823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9

Analysis

max time kernel
136s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Size

59KB
MD5

bd7d0d65161fb5c6a586c5c5ba7c1413
SHA1

3043236e15f3befc751df813328d5468e0ea894c
SHA256

823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9
SHA512

c9f407d95745ee4965874088e0f4398f6dc795d879f64b0033651e01dddfc44318f4399551d0e8236c9cb0752d0ae620764423b3ed812c3fb499eb26b27f5e04
SSDEEP

768:1l54s0wufT8gN7BU8WjbeRI8Y1A//4SMFzzetzMGZ/1H5Q5nf1fZMEBFELvkVgFa:1tY7Bi6I8Y1K4SMBWZmNCyVso

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe

Executes dropped EXE 64 IoCs

pid	Process
4472	Bdeiqgkj.exe
4844	Ckpamabg.exe
1132	Cpljehpo.exe
2020	Cgfbbb32.exe
1816	Cienon32.exe
1036	Calfpk32.exe
912	Cdjblf32.exe
976	Cgiohbfi.exe
944	Cigkdmel.exe
4156	Cancekeo.exe
4848	Cgklmacf.exe
4632	Cmedjl32.exe
3396	Cpcpfg32.exe
3548	Ccblbb32.exe
3832	Cmgqpkip.exe
3180	Cdaile32.exe
3752	Dkkaiphj.exe
3976	Dmjmekgn.exe
1744	Dphiaffa.exe
4936	Dknnoofg.exe
3084	Dahfkimd.exe
2032	Dcibca32.exe
4476	Dnngpj32.exe
1152	Ddhomdje.exe
2284	Dkbgjo32.exe
2868	Dnqcfjae.exe
3188	Ddklbd32.exe
1500	Dkedonpo.exe
4364	Dncpkjoc.exe
624	Dpalgenf.exe
2532	Ddmhhd32.exe
984	Egkddo32.exe
1088	Enemaimp.exe
1380	Edoencdm.exe
3592	Ekimjn32.exe
184	Enhifi32.exe
224	Edaaccbj.exe
692	Ekljpm32.exe
1316	Enjfli32.exe
4908	Eddnic32.exe
396	Ekngemhd.exe
1892	Eahobg32.exe
2016	Ecikjoep.exe
3728	Ejccgi32.exe
4440	Enopghee.exe
2792	Edihdb32.exe
1968	Fkcpql32.exe
4428	Famhmfkl.exe
780	Fdkdibjp.exe
3964	Fkemfl32.exe
4216	Fboecfii.exe
4736	Fdmaoahm.exe
4784	Fjjjgh32.exe
4608	Fqdbdbna.exe
3208	Fcbnpnme.exe
4940	Fkjfakng.exe
2336	Fnhbmgmk.exe
4952	Fcekfnkb.exe
2540	Fjocbhbo.exe
3104	Fnjocf32.exe
2340	Fqikob32.exe
948	Gcghkm32.exe
2880	Gnmlhf32.exe
3196	Gqkhda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egkddo32.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Hdedgjno.dll	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Enhifi32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Ddhomdje.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dkedonpo.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Labnlj32.dll	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Kminigbj.dll	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddhomdje.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Ncbigo32.dll	Ddmhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gqkhda32.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhhd32.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Ckpamabg.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5420	5308	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeqinf.dll"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4472	1376	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe	91
PID 1376 wrote to memory of 4472	1376	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe	91
PID 1376 wrote to memory of 4472	1376	823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe	91
PID 4472 wrote to memory of 4844	4472	Bdeiqgkj.exe	92
PID 4472 wrote to memory of 4844	4472	Bdeiqgkj.exe	92
PID 4472 wrote to memory of 4844	4472	Bdeiqgkj.exe	92
PID 4844 wrote to memory of 1132	4844	Ckpamabg.exe	93
PID 4844 wrote to memory of 1132	4844	Ckpamabg.exe	93
PID 4844 wrote to memory of 1132	4844	Ckpamabg.exe	93
PID 1132 wrote to memory of 2020	1132	Cpljehpo.exe	94
PID 1132 wrote to memory of 2020	1132	Cpljehpo.exe	94
PID 1132 wrote to memory of 2020	1132	Cpljehpo.exe	94
PID 2020 wrote to memory of 1816	2020	Cgfbbb32.exe	95
PID 2020 wrote to memory of 1816	2020	Cgfbbb32.exe	95
PID 2020 wrote to memory of 1816	2020	Cgfbbb32.exe	95
PID 1816 wrote to memory of 1036	1816	Cienon32.exe	96
PID 1816 wrote to memory of 1036	1816	Cienon32.exe	96
PID 1816 wrote to memory of 1036	1816	Cienon32.exe	96
PID 1036 wrote to memory of 912	1036	Calfpk32.exe	97
PID 1036 wrote to memory of 912	1036	Calfpk32.exe	97
PID 1036 wrote to memory of 912	1036	Calfpk32.exe	97
PID 912 wrote to memory of 976	912	Cdjblf32.exe	98
PID 912 wrote to memory of 976	912	Cdjblf32.exe	98
PID 912 wrote to memory of 976	912	Cdjblf32.exe	98
PID 976 wrote to memory of 944	976	Cgiohbfi.exe	100
PID 976 wrote to memory of 944	976	Cgiohbfi.exe	100
PID 976 wrote to memory of 944	976	Cgiohbfi.exe	100
PID 944 wrote to memory of 4156	944	Cigkdmel.exe	101
PID 944 wrote to memory of 4156	944	Cigkdmel.exe	101
PID 944 wrote to memory of 4156	944	Cigkdmel.exe	101
PID 4156 wrote to memory of 4848	4156	Cancekeo.exe	102
PID 4156 wrote to memory of 4848	4156	Cancekeo.exe	102
PID 4156 wrote to memory of 4848	4156	Cancekeo.exe	102
PID 4848 wrote to memory of 4632	4848	Cgklmacf.exe	103
PID 4848 wrote to memory of 4632	4848	Cgklmacf.exe	103
PID 4848 wrote to memory of 4632	4848	Cgklmacf.exe	103
PID 4632 wrote to memory of 3396	4632	Cmedjl32.exe	104
PID 4632 wrote to memory of 3396	4632	Cmedjl32.exe	104
PID 4632 wrote to memory of 3396	4632	Cmedjl32.exe	104
PID 3396 wrote to memory of 3548	3396	Cpcpfg32.exe	105
PID 3396 wrote to memory of 3548	3396	Cpcpfg32.exe	105
PID 3396 wrote to memory of 3548	3396	Cpcpfg32.exe	105
PID 3548 wrote to memory of 3832	3548	Ccblbb32.exe	106
PID 3548 wrote to memory of 3832	3548	Ccblbb32.exe	106
PID 3548 wrote to memory of 3832	3548	Ccblbb32.exe	106
PID 3832 wrote to memory of 3180	3832	Cmgqpkip.exe	107
PID 3832 wrote to memory of 3180	3832	Cmgqpkip.exe	107
PID 3832 wrote to memory of 3180	3832	Cmgqpkip.exe	107
PID 3180 wrote to memory of 3752	3180	Cdaile32.exe	109
PID 3180 wrote to memory of 3752	3180	Cdaile32.exe	109
PID 3180 wrote to memory of 3752	3180	Cdaile32.exe	109
PID 3752 wrote to memory of 3976	3752	Dkkaiphj.exe	110
PID 3752 wrote to memory of 3976	3752	Dkkaiphj.exe	110
PID 3752 wrote to memory of 3976	3752	Dkkaiphj.exe	110
PID 3976 wrote to memory of 1744	3976	Dmjmekgn.exe	111
PID 3976 wrote to memory of 1744	3976	Dmjmekgn.exe	111
PID 3976 wrote to memory of 1744	3976	Dmjmekgn.exe	111
PID 1744 wrote to memory of 4936	1744	Dphiaffa.exe	112
PID 1744 wrote to memory of 4936	1744	Dphiaffa.exe	112
PID 1744 wrote to memory of 4936	1744	Dphiaffa.exe	112
PID 4936 wrote to memory of 3084	4936	Dknnoofg.exe	113
PID 4936 wrote to memory of 3084	4936	Dknnoofg.exe	113
PID 4936 wrote to memory of 3084	4936	Dknnoofg.exe	113
PID 3084 wrote to memory of 2032	3084	Dahfkimd.exe	115

C:\Users\Admin\AppData\Local\Temp\823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe
"C:\Users\Admin\AppData\Local\Temp\823ca07a0b87b794bd828d14c83df6ca656a84c9da8c73b5768aa015e1dafdf9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\Bdeiqgkj.exe
  C:\Windows\system32\Bdeiqgkj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\Ckpamabg.exe
    C:\Windows\system32\Ckpamabg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Cpljehpo.exe
      C:\Windows\system32\Cpljehpo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        71⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 412
        72⤵
        Program crash
        
        PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5308 -ip 5308
1⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
59KB

MD5
04c6a8e972d186c33db560e9bc03cbce

SHA1
631fe22ec82303da1f2fa699c0f40adec798f28b

SHA256
0fa32e72fbf17718563cd67dfed2b0b4c6d43f3f477d9dcf0400b3445f14973f

SHA512
5b38589135f394fc9b863deade9aa1f40990f06d4b3eb72ff778bca1578933b11fbfb5c27ec29a32a00c602a5fa5bd165a03a90e119f37ad54b02c1f05e46218

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
59KB

MD5
ea605247e8b6a94b421c1a1b042bf23a

SHA1
c0ba876748cd61ad422f9d8b78bc31f8c8154d5a

SHA256
51de6a452932180915c5f316d47e967889703d3882abb0b50521856f18698af7

SHA512
dd097d5e9b31dc66641c10d50e8ae6f13a979e6c8115b2d66fda52f03b132793d029dcdd841687d417be136d049bf01a590c48c26dc50eae9a7fceaf2ce22fc9

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
59KB

MD5
deadcb970a8984a0882336027429399e

SHA1
4fc0ab5fd9b8d0fe9bbd530746bc40aa8234005f

SHA256
fe931d424732ce90798fa36ea44c5b90c4f26dc84a9d65e47f1ffcfa151c7ff9

SHA512
64d7a4c4e19f777bb56ef028ae71e2d7646a0df3ae0a609d260d00937b6908d9b58af0d5b225641dfe1c8b865c404c7fe24d4a1226ba3050ed7839bb76a0d55b

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
59KB

MD5
304bf5a19e9349ef90390e04e61c78b4

SHA1
b9e3e1b49430151a3af63a8806fc04c725ece21b

SHA256
4802cf4157585fc4a3689e9573d76c48a3c41ce63614b37a4ecc0a2e438f16dc

SHA512
061c0f2563b2ca18cc4f93ca90fd3f0d848a98aa0dc5beeaa8017605591da3ead5eea52a0e6ecb6c8cad4eed024f1d37a4d461bce281ecde63ef4ebcb790a72a

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
59KB

MD5
14f1573a783bf38f480b6f4620108447

SHA1
46a1e97248c739ac494b129f5bc3311b35e07c8e

SHA256
422a1ee8a06902dacbea661351439498b4cd898f1d3c5ac76d9d639b84e74463

SHA512
54ca0629835a912b54d23f37b46c433ecb7db67ef9ed7d6c70f182ea9898fd42341d5454c1955ca0a60a13cbe9832b14a5bc450a08f2d1abcd799ab87807764c

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
59KB

MD5
4eb43235bd0784d695c413122ae65664

SHA1
95a6aa4eef55595e4307da9832e124bc94c6acbb

SHA256
583595a909debe9366ab430e25ffdbe0cc5de87b6cfdb44da503e675491f56b2

SHA512
f29bdbc702d043aa2fe32cac8283355a0e361cb579a1f1342992f6f04b10146e6ecf2e4e0552a68ce029148b416c5be01304b0fc0afcf75b56ada8628cacb0e2

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
59KB

MD5
c5f343e933fde4f7e52da4eae5aa35a3

SHA1
9103fe6784d5e28007d069aca312e5956da40763

SHA256
c54823e5de9a0a4c536d61c864248974e39921f0ff3d1d9a3e4d375262252f1e

SHA512
13e4ae36c4efb86571ed0c4ce6c343724fd13db786c8f8209ada73dc886ad3ed4b4318c7d2e965711f2258f588475e58f26b5aa29fb0d0a642a6fad386028119

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
59KB

MD5
6802e2404514e0d0d6d81595b5bf45d1

SHA1
1fd8fed8f21c92a23723cf6397faddd6304d2f9d

SHA256
a84a63fa8a30b6fe60eab152b9417b946504562fff44e0908bfbb74ba28b7d0b

SHA512
21a80115cfe896ad86cbb7808a59a2c55417ffc5f359f54e2e4dc33d49cc5e1ab8145b11e18dd6f80f0245b8129cafeb306c4a4ae7ddaddc479f052fc18c9c17

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
59KB

MD5
c9c7f4c6528cae4a0d7ea83c33a84aae

SHA1
8a2c2c5f4a1e10f25ffa99ccf7eec67b7de0fc3a

SHA256
e84da97f65ce6c6a7c426e5b782adeed319eacab570b2ef6a3d0ba9bba348ab8

SHA512
9a4058830b2914bbafec78e65e9945b2d15a480ced537f3ec7c8273b4303233518ac9fcce8cdf955ec9712c403111f461dc8ce87d139924af0d460c25e8ac1a3

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
59KB

MD5
87899b12ff92e41c53d124cda22205ab

SHA1
d328868fee2d617891bb8cb13f121a30f4f52b0a

SHA256
7558d3186448b2181f9b9b898192c63960fceccfe7f0c3227d109c7ad4fe61ef

SHA512
c2d0fb03e57bece2611cbe72b9bedbcaf4cf19c0616aebf08b0c78e568df62ef54bb713323bccd2847c16dfacbcc3d32783abd937e7eb559a1cb8dc7ab77106b

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
59KB

MD5
c58c52f9b2407b9fd1fa2ba6c395c577

SHA1
385a183c82abafe3d09ea61d1ea64d17a3fcfdd9

SHA256
8e5d987de3f3c91989677b7910da7ae853d83516375f36a801b2609e9ce9e73a

SHA512
e0a4372c41633aef6bbf3d40476cddb0bbd8d123129aa9b010c160e57bfcadf5b4437f4a47b9a38721f383110119239956fb14664319e99a96fdb65fe58590f4

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
59KB

MD5
60c7aabc9c476994f1a89cfd94845491

SHA1
0cfc2bc72bdc7bb603acd683f8e2228fcbffa9fa

SHA256
8c2415f1d513529dc30707ddcda12ef7c46e8687402e007d8be5cc8dd5499bc0

SHA512
0626926390e75d67c4f318088d1748b500c752af713a3459be14f77bb556c356c7f0882b97996215ce3599c7231765f320cc2fffe438f7fac3749ff686efc222

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
59KB

MD5
b662e74bda038ccff17877686fd60b5c

SHA1
94fc03272cd64c3f85f83469c52a6c8880abe706

SHA256
c1d87a3e661b84ec0623e94be08b79fe0b560267c560067ea00c0a70dac1faab

SHA512
bbf559305f294bb7cb9be5f631007157d3456f5016a02f2a4c0817ab6f62f639492d40e3856a101d9d6eb5e3a7e31c9676bbf0a77fd1c20345be3874fab4ddc7

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
59KB

MD5
3b14ea977385ccda4696f02f19b33195

SHA1
8a989eae284dc441714afcd9f72aa97f10a3fa16

SHA256
4fceacd89a221f0adae8cce61a19236c2126a260d4bd4a8d8ce72e587d86babd

SHA512
0a46b64e2261301a5b299e1ca57c5ca3fdd30bd3313a6c4d98fb450bc9e1faa27a4c5196656abbd3615f6cc00839b94b517e6bc85adb46f06f6ac9d3feff8eec

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
59KB

MD5
3c408c39fa4a8cce179a841395e45f9b

SHA1
69af3d2fbe0d38ef309d74c28df18d1e37f1e37e

SHA256
cf73d3152f46793f33dde273e94b07d2544073ddce1c667214dcc5054bd7cf02

SHA512
dbbdca116adcddddbe6ba10e8b4db8c8dd854968adbe4961b9d9ccf3db274ec837616fdcf4aa80e224d0d029b6e1021b32c00864bc8d1754b3ce635a5c4a3099

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
59KB

MD5
9a357446b1f2222beb26475465496191

SHA1
4b3ea76eda6ce68015d2a1ac48e9a13e1ccf8205

SHA256
55fcec89537dd27e9f96cf457364b936cb4453d7a91864b817e1c2f59b1f0df0

SHA512
38feb54d2f6db2e2d5a06c62c093f16f652ec86840b4d5d693f4584bcfac80c8b1e4095cdde4c95f20231c1fb380102a7c61239281a6ce5e333621f12b21d7a7

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
59KB

MD5
c5083de8a90e6f96ac0d47c01880a013

SHA1
9ed85046acb22c3d3fad42c926a25622e941ef87

SHA256
2cd4a951d471fe8bb08cad4069790b369ed03039bb2f26b2e7492caf313c2574

SHA512
9235c41c1bf2f9ebc97bfdda556de9d54487c2f8b0860561a0a534528b8719c5c937faccaad2511646e1fdf3d9c90f60f640ba278609254dbb6a67aaaebf3502

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
59KB

MD5
7c1f4e70bfa94df1059616f265200060

SHA1
6dbe38777f9479b8a765476d89ab2277abb91398

SHA256
6700403a12aee93cfb4dd685b7848d80a9a1d1052869871e6093d09f9da8e9a7

SHA512
e033a4864084e862526704e95155dae242487c6d1c6a7206daa5bb0dcef6d2bd505d62f577efb0549f698d23a76c1b1d7d2ffa023d5eeb86aa976a420d27fbaa

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
59KB

MD5
849ce4121eb8db6159f9840b14c08aa1

SHA1
704f539ce4be304a522269c44546e9bf6558c96a

SHA256
9562ae3d7bbfe0e9c1262d60a1f4a57363b6ffe8e1ea34ed87bebc5323a48f7c

SHA512
922cfa3e8ddb718ce979c80ad0800f293c3c6997f612359570b021186fb86e4168944a205a3e9d172c77ced91d8c8b4e2d05b91b50f3fbd1df5d1ed1e975a883

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
59KB

MD5
648990830c656c31f93e520d0f9766f0

SHA1
3e9c080b5b486cdf43f4bd68b31e5443b694f87a

SHA256
f391ceb9d54f35aa3af8cd7dd9fef9770def5bd149508342cf6b6a9395e54287

SHA512
a0fa4db4113eca5631fbeced9e2b6e5e798797d986493619bf9e8d660c700ae65307465055f5da6164af9e9bec731cdad577f26d746659fc0896e6dbc85f1ee5

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
59KB

MD5
f8d1aa1f8114ddb727ff915a07f621a8

SHA1
91c4457ddb45aae1d0bcd37ea18273914163f430

SHA256
b0b22b64a45b731b6cd469428496b519374b85812837e106ccac8561f2704514

SHA512
d75ca25d238df94e1020ceef7c27ba4cdecd02ebd3d55d7c8a555c3158607f51c843587fdc01ef5519a90aafef5f91194101a574298e86911ad0ec8dcc1903b9

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
59KB

MD5
14eb5144d42ba4827b5b82a878585949

SHA1
c8cbe6c5b1d4e3c47b5f4546c32bb4f6f4ce267d

SHA256
884eb983f0a56d1a43f0da943ea3fb68fca7b4e9b9b48be55730d9b800874f24

SHA512
ad7e539e5f52c58ee03f9e14ea6c339150a17c29a431ec58edf5b8151aadb375476ef2d34d88063cff10d28ce65e464111f05d86973687903762d7bf74324827

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
59KB

MD5
9b792007a676db980273e6f93dbd0c48

SHA1
1a20dbe8d859b528a37f8483db37f8e476821dbd

SHA256
e3e3a73228cf67d258367043f29d34ad59853138d0b0d880748f3b6eb51ebf62

SHA512
77138f6f6ca3c7009a4e88f5aed6797a16b32f3e35537fdefb486c5574b439ed0133557c829585b4f5cfa83b8ceff08d3913508d9f98cffb1efa540e151ec13e

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
59KB

MD5
6c68b579710c8482e1735aafd36d4d53

SHA1
3ce39fd75c71bd5d613bb96b059509d97d1dfd4b

SHA256
7c8feb951d86d0b780adf50f8cb884a17970f19ab758fd5199684af9496326d9

SHA512
ed0a662ea37ab4fb2c01776b514bd890d7f164a5103d045f06c2362e4243637eafe427b2a6bc2f760da3a574e303f7cd7a39d5c8698903d2718f175914e1769b

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
59KB

MD5
b9d43543590824e18814021604207115

SHA1
f7989f5c02cb68df2cf687c1af0ce5061115a4a0

SHA256
d782b64f68a87991f8b63f2f91ea6a0462a907bea3d458068bce2ad03447ef22

SHA512
85c903a4fc04bb5ec45a018c66d7ad579ba7c3cf44910b71ce82ffe3a1fd49e8f3c6c7859060ec7a645ca1c343c70bbf02105bc533bcb4c1749b08631b371c83

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
59KB

MD5
2e383b87a97758032b9501892936f3d9

SHA1
5d0e4552796c3a3cde945baa514d2171febe010d

SHA256
8b31af758b6ed87dea37ceec3e5af2479e217a7dcd40ea484dcf27fdff159f6e

SHA512
760c10579492ca0dfcae30c593a5755a193f2fb03df7404f2baef4910f58ac57a961718d403215270be6bb2387b835242587fa22d8bd8346885047fd2d5a5662

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
59KB

MD5
8262b467ff6ef821012c0fa9409d7e75

SHA1
ff3f98efe752ed0bdc99507d615c48b95eb7c714

SHA256
cba8c6d4ddc90ac60d4445ff4ff9a73b4e9d0c182de489f6a6b1840955681edc

SHA512
8de96a60971af338b9aca62a0b76306bf5dde162427d6e4006f0bb8639a0a27bc26ef7bb93ad3e32f190c8f9d0b3eb7100cc518992da5b665ced676276a10572

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
59KB

MD5
224926b0b3c732df6094283a84845519

SHA1
3ea4889491a96a5e11ed56913daab270f95784ad

SHA256
a4e11382ebf91d5bbf8dd8a5b6698ff8827d8f50249579f442377861b8d1be37

SHA512
06fe9f7c744cdf31531943bcf2f13b3f265d63a042d1ec0b344472dd27b7ec332cdba16a47abe5457cd9a17bf4e9d46678971569f4fb9cb4db94f940effc6725

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
59KB

MD5
9725d9039bc44d20d89b7f7b6f67ce3c

SHA1
6fc2b68b129e3e7cca0b528ce0a3aa6c97f3898a

SHA256
eabbc39561392d5049f60cb0353a01a97579a739e69938ec035420e417503dbe

SHA512
c53fd72ec15f6ce6dbcb6f682f0e1ae7a668063ba5e2e33310865ae955991520c4a600dc55b15f818076ebeb3860c0b102171cc7afc990f610f2f4b5d1cfee6f

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
59KB

MD5
74b593d33fbb2353eb132c59955f01d6

SHA1
5cd71df93d9d1f724fa398c41b23a6917aeed893

SHA256
20ee058adaab3b0287d621b1cb23b79a4f98573f737390e60e6c19ad4cdda598

SHA512
ab4cdb179fb3b63e71a85ecc1a5692ca896efb90361e2f7e7789373918cc9d08b7269905341e685ac49c80fb2430a4d9550059597b1222f79e00d3a85501d416

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
59KB

MD5
2e9dd671783163b2926ee01b040b2450

SHA1
dbfcf7311641e35f9f3c00caa744e691271f7fd8

SHA256
087d9d6a98940041749e7fba3eb05857a9fcb29ba7f7fc6488b42f5788021c39

SHA512
3b6685c9e06fea2803c07df2d3fcc1b9307f1f28995f5dfc193c4717d0b57d760732763bea3ce35dc72bd3ad1c9fcc482d555a945f3d1cbc1f0749aa92df4402

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
59KB

MD5
dfd95f3563a1e0c07b1dced8d32c2ba0

SHA1
b6786e1e62e61b3b71c2592872c5f666d64d5a44

SHA256
f562a7bbe23bef346aaa90c44459afd5b3589b2434aa7893f7d50d46560ca446

SHA512
a13216f01aa087c4adfd7bf1332964e003c63eda24733cfa462dfe3b584a73feec3609c80b96b9ff115f56c17200e31385ffb8d24aaebe0a7e156c757e61a64a

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
59KB

MD5
8d69afc03503de95b536d6e731fc6fd2

SHA1
2199da39ed6180846a49297acbcfeae0e81c5f1a

SHA256
ad6adf7ffb966452a9766b87de5bddecf72fca752730580e08cb30d9fdd80ee6

SHA512
88f9253509b72ea0dd266fdfad7c9cb8642a31136eecfd46b860e92ef0ef6a8864f85b806e9f01019603da4c9360493ef45c86ae59352ef7d42934c216c26735

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
59KB

MD5
a863538923b8d9bf98614bfbc8050530

SHA1
f4d8775b2742ca3e981dd2d8d1e61dc2b1fbcb02

SHA256
72a1ede6f9557cefa83cffc016a6cdb921f5a15adb36a906b5022c4007624e09

SHA512
2c37afc61c80fe4c1bbc93ab2fc5d4534cffa420d4f2603acb989bf98acce5f68be9bb0603899af5f4ed2f61c2094b9d1bf231b541c2a72d9349352cdbe0e846

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
59KB

MD5
a9f5ead4a958e60cde2448c2220528ac

SHA1
e59524104f668c79f7e6b413944e44cb45f21b31

SHA256
28509d8e415ef262ba3f1647595fb6c4df4cca0c19298ad25c51e7d09259c34a

SHA512
ba61436cc08e23a83b7efdaa3764941289c50818d9afaf82c4b2bf2dd34fba5ee1d37f8e0013a7cffc26e09448e518eb444d20855d80bc46c08a4eda7b98e13c

Download Submit
memory/184-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/396-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/624-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/692-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-505-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/844-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/844-490-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/912-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/948-492-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/948-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/984-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1036-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1088-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1132-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1152-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1376-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1380-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1500-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1744-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1816-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1968-507-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1968-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2016-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2020-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-497-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-493-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2532-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-495-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-508-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2868-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-494-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3188-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3196-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-499-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3396-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3592-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3752-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3832-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3964-504-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3964-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3976-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4156-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4364-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4428-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4428-506-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-509-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4472-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4476-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-500-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4632-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4736-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4736-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4844-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4848-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4908-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4936-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-498-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-404-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4952-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4952-496-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5140-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5140-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5180-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5180-488-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5228-487-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5228-472-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5268-486-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5268-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5308-484-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5308-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads