6ea2c524f7555a5f2366b1855dccba112c30c947627ee20f69e440495b8450b9

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c57acf85924ea4c4f285f901b25992b0N.exe
Size

64KB
MD5

c57acf85924ea4c4f285f901b25992b0
SHA1

02fa6e9cb450ac69ad5fbdb49dc5c22c8bb8a321
SHA256

6ea2c524f7555a5f2366b1855dccba112c30c947627ee20f69e440495b8450b9
SHA512

b7d54bab817c3065c353b4c48e55c6fb769bfb768ca0ce56a8f3eff523519a374b27131e74d50df79f469604254d91302fa5274b4e9a319faacc18dc7b4f7687
SSDEEP

1536:4+lPWOrHNlqcsgwdtEDtLX+OVGRXUwXfzwv:bPzNlq7gwdtEDtLBGFPzwv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c57acf85924ea4c4f285f901b25992b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c57acf85924ea4c4f285f901b25992b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe

Executes dropped EXE 61 IoCs

pid	Process
612	Bdeiqgkj.exe
1928	Ckpamabg.exe
4652	Cpljehpo.exe
2336	Cbkfbcpb.exe
2264	Cmpjoloh.exe
2564	Cdjblf32.exe
3188	Ckdkhq32.exe
2420	Cancekeo.exe
3900	Ccppmc32.exe
876	Cmedjl32.exe
4740	Cdolgfbp.exe
1536	Ckidcpjl.exe
3052	Cpfmlghd.exe
4852	Dgpeha32.exe
1168	Dphiaffa.exe
3752	Dgbanq32.exe
3976	Dnljkk32.exe
1744	Dcibca32.exe
3576	Dickplko.exe
4976	Dpmcmf32.exe
1808	Dckoia32.exe
4412	Dkbgjo32.exe
2088	Dalofi32.exe
3896	Ddklbd32.exe
2436	Djgdkk32.exe
3304	Dpalgenf.exe
3376	Ekgqennl.exe
3212	Enemaimp.exe
3288	Ecbeip32.exe
3484	Ekimjn32.exe
4276	Eaceghcg.exe
4864	Ecdbop32.exe
2208	Ekljpm32.exe
2532	Enjfli32.exe
4012	Eafbmgad.exe
2268	Ecgodpgb.exe
1804	Ekngemhd.exe
2228	Eahobg32.exe
3960	Edfknb32.exe
1920	Egegjn32.exe
840	Enopghee.exe
752	Eqmlccdi.exe
4364	Fggdpnkf.exe
1644	Fjeplijj.exe
3736	Famhmfkl.exe
1532	Fcneeo32.exe
2536	Fkemfl32.exe
3936	Fncibg32.exe
3196	Fboecfii.exe
2020	Fcpakn32.exe
2732	Fjjjgh32.exe
852	Fnffhgon.exe
3624	Fbaahf32.exe
2416	Fdpnda32.exe
3036	Fgnjqm32.exe
1152	Fnhbmgmk.exe
632	Fqfojblo.exe
1988	Fdbkja32.exe
3068	Fgqgfl32.exe
3740	Fnjocf32.exe
816	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Enemaimp.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	c57acf85924ea4c4f285f901b25992b0N.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dckoia32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Aolphl32.dll	Enjfli32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Dcibca32.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Dkbgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Dalofi32.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fboecfii.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Dckoia32.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	Ekngemhd.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Ckpamabg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5148	816	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c57acf85924ea4c4f285f901b25992b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c57acf85924ea4c4f285f901b25992b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 612	3176	c57acf85924ea4c4f285f901b25992b0N.exe	91
PID 3176 wrote to memory of 612	3176	c57acf85924ea4c4f285f901b25992b0N.exe	91
PID 3176 wrote to memory of 612	3176	c57acf85924ea4c4f285f901b25992b0N.exe	91
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 612 wrote to memory of 1928	612	Bdeiqgkj.exe	92
PID 1928 wrote to memory of 4652	1928	Ckpamabg.exe	93
PID 1928 wrote to memory of 4652	1928	Ckpamabg.exe	93
PID 1928 wrote to memory of 4652	1928	Ckpamabg.exe	93
PID 4652 wrote to memory of 2336	4652	Cpljehpo.exe	94
PID 4652 wrote to memory of 2336	4652	Cpljehpo.exe	94
PID 4652 wrote to memory of 2336	4652	Cpljehpo.exe	94
PID 2336 wrote to memory of 2264	2336	Cbkfbcpb.exe	95
PID 2336 wrote to memory of 2264	2336	Cbkfbcpb.exe	95
PID 2336 wrote to memory of 2264	2336	Cbkfbcpb.exe	95
PID 2264 wrote to memory of 2564	2264	Cmpjoloh.exe	96
PID 2264 wrote to memory of 2564	2264	Cmpjoloh.exe	96
PID 2264 wrote to memory of 2564	2264	Cmpjoloh.exe	96
PID 2564 wrote to memory of 3188	2564	Cdjblf32.exe	97
PID 2564 wrote to memory of 3188	2564	Cdjblf32.exe	97
PID 2564 wrote to memory of 3188	2564	Cdjblf32.exe	97
PID 3188 wrote to memory of 2420	3188	Ckdkhq32.exe	98
PID 3188 wrote to memory of 2420	3188	Ckdkhq32.exe	98
PID 3188 wrote to memory of 2420	3188	Ckdkhq32.exe	98
PID 2420 wrote to memory of 3900	2420	Cancekeo.exe	99
PID 2420 wrote to memory of 3900	2420	Cancekeo.exe	99
PID 2420 wrote to memory of 3900	2420	Cancekeo.exe	99
PID 3900 wrote to memory of 876	3900	Ccppmc32.exe	101
PID 3900 wrote to memory of 876	3900	Ccppmc32.exe	101
PID 3900 wrote to memory of 876	3900	Ccppmc32.exe	101
PID 876 wrote to memory of 4740	876	Cmedjl32.exe	102
PID 876 wrote to memory of 4740	876	Cmedjl32.exe	102
PID 876 wrote to memory of 4740	876	Cmedjl32.exe	102
PID 4740 wrote to memory of 1536	4740	Cdolgfbp.exe	103
PID 4740 wrote to memory of 1536	4740	Cdolgfbp.exe	103
PID 4740 wrote to memory of 1536	4740	Cdolgfbp.exe	103
PID 1536 wrote to memory of 3052	1536	Ckidcpjl.exe	105
PID 1536 wrote to memory of 3052	1536	Ckidcpjl.exe	105
PID 1536 wrote to memory of 3052	1536	Ckidcpjl.exe	105
PID 3052 wrote to memory of 4852	3052	Cpfmlghd.exe	106
PID 3052 wrote to memory of 4852	3052	Cpfmlghd.exe	106
PID 3052 wrote to memory of 4852	3052	Cpfmlghd.exe	106
PID 4852 wrote to memory of 1168	4852	Dgpeha32.exe	107
PID 4852 wrote to memory of 1168	4852	Dgpeha32.exe	107
PID 4852 wrote to memory of 1168	4852	Dgpeha32.exe	107
PID 1168 wrote to memory of 3752	1168	Dphiaffa.exe	108
PID 1168 wrote to memory of 3752	1168	Dphiaffa.exe	108
PID 1168 wrote to memory of 3752	1168	Dphiaffa.exe	108
PID 3752 wrote to memory of 3976	3752	Dgbanq32.exe	109
PID 3752 wrote to memory of 3976	3752	Dgbanq32.exe	109
PID 3752 wrote to memory of 3976	3752	Dgbanq32.exe	109
PID 3976 wrote to memory of 1744	3976	Dnljkk32.exe	110
PID 3976 wrote to memory of 1744	3976	Dnljkk32.exe	110
PID 3976 wrote to memory of 1744	3976	Dnljkk32.exe	110
PID 1744 wrote to memory of 3576	1744	Dcibca32.exe	112
PID 1744 wrote to memory of 3576	1744	Dcibca32.exe	112
PID 1744 wrote to memory of 3576	1744	Dcibca32.exe	112
PID 3576 wrote to memory of 4976	3576	Dickplko.exe	113
PID 3576 wrote to memory of 4976	3576	Dickplko.exe	113
PID 3576 wrote to memory of 4976	3576	Dickplko.exe	113
PID 4976 wrote to memory of 1808	4976	Dpmcmf32.exe	114
PID 4976 wrote to memory of 1808	4976	Dpmcmf32.exe	114
PID 4976 wrote to memory of 1808	4976	Dpmcmf32.exe	114
PID 1808 wrote to memory of 4412	1808	Dckoia32.exe	115

C:\Users\Admin\AppData\Local\Temp\c57acf85924ea4c4f285f901b25992b0N.exe
"C:\Users\Admin\AppData\Local\Temp\c57acf85924ea4c4f285f901b25992b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\Bdeiqgkj.exe
  C:\Windows\system32\Bdeiqgkj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\Ckpamabg.exe
    C:\Windows\system32\Ckpamabg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\Cpljehpo.exe
      C:\Windows\system32\Cpljehpo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 408
        63⤵
        Program crash
        
        PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 816 -ip 816
1⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
64KB

MD5
0bc6124d587f3f2367e474de54e5a92b

SHA1
5c5dd2a0f1ded7b8f6f2b5bab8470ba12dbd33f3

SHA256
a51f5cf6ff891a1ecf0e82c1977411cdfe9374e45271de3c31e3502ba5d054ae

SHA512
469a872ac6471eff6310e5b21d1ec595657c62023dc00dae0971d50128152ad309cdb11aa679f7520d3305d2aec8cf8a6f3d9fd7e5989846aac59affddbc08b5

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
64KB

MD5
1dfb8b4b6df161aafccfa60d084679e7

SHA1
143f7a4e3081cec6242ac258cdc7b73a2d135566

SHA256
75258eb17fa8844180332037448f79d37f59ff34ec44b969e98944aa044aa068

SHA512
13554050d8b2f24a2f2b362b29636d0377bd839abad1230969909443a4d66edc1a7c1282e2ba4d3242f0071466b4b0f8ccb9eef1715bc659e1d5c3b1fcabbfaf

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
64KB

MD5
1b52163f8e974f6257dddcc09d4d305b

SHA1
7f7d6cde4e6599beb646b041423d50c8e4e2a8b6

SHA256
3125d9eeb43046ee703bc59e7ea336a25bc779c382b29754ed32f4a7a72e5de8

SHA512
b9b35ac94d9834e909433edae29f903fe86c26b7e370284e348bda60997991b58cf253765cf2daee8c344110a920c836b7b5a56dca3ad5f4228d4f47fe25dbbf

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
64KB

MD5
6f5d9cb1e5167de4d5fb977049a7a69b

SHA1
eeb3292b617c248dd6920daecedaad61086fad54

SHA256
1274ae8cfbfccd89f6b5ebb7dd76ab95d4df6ed7e0d9063c765f83195aafa829

SHA512
00e22800c6f2fe2171857a1835119814c5451ec6206d5be502033c34ecc30a8024f8fbe178a0dfaaa4df701bed519f544f14391de05433b68e38db6de4e0ad98

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
64KB

MD5
41a5562e05e94e2a9dc4ef064a118b31

SHA1
c76d4556705c7decdc06f2c398c18a300fecd6ee

SHA256
cb6581c80f60343919e6e236e64d39c6f0edc2a325a01dfb50e11d9f85fa842c

SHA512
46a8f5067df68fd2c31ec90c6b65a51dcf9d75805edd856488ae4d448f934d6b2c3bcbf102669494941b89cd425865737a8ab879b6dec719a9f878ac26e04286

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
64KB

MD5
6b8e13d37ab1578fba9c7a871199c1da

SHA1
636e302eabfcec699f8ad88174c43881d5ca8659

SHA256
1fcda00ad93076ae1cfe91071e77e1152830f5d009f16658412bb133b655d19a

SHA512
13f06a5abe4bd7ae50f6469024534644f4fbb39a4482b5198f30294a8ec48095fb8367ed7680bd2e3c51318671901aec9adb12a8497380d30bd4eb497ee53019

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
64KB

MD5
e6b7fa36a69496d223b6cf1604e46328

SHA1
4d558c9ccb906da7185ec362b27d6c8dc9ee5717

SHA256
a28c139582e90ee392bad99982777950ceb51ec48473ab6cd3825716e4845e00

SHA512
efe3d3ca5d761d57faeed1e024e48e547215e8b1091392d4259204e7a63ab58d66e8b71191aa7a7f6d8b62b5e9b12cfebfea6beed89023b6fe1d6c9625f25fe5

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
64KB

MD5
1a4a93ea71781c3bd127b0fbf922aed1

SHA1
461f541ce450bc4ab5ed3737c882ed032e3fea39

SHA256
4efd11118895ab5d55e5895c6d68e1f616e1b3810822c9a12f1050c790d08290

SHA512
ec61e2c71ac2c11b315342b8cb85a80209d562c31f8bfbfe2b6cba962bf5f9f3a55e5c837e7603393c92d2f27adacaa76a0fe2d1bd658b8285b688913b604257

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
64KB

MD5
b1a56fc02a4b31b282ff76fcd7d6ac17

SHA1
ee8ace8d184f445d08d5c001cc73a996ab47a964

SHA256
1817f28d4baad2ea263e050bc6610d19a208b7444d3fcc82a3b00176cf7e455c

SHA512
29cf93730d6b7f1053da09d0a66ec217d8939f6c953faeeb85bf27fc146510ca38be2498839bf60d86f67d1657f91439dd1d2965427f92c65329e0d91d07d7d6

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
64KB

MD5
bc45ff6dcfa23f9c28c2d18382015cdb

SHA1
92ded2ce4a8ed6d41b9665c7fa579f12017cf4fa

SHA256
ea6067e2fc43937dc28763fb25492dbaff5f18a36cf09c1f30db29f872615f81

SHA512
f85e9560f4e4ce650e2a120b8d6822fb9ec84d3ce0683053dc87e459eb2c9daa740c242ed13bb375b2a5cb1a2c8379d21f103865ff6576c049eabdfb632e596e

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
64KB

MD5
0afea811358a102c74f746c1c6da24da

SHA1
a7f1d90e77e6630b205c2cb8cf5f89197d1f3eff

SHA256
eeead5904c0e6e82c5bbad58e25eb41166544d58c71b6a86581b18694e915531

SHA512
3f6b19926d4e29dad59e570a0ab223c8d440d3124b7eb9d790ddb20062b3fd7e051a078a2708cc7d36e63d9ece12888fc818be7bbb6cdfceeac60468f64b9f02

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
64KB

MD5
4804cd5b9ee6d46dc90844d772398c94

SHA1
806861a468e1dbfac5dfb628631c645f3c165704

SHA256
f8b973ef0a51180b251feebe196ded78cbcbf6aa6bfaa8355735a967f851cee2

SHA512
9cf432f5c43270ea4d82f3f1d7986bb4818bdd4a089f18e753805ce063477f1af6d14f2fc1486e40bd6fc7d77b1e6bba924744b60ced1bea9a58ed506da11cab

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
64KB

MD5
25b64aae0eef786e982dc97ac00f7aba

SHA1
5670be7a02ff884c6c0578e16823ae6b35433de6

SHA256
bd150cd24f6665d4e3ee285032b6ef689de6c1ad03a5339bfa9b2a5acbc78631

SHA512
24d509a2d22e4d22795b22d256874edf292fe2a01777edb021c1464b9ebdd244cf0e48a55797ffcfdd95cdc833bd5ef5e4f77b81febdc3e3dbd9278f0db6deff

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
64KB

MD5
43678abd7263de6368c7dc76dc042606

SHA1
72765357eedbb1634225269403a8479b83c04d0b

SHA256
63d5cfcfd2db2c08abe8d703ec28e7f32db63f739f77eab052b64a3845b7fc9f

SHA512
950c9d1585a8319e0a00e138b83364c8aba2ab4ef83eb36e8f15dc2b22efca9ed3e193f29936854e700921eb8a4344cf7bcda29e659e0b24728188672ea8d173

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
64KB

MD5
f6b51d98267454ce6197de2e5216b66f

SHA1
6a280a3723dbf8e12be71513a436cc3fc55feb7a

SHA256
b661e8ce133793c2544943c4fb0659a02d8b45a9066144853706cf1e6767ff46

SHA512
475595c6d314216fc95d6fa8b4059de895a7c66ce1aeaf5715801a8a2e6662643d2793634a843cfb4d40c3f7f3948d08be2661a8c46de79b2a18693744fdcf3a

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
64KB

MD5
4caba4e065d5a3d6cc4daf22b3b8c117

SHA1
9c3e5236410f1d880641e8b49bf55ac15ca652d7

SHA256
8b05e5cc89cdd67933e1d5273b7d6ee24ffa42e34d476221c8b487eb8fe5f61b

SHA512
8ddf76ba0f55c98d8803a161d648ab159466c03c43ac7bf442912c2d52b654e36c9a935a5e10b884b1c3412fbfafaf6bf85033d5ed451b6a3b6302b47f23db15

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
64KB

MD5
912ba8cba318d0c2cde910179151a1bf

SHA1
86f7e1d21b4db77af9c335285a9ee9095dfed6df

SHA256
d1b732271b939eb2d0da3e6e60d4ec490c5c45ee2b11ea02edf2a735462038ee

SHA512
19a13bf81e18ea5624c6ddf18ae71d57133693ea90f28b5446b04abe0434ecfec8f36d0f7790ce22adcbcd316c757c1e95f562ff5786e9aa91239e72dc906c0e

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
64KB

MD5
f9bf64303e85ca1c45a4fe40a9e652ab

SHA1
f8f7f633f3fb7e7bf9dac3dc8cb4b93bad66ed8a

SHA256
28d76a47bbcacd030cf80e8f1aa6f409a714c5c0f24cbcdcc4a2f3f1ad3ce319

SHA512
ce48b3605c1c450fcab806b0c57b2669edcee4d5ba587f53d0ab961b52b5a17da21bce640763f5bb3a2ae18e5eb7d576cd3a36a3a86cff59e6f7013f96745203

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
64KB

MD5
66525fee1dfbf22c75cdb9fdd88c25ff

SHA1
b2224593b042b306741b7d4f8bda252c3bef2e5a

SHA256
d0173ff487485fa86c6bf19f981915de6c9efa7869eb80336f449c067843cbc3

SHA512
36d592eb5f939e31dfc0d0184dd7d68d8296e80feb4c9589d237c3bf25e938f22a83494716c243a345496d672678eef2c4f9f7de50a0361cf5b50960dff4101b

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
64KB

MD5
b734dc50f742d39348381a2ae4b3503f

SHA1
bb5b5d7cf3b48934059a29dcec4102419fb71fe9

SHA256
3c80ec32d778c6ceb8d3dcb1da1d63e5ae3c2acb866ae75ec7e51252df65f626

SHA512
27117beedb1f81d87a9877f0ac28b09ba9d7807950f88c467933451b196d3def71ea16213a2815ca7382b1a4c2c2a86886d0a6ec3644ef36b3ebbc4799a99891

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
64KB

MD5
59f3d68151c187022064dee6e2b27d94

SHA1
fd0d498a6c17fafcab5104326f7c6662af07802d

SHA256
e942a5a8da90e65cf7fe52bcd5d4c9daf1279386cfddd0bbb3283b420ff1c14f

SHA512
81447523ed7cd22e1b60dc31b69d9913e12932ce24bb787d3b1683c693f48d358ae798ad99c524f40a3138e62ce9a4f0c6e07ce9d57e70ae902da4da9b73ba6a

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
64KB

MD5
54d262ef29afcacfe876fe78291a44b0

SHA1
2ee5a9021307fd500329f2581f2ce495a11efaf6

SHA256
5b598b22a14eb4d54dca24890aede2a339f9a567b76db56d75ae0ecc07e8e014

SHA512
8e76954713704a54820364e6c84ec3a54f43300a495ded9f8b0f36d8bb29999595304f4837783b2567937fa29ad9e34faeadf4143d2e8e4f56efec3d63ec3011

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
64KB

MD5
ed695f88b14e50de2c3d05c94fb25489

SHA1
be6c4fcda01b2ea6afef14907d0102356974d259

SHA256
402eb41411cb093be376a7e7b8dc2446364006a43b65b2201b3760b75eaaacd4

SHA512
c1fdec3f7c29f38ff645207a245b070fd38eb2e0ea0251334b1ac55adacf0011857e1b3d29c85b6ba2dfd927839ea44a3d8fc9a8f92891952e465ed8072f7fc1

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
64KB

MD5
fef6d77f0b0a6d81626bbc8556dd304e

SHA1
ee519fab94364805092fa98ff4b63c916f152b48

SHA256
e72ee532e73b62c94083e72c548d73afab097b4be8f3f9fb75f33fb04f70c12c

SHA512
7c20f557dca42906e0a21c3be06f7de37bf78219a9c99eaa46d48095ec952587e81e4e82e9b08b1535ba301533dd71726711bb2fa7127a33aa28bd4fbf4b02f8

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
64KB

MD5
f0324ffb50da779e5e56dd5eee840ca7

SHA1
441e4f7ad18f230e0a1223ff705ca2a3deee3e59

SHA256
0c076f367875a48109cfcce92dd2b9074a196587ed80fd7e8cb6b6cbbc8cd5a3

SHA512
8610bc5fd1b2793d2e2d1f0ad8382ac7291d2bab6b1e94adbacadb2c7c27267837bb13929d0b71bd50b306cc1fda9f8aec817cffe0a737f80fc7fde3b6672a89

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
64KB

MD5
20df6be9fdbb09461d37b125f82abfc0

SHA1
93db864f2fed5edd8d23e904e03ed3368611349a

SHA256
ed03c7d42eeab2d42ef6164d4eb2a059de60040c8eaa0b73788bd8a0a754e56b

SHA512
232e86cba9871ce8a00738dfbe7ca3ed9c12935620f3e5bd7f8538ac2d7a23f22acc76193972194f3219faafe636591f9c4ceb93f874f13c3487cb8986ec80c6

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
64KB

MD5
a12990bf8bee97bddad1d0df1934c03d

SHA1
5c5aaa4c8573da125185d8fa5239439943bd9ea7

SHA256
1a33a64a59953922865413c83ac7acd232a92442cc61166a0311762293651420

SHA512
e569e8878dbfe28feac57c0bb45aa2e0d78ac76fcabd792908c68c8acacb26e400b24c5317486654e8ce34f72acfdade1042eb566a9019695d6f77e3e66e60e3

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
64KB

MD5
25e14a5616c7794df1bea34a36c6d8a4

SHA1
4b2432d6f3b969a70b38505ccff10e2095ba9a32

SHA256
141b1745f4e972cbd08beca7cf2ddd8ae6d7e528022ac4233399efabb27cd27d

SHA512
73f9e352dedf89861c03f3c32c7a622ea32f3baf42192370cc2bab66b0bb29f8f3c969e0ecb035fcc948abe9814484b4c144652deb451c46ed8a65bb4a67a8ae

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
64KB

MD5
afc738683808c88eea53616fc6cb8487

SHA1
171129ef1c172e28aaf2fd572c319ebeb52bd1d6

SHA256
477e517bce8f9c573bb47fd729128ca8670bf427001b97d199c21d59129497d8

SHA512
dc2413c53179a3d31e190d2c1307ca235cfd654afe2411b382d154e71b7211dac64e4c08355321caa8757f0e0a99f16528039791c9a157c37a76cfa722b780f9

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
64KB

MD5
edcee3d270d19742328dbde5bee00b10

SHA1
026357491d51d74b0400311c701e67074615754f

SHA256
6d11dcde8510a6a4b8b33428238e9d3130a1ee93cd6cd26f1db11d6e685a170e

SHA512
97022d4c42ad9506d985c4136ef761cb4671666943ad81548fb78efa1c20960c130a075d8dce45673a32510269badaf7f1e0c3d1fd7181682a54a5089e467fad

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
64KB

MD5
05db6d24c8d781b4efc521deb8dbe8b7

SHA1
f705996c195312a603f07c531628a0c7238e8903

SHA256
83e7588d22ee6c7e2ac1a68895e4d1280462f9d6318f4d9ab1905adf0a55a90b

SHA512
500c38dcaca9241ae045bc390d14b07b20d0d6ef62f9f57ec12f0babcb02499de3c067bdb565e0dde33b1c80c672c4c1d34932af9943253894c04ae9bfe59a43

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
64KB

MD5
096a32b721e5144fa597df6447670311

SHA1
a24e3a2297ed90097abd5ff350619bb8c7862334

SHA256
89c4b2bdc503997b5dc6735926ace634ac4ac33e3116a0581bb9eb95e38ca844

SHA512
2cc8ada9c062d6d865c845c911953f79cac60901afa970a0fa74c749e41f407631082240812ae67cbb6fc0f5a830c965820afa280be495473a64635e74d0f719

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
64KB

MD5
1f691b6f5cc9dfefef18aecdad663c62

SHA1
24acd8008305bd910ec5c352932feb1aac9069c3

SHA256
e684b7eb47d7ab2ae5da04350b4b8f6b14d34f06af0fca1024d8c23bae8911cf

SHA512
03bcea207aa6f94ab9720014e833199f41b832a3dd3f65ca6add32aba7c4efb32aceddb4a0bd8dd07a4504824dfbbf4f3f02b45fb2521af6fc47e844e4935655

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
64KB

MD5
12c167934fb4e88d48bcdf68e3cd7757

SHA1
a054cd21e17fe907e02d2dcf455e76740bc09f07

SHA256
78ecc032682ccee448b8c792114e6865168280cc5c28abe4b312759bf12165f4

SHA512
b215b1bc78236fbc5ae068d7d750946905512590421f377542f4cf22f3ca83dd8ad511bcde7c144d59954ffa4421f1b0eb48216aadd90a48d8095a001f11cbef

Download Submit
memory/612-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3376-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3376-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads