afd94893b34ba773aad0819159049a1525308fee874ac4d5f

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
404KB

MD5
ccf947e16722584a24e5551e7eb2fad4

SHA1
2b518548d3863e3fd71fb9f7666a3850f42ec7a4

SHA256
4b194b2552658f06a6e1a6c1fc0587efab421374a1da228333be1d93006f2cad

SHA512
e97704f820561858ef4d2b9511bc0fa2012e0401f2520ce9351bb60ebf7d6975e17da14f9338df33a97251b001aef0ac51f5eeb6f09caca2216c1f3d488659bc

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
404KB

MD5
5c7559a79d38f65c8dd556d327308ba8

SHA1
0c6e61a0260b4e01e81cec3bb5393b703c492bf1

SHA256
c13b014d0c51d2efaa8e79549d5411e4b04afb6d4194bab69d4725b19be640ab

SHA512
7ad766c24763c3809dc5c4dfc553565209bd76a4f8bc765f16eab388712f80379542ea2910d7883fe804f1e1985398a84a7fc0fe020060c4ae5b0f6d2808358c

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
404KB

MD5
0af647ae53651351e63ef8d81c40f777

SHA1
77fb9c820fe3c9cbb60f26b07fa214716526abe9

SHA256
8eb2e413182d17225cf878cda821efbd5e3afeae81f9431cf941a813fa65fac6

SHA512
484232d08c5bd8e72203b23d84a764c6f5046049d7059af91cfcbfcc8b5c607fd6a97ea6733ff44b5f63870f15ce86e012d8708ea8f749478a2d8f6c7ea350b8

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
404KB

MD5
0ffe9fca96dc03319e2f736675e00c5b

SHA1
d9544ace631e68344e4e7d845f99d3a7776e8e87

SHA256
6fde4d03f45f714d591921aa887338ecf2d577bdf759d691122b7bcd6528cf46

SHA512
75e4a54d4fe94e5818cb4bc43e4fce35e4033fb90b4f9beca9c69674f3738ef486a029e6e3ef5250687d9d9e0ddd1b4f107f3121349c06002bfceb2670136240

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
404KB

MD5
95c202244d8d78774a00819c83121f04

SHA1
1fce164792540d9de38f3a563584a66c84ca0baf

SHA256
11a069b7e4dfee034910b80fe376780590de89a78b400af7e4a2aac724cba872

SHA512
ac72ff424b635b5bceda35a47974caef736b61e5c1895fe7bca81039496787750430d629b54b29a7aebeca463066b4a2587fc5358cbc1f42ab14cc89f8520a6c

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
404KB

MD5
65e374b7f0dd1119731b286c09ae62ea

SHA1
b162720f8fcf117d1ad97e0b9579f26cdce6f956

SHA256
206307ff867e34878f86aaf4c359d77672d559ba12bc5a1302a621645d1ac6c8

SHA512
dce159d561646e6d5c64226e3905948e7c09907855aa96c184e399d407d83dccbbfc8d2556c4f1f2ac6e216a77492c4ee2fc8fb1ba2317ab003476cd2c9fef94

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
404KB

MD5
e2243231c60ea976381ee42b2cf8f4a5

SHA1
57a016312ddcb9920c4b4ff5bd5a7f8c77256487

SHA256
22f8c27e34d4801ca4aa5304537e369c6a4ae26cdd1c914f2d9b54bc85e5196b

SHA512
2643d23843553b7cf19762c41b2cb9056759dcca1fb0ae6e6e5623bd8f476548d2be752b08afa5d67b4bfaf6177f1cc94ba0a59bd0964b8c716212ef6567054b

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
404KB

MD5
ca5239b09cb5450e06f040fdaf76a815

SHA1
db9b8ce125a5a9c795bca30beb0fa832e3b988a2

SHA256
a03a230ec5ab7af065b8e56b1a9f77977227cb22bf6edaea8bfd1740c8e0324c

SHA512
4189ba2857e44460cabddc0f856d04d26bb60fb4bdc4ad92f0a0b5a09b1f0a24ed5bdbfb9bff164b046d550119fe365c12a94d4804bf7e6e9a5f9d1de26d5b88

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
404KB

MD5
90e472be07de38ff8b3e7fde1797be7e

SHA1
5f39d3b12b49736e09487fe891f71a2612f67479

SHA256
c4ae5d70d3abf3e51c52ba9a3ac144cb722c0fe85e0ea074710aeb46367f1ddc

SHA512
4fd9fdb177ab2af2172ea200d9b1b3cf16010bd8387890315066fb965c1d51a73cc7c9b2aa1c81e5834069a907db03062fc32c1ccb5d83d691c5acd29cef12bb

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
404KB

MD5
760a672bc1023484dd9038957a081783

SHA1
0ea6bedee8ef7881287c16468cf802172e167cdf

SHA256
e62dad0e1a50f6ed15d246f3ce43b6eec37ce02f3605a14832bbf1930d4899af

SHA512
4c94cd13649748feee95b30c1567306141c2cad51c6a66b5e1cf62b6748de429d63701d26287a71c65bb5ffa4727dd9557cc4b83963555f3fe4a8c5b7d48e281

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
404KB

MD5
6e6939b0bbce45680729277da09f0c5a

SHA1
404aa4a166c015fa217eef5bb52a00389e23322e

SHA256
76572a00079e0896976657a9eefc9f4f6bfc0e5ecb59cb67977febbd1a68a640

SHA512
820d7f9d6f3c175657bb10b9beb7e8c057d7b0838c52e715d5c1e9c6bbf22a7b0fa305485d176bff99c350846a76eefaf69e86072c7334bb3e54c246f3ceb512

Download Submit
C:\Windows\SysWOW64\Dooaccfg.dll

Filesize
7KB

MD5
e9487cefc8a3f6f1b85cea6f0963b0f7

SHA1
0a1d90b07064fa9e94fee8d634a6ce25078097b9

SHA256
c8aee7d7e70fdc12da21892a7a501511f34a38003320c28f6ff44b7e7ca8da41

SHA512
28820a7f2073762aa6abcb48cd6df2a4c9e83a377ea71a186c35c8ebae71e1fb791fbccc09fc944faa62586bed71dd5578ddc16f4cc6ace80c34b21812bf21df

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
404KB

MD5
76de97ab8d3abed9c0a10cc59851853e

SHA1
3ee936613ca2f5487be7c3943b5ca18e62731fed

SHA256
645dfb86c9640b80a70dccdd1620f53cf71034a9987c624a44536611c44d8d39

SHA512
2cbb3d8b1773d0675ad3fde6c6697ab1f802c885049a3683f80e7c1424bdca3c2ccc298c7050d596d9846844df48473a4bdbddd4adc148b2ce41905a1fb6952d

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
404KB

MD5
c080034a8d541e7f0c2b2b8cc71c8944

SHA1
39b3d822793f1172c65476db32a86fc8ac5e8627

SHA256
15fa499842b97cc1c0a29a97322231924dfeef032b129e75e5b3fcba0413e53c

SHA512
1948f7cb235c2301ed12a2c4d7a0dc781a29190e08d81a57734c527eedd12eeeca7134940025ff3ca51ce0ba91b86c83ba46e764e22059e64dbb9d0d5ce3bb2d

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
404KB

MD5
65da558e392c170650556f33ecc4d6a3

SHA1
cf45d07a26f9a34dd97ec87374e6feb54c88644e

SHA256
17bb97994310ad82c0f406d3e25cbc866c8def1603daa35e1d8918666eb440bf

SHA512
94a55967a728bbd6452b27101c621b45a5b7c51f5e7747af4fa082fb8b3a775a6e29c3ad1b08353a628da8c9eb580644a8a184a3dc29d314ef88876b597ee764

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
404KB

MD5
75a31d7742a5cc99cb13394404ee4d54

SHA1
e42f2151d7952bcc8a1fd4e862d1b85e47d7e71e

SHA256
78c70089eaa7fd07f686bff5cbec864259a9cb92a42ddfe93e757f0c2f2c7f47

SHA512
32f4ee886597a68a7dbf3f9cb4634b910b82d6b6c0e44620cf8a0c6f255f2e80d743e18947167dd23af888b64cf0c32e2271a401e68cfbf1d57264af0dcf3657

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
404KB

MD5
f95daab225493e6584cbaf89b2aeb122

SHA1
8e1e5fc5563fbc04f670029a74f34ef927b414bf

SHA256
9158e4c4821b26e3ff0dbaf8eed6722d92886645accbc24143a19cebbb3b4f45

SHA512
d9901bceaa15d3ea5b9297f91116b5ff9544e2bd5f36e436b4b3f503e779c569e4bbfafbb95edec821f14c368bc9e2587303d2372fa8229c7e298a8865b4ef62

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
404KB

MD5
e13aa18aa5c286676e53c59e7eea5b79

SHA1
2cf37d03b16e414f3533d3884e29aca9cae69b16

SHA256
f676c590d842722bf4ce1c4c2188ae83414616b1c13db193e46caf7a2682a96f

SHA512
21f63a3fe465bc930aebe131bacfe31d17d7275a228f7ce16057c8c8f5ba0e95fb462a3f588d20adb586dc41bb2c4b8da63275c54129180fbbf6691b2aca53aa

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
404KB

MD5
e1d133da0a1718a1c3e9b9f828cbca61

SHA1
72f978632848a14b0a8ce63a2175e481dbe5b191

SHA256
490e6467755954a2ce741060afecfdd27abc306fbda47ac7717ad4290118d365

SHA512
c7c2d3def96ce13ceba58bd8a56bf565a30448b61c994dc5a1b3a25f39cba46640cf8ac04e74a490d54aef5b0766cecfaf669fb36b5df6996341a23e1542757b

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
404KB

MD5
83d7907fa76846b5f32997bd88cd2366

SHA1
0bb3035880839fb04efd81b54ade636d61d97aea

SHA256
e07cb7c0b0835a78be392502f00028aa73e41aa5708f87e6331bae3be608a7e1

SHA512
866059c7c10b87aca2f76f23c01f8ccc171dd2541ce6ce30f70c0deb8c2181b0ad80cc63d102289095a6ca1cfa08f71c9a373efd33f87f96df7cb95997ae8548

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
404KB

MD5
9b0e5af09ac094f34b9f378e97893c28

SHA1
2e9ad297f4f0824582e3264ac1c695c3d5170d22

SHA256
173aace9bd1f4026d4e72877951e25b6aa8c32b4821a7ece2be60bab930c6e1e

SHA512
b91442550d54bfae7066fe0c6050ad7bab29b58287e74ccf4472f188a06f01fbf8a7963831b240982589b4c4fe77855871a258003b49f0cbf9c7ce9168e1c9d3

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
404KB

MD5
02dfefb81c61cd921143d434ad5c22b2

SHA1
9aa9b27f7ab064dcc2117cf6891f35b7ab5b3173

SHA256
17ef7fef1f026fa079f5e6b2ba571b865b742e25b57eb2c2318ecce2e46a8238

SHA512
a2823ebb1a1e0c95c1ee23c1e8b43537311523106fedbe11bf1be98f10c8541a9c81dff84cc3e7e882ca460ec9aea44f38fbd1ae8f3a429a448ed5f228b453ea

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
404KB

MD5
9cb0be0b164342c25579adb9dfb1c91d

SHA1
77f952a4f3aaed4c07b6104a70ed140228d0cb49

SHA256
6795c7b61e2ac95ad87b1adce3f598056db8d1a30db277b46338ded691ffd372

SHA512
35f79ae816c8c9c5adf8e5ed637767c03b1b587cb4f2f7a3107078acf4307ead6bbea8932cfc14b1d9500e63029df3d2b08c3f3fabde2517445c0e1b01e0fc83

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
404KB

MD5
a9456451320661dea249a1e0eed8c068

SHA1
978ddc6a429538386d6b6a85f0a67356336835fe

SHA256
fd7bb87a71d8879f3fcc8fab752c1fb252e40781c73ee811c1595c309f4e1869

SHA512
ade25e99ab288c81cf2ce3d4d11ec416f5873304ef93fafad3177aa5068a168852dee91ce0d29580ce8196dc66b7cfed49bf06414c6caef479f8d312028c3d94

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
404KB

MD5
bc9e3019b89069f6ca74730d50415932

SHA1
a5f89c64ee0b18d1f54719f98733a1d2db802580

SHA256
8cff2988daa8f99dab64f79a50553132b8cacae9d5d89e44fe3f648b2bf36c01

SHA512
03d659f04b86eae90cc9c7b677ab8fe531b124d1a5d7b77ced2932b54440828c1c41338912fe8c0a2954887e9e82df5b3b3fb0fc47997808e323d76d91021255

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
404KB

MD5
12a0ce3c784642ee56add221dcab9f57

SHA1
2bda563a74c14f6ff30f6ea48c0a4a408758ed0a

SHA256
ac19634f9f56fd514c9d174361d7fba6f4b0d5b2ebe36ab7c09741c19f4d3bff

SHA512
8ade653abc74bf48420728a7114981b3da8ae5d9b141fe15361429a7ee9bd07bbe1c08c38119580fb508106ea5ef64543cbeca41ac5553cd024e5b69d1e0a061

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
404KB

MD5
c9d00bbf10db2b9408c4350626e8abf5

SHA1
7b568ec2c8a8c2f71107c7a932e4b72cfa987db9

SHA256
bd210fbfd531fa1c584cf4acc40b5ac9f3fbeb61031ebff469d3c23ac5a1c841

SHA512
32d3db73596ab4197888869b2324b2417cd0db81518a5a4d4c30bcfc81477a6656835a61cf73c9f1c8757a6bc0b3a991793c8f3903cbea21db303bac75eac0ac

Download Submit
C:\Windows\SysWOW64\Epffbd32.exe

Filesize
404KB

MD5
d732450d61ade123c6c27c8c5ea0eb34

SHA1
2712d49c08329c7ac2849b681de0d4c1085b3452

SHA256
1b2127c1cbbf37b5301d455bf52cc1365010f3b0ca3e143fd365e14fd0e82c91

SHA512
4438c1826a1b517e244bb09fef6a179d56adcce52607019d7f317042f9b2fb330c50b2faceac9458d67d79a3381370c44772747fb6b6497610522d1fdbb0a7e1

Download Submit
memory/32-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/340-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/340-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/612-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/612-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5164-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5200-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5244-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5324-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5396-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5444-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5476-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5516-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5564-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5604-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5636-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5684-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5716-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads