df9a0e93da3b7ab1b8c03d3918744a70b0baf54ea9c413f70a75b322695cb4ff

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf83e1e47b6117f33fcf23455cfb9390N.exe
Size

55KB
MD5

cf83e1e47b6117f33fcf23455cfb9390
SHA1

939c8bb537a7b10546996d2a620cd0657960aca3
SHA256

df9a0e93da3b7ab1b8c03d3918744a70b0baf54ea9c413f70a75b322695cb4ff
SHA512

68ba0af6eb9f26b09f87791c31bdbc298d0bef00ce696ac0344c31558b21fe9998c1cf65330e1349706adb185ac3922ad5e007f1b1c775dec4f993596edd989d
SSDEEP

1536:21v+bG4g0Hv83VCnsk/kmgp3YobXiO6DxhauR5FNSoNSd0A3shxD6:21G1Hv83VCnsk/kmmYobXibN5FNXNW0x

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnajocq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cf83e1e47b6117f33fcf23455cfb9390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	Bgdemb32.exe
1928	Cajjjk32.exe
2284	Cdhffg32.exe
1964	Cgfbbb32.exe
820	Calfpk32.exe
840	Cdjblf32.exe
948	Ckdkhq32.exe
752	Cancekeo.exe
1016	Cdmoafdb.exe
1532	Ciihjmcj.exe
1820	Caqpkjcl.exe
1988	Cdolgfbp.exe
548	Ckidcpjl.exe
3548	Cmgqpkip.exe
1208	Cdaile32.exe
4852	Dkkaiphj.exe
1316	Dmjmekgn.exe
2292	Ddcebe32.exe
1380	Dcffnbee.exe
4256	Dknnoofg.exe
2924	Dnljkk32.exe
3088	Dcibca32.exe
4124	Dickplko.exe
4416	Ddhomdje.exe
3960	Dkbgjo32.exe
396	Dpopbepi.exe
4856	Dgihop32.exe
3376	Dncpkjoc.exe
4376	Ddmhhd32.exe
4848	Ekgqennl.exe
1580	Epdime32.exe
2792	Egnajocq.exe
3224	Ejlnfjbd.exe
1968	Eaceghcg.exe
3752	Egpnooan.exe
4108	Enjfli32.exe
1092	Ephbhd32.exe
4868	Egbken32.exe
452	Ejagaj32.exe
4652	Eahobg32.exe
2100	Ecikjoep.exe
1808	Ejccgi32.exe
976	Enopghee.exe
1864	Edihdb32.exe
4324	Fkcpql32.exe
2800	Fjeplijj.exe
2104	Famhmfkl.exe
4448	Fcneeo32.exe
4012	Fkemfl32.exe
4104	Fqbeoc32.exe
2960	Fglnkm32.exe
208	Fbaahf32.exe
1500	Fgnjqm32.exe
1612	Fnhbmgmk.exe
4496	Fdbkja32.exe
184	Fklcgk32.exe
3600	Fbfkceca.exe
1744	Gcghkm32.exe
4784	Gjaphgpl.exe
1948	Gqkhda32.exe
2984	Gdgdeppb.exe
2208	Gkalbj32.exe
1692	Gjcmngnj.exe
2948	Gbkdod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Pqgpcnpb.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Gnaecedp.exe	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Gkalbj32.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ekgqennl.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Ddhomdje.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Egnajocq.exe	Epdime32.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File opened for modification	C:\Windows\SysWOW64\Eaceghcg.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkdod32.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Ddmhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Ddhomdje.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gnaecedp.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gbkdod32.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5336	5236	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf83e1e47b6117f33fcf23455cfb9390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gggmgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cf83e1e47b6117f33fcf23455cfb9390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cf83e1e47b6117f33fcf23455cfb9390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfahb32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cf83e1e47b6117f33fcf23455cfb9390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cf83e1e47b6117f33fcf23455cfb9390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cf83e1e47b6117f33fcf23455cfb9390N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2088	2200	cf83e1e47b6117f33fcf23455cfb9390N.exe	91
PID 2200 wrote to memory of 2088	2200	cf83e1e47b6117f33fcf23455cfb9390N.exe	91
PID 2200 wrote to memory of 2088	2200	cf83e1e47b6117f33fcf23455cfb9390N.exe	91
PID 2088 wrote to memory of 1928	2088	Bgdemb32.exe	92
PID 2088 wrote to memory of 1928	2088	Bgdemb32.exe	92
PID 2088 wrote to memory of 1928	2088	Bgdemb32.exe	92
PID 1928 wrote to memory of 2284	1928	Cajjjk32.exe	93
PID 1928 wrote to memory of 2284	1928	Cajjjk32.exe	93
PID 1928 wrote to memory of 2284	1928	Cajjjk32.exe	93
PID 2284 wrote to memory of 1964	2284	Cdhffg32.exe	94
PID 2284 wrote to memory of 1964	2284	Cdhffg32.exe	94
PID 2284 wrote to memory of 1964	2284	Cdhffg32.exe	94
PID 1964 wrote to memory of 820	1964	Cgfbbb32.exe	95
PID 1964 wrote to memory of 820	1964	Cgfbbb32.exe	95
PID 1964 wrote to memory of 820	1964	Cgfbbb32.exe	95
PID 820 wrote to memory of 840	820	Calfpk32.exe	96
PID 820 wrote to memory of 840	820	Calfpk32.exe	96
PID 820 wrote to memory of 840	820	Calfpk32.exe	96
PID 840 wrote to memory of 948	840	Cdjblf32.exe	97
PID 840 wrote to memory of 948	840	Cdjblf32.exe	97
PID 840 wrote to memory of 948	840	Cdjblf32.exe	97
PID 948 wrote to memory of 752	948	Ckdkhq32.exe	98
PID 948 wrote to memory of 752	948	Ckdkhq32.exe	98
PID 948 wrote to memory of 752	948	Ckdkhq32.exe	98
PID 752 wrote to memory of 1016	752	Cancekeo.exe	99
PID 752 wrote to memory of 1016	752	Cancekeo.exe	99
PID 752 wrote to memory of 1016	752	Cancekeo.exe	99
PID 1016 wrote to memory of 1532	1016	Cdmoafdb.exe	100
PID 1016 wrote to memory of 1532	1016	Cdmoafdb.exe	100
PID 1016 wrote to memory of 1532	1016	Cdmoafdb.exe	100
PID 1532 wrote to memory of 1820	1532	Ciihjmcj.exe	101
PID 1532 wrote to memory of 1820	1532	Ciihjmcj.exe	101
PID 1532 wrote to memory of 1820	1532	Ciihjmcj.exe	101
PID 1820 wrote to memory of 1988	1820	Caqpkjcl.exe	102
PID 1820 wrote to memory of 1988	1820	Caqpkjcl.exe	102
PID 1820 wrote to memory of 1988	1820	Caqpkjcl.exe	102
PID 1988 wrote to memory of 548	1988	Cdolgfbp.exe	103
PID 1988 wrote to memory of 548	1988	Cdolgfbp.exe	103
PID 1988 wrote to memory of 548	1988	Cdolgfbp.exe	103
PID 548 wrote to memory of 3548	548	Ckidcpjl.exe	104
PID 548 wrote to memory of 3548	548	Ckidcpjl.exe	104
PID 548 wrote to memory of 3548	548	Ckidcpjl.exe	104
PID 3548 wrote to memory of 1208	3548	Cmgqpkip.exe	105
PID 3548 wrote to memory of 1208	3548	Cmgqpkip.exe	105
PID 3548 wrote to memory of 1208	3548	Cmgqpkip.exe	105
PID 1208 wrote to memory of 4852	1208	Cdaile32.exe	106
PID 1208 wrote to memory of 4852	1208	Cdaile32.exe	106
PID 1208 wrote to memory of 4852	1208	Cdaile32.exe	106
PID 4852 wrote to memory of 1316	4852	Dkkaiphj.exe	107
PID 4852 wrote to memory of 1316	4852	Dkkaiphj.exe	107
PID 4852 wrote to memory of 1316	4852	Dkkaiphj.exe	107
PID 1316 wrote to memory of 2292	1316	Dmjmekgn.exe	108
PID 1316 wrote to memory of 2292	1316	Dmjmekgn.exe	108
PID 1316 wrote to memory of 2292	1316	Dmjmekgn.exe	108
PID 2292 wrote to memory of 1380	2292	Ddcebe32.exe	109
PID 2292 wrote to memory of 1380	2292	Ddcebe32.exe	109
PID 2292 wrote to memory of 1380	2292	Ddcebe32.exe	109
PID 1380 wrote to memory of 4256	1380	Dcffnbee.exe	110
PID 1380 wrote to memory of 4256	1380	Dcffnbee.exe	110
PID 1380 wrote to memory of 4256	1380	Dcffnbee.exe	110
PID 4256 wrote to memory of 2924	4256	Dknnoofg.exe	112
PID 4256 wrote to memory of 2924	4256	Dknnoofg.exe	112
PID 4256 wrote to memory of 2924	4256	Dknnoofg.exe	112
PID 2924 wrote to memory of 3088	2924	Dnljkk32.exe	113

C:\Users\Admin\AppData\Local\Temp\cf83e1e47b6117f33fcf23455cfb9390N.exe
"C:\Users\Admin\AppData\Local\Temp\cf83e1e47b6117f33fcf23455cfb9390N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\Bgdemb32.exe
  C:\Windows\system32\Bgdemb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Cajjjk32.exe
    C:\Windows\system32\Cajjjk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\Cdhffg32.exe
      C:\Windows\system32\Cdhffg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 400
        70⤵
        Program crash
        
        PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5236 -ip 5236
1⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
1⤵
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
55KB

MD5
a11ef3460baaa7978677c00fffe35cd7

SHA1
b5c3a54ec69bed61138df40297530b3c5497708e

SHA256
49f8e4d87c2ef4c9675208b82fdb4442064b32e9817a36021ffb3311c0b251c1

SHA512
18c30b11fcd6cb0b6a4cb818ef81918a203221c8db9a0564007c3f6c4c79b8fc9a5ec5d58f25b36033f5d22ef5cb4c03b876d392b68dbc3f4b5cd89745059ee0

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
55KB

MD5
723ad5d481463a97db7259c2958181d3

SHA1
8c61a1a4845c8f18febf49c22968b89d9b9271f2

SHA256
a0d7d039e2dfc27b3ba8721d40fa92aa04ff8693e81a7235e844dd596427c53d

SHA512
80d1181583eb050921bcbd5e4f6bf97d6b71ee0b6cd6e241e2143f00d88b43c34b3fa8d9d9e75e32b3a8448c1b6c55bd1d0f8e3ad9304608dc26e113e2ea3a3a

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
55KB

MD5
75382448c32fec646b59a12339597e4f

SHA1
cd0094ecfa03f1f84ea943539a61eca9d5477634

SHA256
b3777eeef312a63e8dd1540c577ad44016ecbe3d0a8224927960f691e445fe62

SHA512
d385fc86f2d0a7b6e770b874427b4ac0d331af8fa0f5d3694b68638995fb018c0fe9eaf3304b05f09deaef0c406bceb84832f1108822b8fa29d2327eddeee08a

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
55KB

MD5
dbec7b43fb0da5d76e789eefd8dd4057

SHA1
9ee5da2b62a720e6c33e331400a680d5a796fce2

SHA256
966e76591f1d4fd8e99421f36579deb76228c0ea5dff29a5d4720067eb9ff3e3

SHA512
65c5e863c849004ef3c488a44f9bd10348488db6d103780743e1eebb1d91be41210073d1c5f2a903672a9b2bdbd0547d3dd38f588fb556baed2480038a5ea1d3

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
55KB

MD5
ec623351747ba328b9a0c29b8e91682e

SHA1
d27696c4fd4eb91b61b24e4c1a96a8bb00c8a445

SHA256
55890f1de113acac8b146823da49828806e2bfb50b8506b0152b4d54ca7d023a

SHA512
0c133f489bd752c8b3bf07804e259ce62e62a1076dd2ce087391ec647857071c136e6dc3d0ee11ef2706ed1d727aef1a5b43d38c844bf68f223cfba7a99fa6d0

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
55KB

MD5
25993c126ab84e5dcfa54f6e39bf4326

SHA1
db693dd97c4ed26e9973b5d470a475227f62117d

SHA256
38f4f9b56d53aa4d13577348745203a17ad5c641d8d06679d9df0b20dc22f7c6

SHA512
861f210e68c8b6b2d9a83fdffe6dec078fa2bd3babc7ccaa63a49a29e7b10054b8a1ddbdd23b4d5535f0f6250d30c7245f2655c04dcaf9edf10e444fa015af6d

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
55KB

MD5
17b60e94e3f8ad3a9a85b15d0fa41caa

SHA1
9915b4309dd0bd1a653cc2d195b8fbf45adf18d7

SHA256
b9af39a22ef345de80541924b86da9ec23f542074914b2be0aeade5890bf0031

SHA512
e0dddb81b0912d9e14f338e37710bc1c67a5efd824361539cf89072d51da8492493f2dfc01e0156bc5141aca85412a1669697a83f884eaae5bbae0084827f7f4

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
55KB

MD5
432569d27c414f15c38d6c30436fa14c

SHA1
f058eb6e998c03e9ac605b8453a4237bb79cc5c7

SHA256
92b052397552c1a28ef52653120ee9310a75d3441db30924208768d989cfbca4

SHA512
77811a502672882884bae821a35deb26dcd03ae8d0e50949306c004ff7add7bbac15bed6d0a066160bbafd105c5ba55ee2b81e8233de42d70fa6aa481230624b

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
55KB

MD5
ccc5c447fb4473b421cf0766c574f821

SHA1
52b2bfb4982b8a932f029140506f42b72e526e52

SHA256
ebd731140c7f301b6bc382de450c209752ec4811097ad31e7d8a48539227c68c

SHA512
af4159dc7e54f7f6bcf78ec4756ec727c7dac3b99f9085c15c18609a3266882934d4bb95b942a31d0ce89c18ceecc66c2a607b3b286b5bd6cbf0134a55fbbda6

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
55KB

MD5
851e9c90fc989284e51f6bd7644c7078

SHA1
9f7bee4c560f769b59f5450835f1dc6d3e5dcdf5

SHA256
c867f759b885d014c16ef02a72a17de32e6c59120c4ff0f6787e9d35b31472fd

SHA512
f7c43860208a40e5e5dbe90c6256a0dd83a7b6ca85285d177d3bd44ff4ea5eadff0a1ddd5f4b16f0a0baf8fcd94880dc6ae6f8e4301321c3c522799bdd9e4bb5

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
55KB

MD5
37dc21910026d62e105ec780c8c6a7b9

SHA1
6ab741590e6c57448fe6b2b4cb321b90af24330a

SHA256
a65d934baa349a2a64b9e1455a6a065061beeafb10965e6bf234d770bdfd7622

SHA512
897f6787a6741150b4fa16db64fe597488c77f58ecd20c5d1a886a58d1654b23bdeae19d8429ccdf1ec0d2fec974438ce81e6100ff4298c2e9dbd393abc7bc54

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
55KB

MD5
a6e724f2f9070beef9bd0d36d3a693d8

SHA1
5c812fb5f357d2e241d64ea44f9fb6206eb67db7

SHA256
ef9c10e5cc95be086390fdc3b1cff78a071aad9a085303459689e7806e9ebb6d

SHA512
b4201221a570f406b605dcb996db7fe5417eb36c241bf499da7cf1a6296aba78c54f651df32f2de2450a82aed7731d844435d958097c7f39cd356cb02501da88

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
55KB

MD5
8bee8a0fbf2ad23047c2b80f62f40aed

SHA1
143ad19ff9a020a5139b6fc3ae753db771795691

SHA256
f4db546877c7b3272d3170b693498daf0bfbb6e22a7391449c2c5d3de9994712

SHA512
9b4bb11873df38c350497feead5d1bbc40a7ac93d0fbbffb8a03e360ff16c47bab68c134a8778d358df98d8a41c74cad9b303182413b2277820506f43ccc5cca

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
55KB

MD5
585848e395a6f05dc6bc73bd8793b4a8

SHA1
47bd8da108539236503c40a2c0fb47def2103382

SHA256
d023072ba177d154a149e6e2f124f4c55eca36fb6a224f56868bb3b193e54a66

SHA512
64b14768a315e440525152500a1f833deb6408674e0eaaefd99afbcda0bb9afe20465c89f1187b88e8c8aff03d804c31a107e5d9f18f3e199587403297a3b397

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
55KB

MD5
6ba5c94dd81a6c041d2496de197ed9c0

SHA1
bef318bdcfdc4dd85f025a17cd8e4ab5c0f01154

SHA256
028506e7cc9b00510fd19de905b0c1828c6e34f91b30c41de01f75d089aa9bfd

SHA512
30413ad57968c93274bd7286f8642a04288e30e8268ad162f8f777c4a4ad55865d6ee241d87fc4fc04c81f7faa1008d8c43e1214411781e5acb331082d7d2510

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
55KB

MD5
f9caa2f8d5dfafa8e3e142211d6824a3

SHA1
a591908d1852351d990da5d9cc1af57acf218654

SHA256
ab63aa975d3b3cb543d17db4b937f7efdcc8e72d7c108fe8e286d4140773848e

SHA512
c435543a9c88359d513f31daad7a9da1d47f0d6d6fce9dc14c32c07780f390fe5e0f47f930b7c5bd0b85670f021a2664a63cb86008debf5b989ff24f4cf89690

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
55KB

MD5
6f303ba31fce9d6ecf394e12324b67b2

SHA1
a57009fd94cbf5161218b0e00db1b1e5fc3c183e

SHA256
62cec17b4bc96a7b87d28179bf2710afba67085b334b42e8245b107e192e70fa

SHA512
444d7bba749e8eb82af6d2680ca6ce81c3696e3c4fb97baa485aae28d4d68c49e47935f96ff8e3e80ee6719a35488e906f91bea3a992b9bd84a9232be3c5df15

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
55KB

MD5
b827f87a72edc26ee21eebfdeda80103

SHA1
46bcd826d74deeaebf50ac83e16bd742e84227a2

SHA256
14a313dad9efb4dd6d1ea1649d530fdd2438f814c88205a31f1f1124c9f28aa0

SHA512
1c681ffceaf8aab2ef1ae9806e4cc95dede21eeb94934eaa5f53e5a0baba56244129005a7966badf050da0e47251c2ba026569a286dd405a1a94ba21a775e099

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
55KB

MD5
371c5f61836d54e18b838fe33508d9b7

SHA1
ef0730d6bcb3ffcea2ea440acd7e8e3f89c77495

SHA256
112eb03143fa1e07055b1fdec79be9017e69cc9cc9331b4d97b676a381a47a9d

SHA512
f51363623dcaf9d1b3ac083941a947e77ce558a3f10886993617278f4cfa6257115ac330b2a8b54dac79f5a39ce23390924dba5542b7990e0b29d038e6b0d756

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
55KB

MD5
ff287657db65d2ea66a746afacc1d1f5

SHA1
3a8e3b24908998c087bbccccb588169efdda0bac

SHA256
721791ab34bab1ca76704c1d51bb58a5e12194f0fd384acb9b4701e6f3188bd4

SHA512
8250eef4be4e58009d560ccce83a0037e414e0d8861e36da33b5c203e2f1fbd73177f4e28d9fb736b32c1354c81f07b2c8596b1f41a4e0abe541a79f8aeebf53

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
55KB

MD5
c265db97bccd8fb8a479fb6484e2c021

SHA1
06107dc8ca927f5dba42df4fabbf813f21e7f5da

SHA256
37e6652fec6eaebd06a84e2d18911af6ad191debab4823b2acc94a6fda9d3a6f

SHA512
6067c6bd36b5b2e21154c899a3104110361cdac366174c698b05b0937faf4a6b46427af70f963c5e264118c0994cc8265d940fb713a058de839159ac69b420f9

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
55KB

MD5
28d439d29d379e8d4481d8607035f21f

SHA1
c089e389a36e82b51041fca52ef5f322158f177c

SHA256
355e7f0aea835fb69a023ec78121b4846dccf509c9f7d2ead017ad6992a63a60

SHA512
7d35154d2be75ffe5210219caedd2e9063f8cab41ca23dda78be34638b410403e2509df0a164d1e61d2ee9ffff48bc850553f61fb0ddd115f366b20dd7c950ca

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
55KB

MD5
4cc6b906134043357387f06b31fa1681

SHA1
9055329d9b3e3e51e17aa7c4bf5d03862e43ead2

SHA256
61f8a02d5ddb3850932a5c0dcdf61f10a8ba8de1ae4f8a1a12599148b17976df

SHA512
1ed67c8d1fd6a3d02c0bf0284d8b327c5ea3491918f3a7c3441de38c16ce889f20838f599c5f00361ec459111f8c45dddb6ac1c934d034c6c341afec556ba617

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
55KB

MD5
cdbb1ef1d739fb5f9f9c113154719267

SHA1
aeec528b2105bb3d69dcb801b1c0c2710f3ea407

SHA256
458d6d358de73524045f6832c888eb63e2543b4c26aab027cb37d9ef1651a0b0

SHA512
27381c4fb31cdec485e1e6febc0d8310a465c3f666bd9dba06f3ac547961ece229c4719da8923264e51e03d83caeb105e7b5107e36ec3f7bb58b07c2d12c7804

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
55KB

MD5
f4997cc2222a5f05cf485090450537fe

SHA1
94ee9d10fcac6683d3b4b2e6e3f5ce7db3877079

SHA256
071601003c00ddb2d33e97cbcd274db6a6bd04d40b24f05532dffe61ec88d43e

SHA512
275290854e6fbcb0901d34489a34d9641e762a09984a8fa4baf6584abc3940a1272908cd971ef502de005ec641ffb5fe659c0a79181b1a1cab114aee4760b049

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
55KB

MD5
4c9f984e4a806991694d36625ff3959c

SHA1
69d51a1eff25004d0aa1b66ed072623b0a7d135f

SHA256
080df2f9c5fb9f42c8b6a79a5dc986529ba5170398ab1b99191c293fce423a8b

SHA512
9599dfc71eec7440c5afb0fa66af2bed1b903afd9048a130c5e10ed74349d869b5cb1b9f20a54436d4703da851613a518bf22c1568c027d0073015c5a658cf6e

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
55KB

MD5
deb0866b493eacd28e784dc8b1047297

SHA1
b6a89306aff054bbab45c5667265855e520ff010

SHA256
06d9cedd4e2afb910102551b1f72e8ef5c8cebe5f91453d71d6aa36e06c5e689

SHA512
738a8b6ff9accfe23105c253a851a9bf54d0979efea66f3d3d624b0affbabe9e306eb2abe675118865c316263c28d360347d79ae93093872e4d6d8318c4e31c4

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
55KB

MD5
96f8881e7c3c21e53de0774b41c8c670

SHA1
7d535ffa5b0363da1cd3e517d24a832b4d6fb26c

SHA256
e946ef89f16551e50c41049c35b21b2f3182e52da6ad6c755f800526b2206d71

SHA512
884cd05b505831f9c219729fb4029eb95b3a62e7a393e1a79064292f09c6b38ad91be352ee1b20db46b5c380ecc194095e7fdaa582cd4ef33e7d48c5dd82b270

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
55KB

MD5
0230499317135e1578bc9c3e04d431ab

SHA1
9a568aeedef4b15f79928c707d8c4978c7bdb080

SHA256
18e6301079baf3161a396bb70969af110f72d845ce5bbe49240612e795feee77

SHA512
f35fb45276d688ccee19eab9180fc06b6e909fadb7da63a33fa1f3655937158554bed2ae98856e95432cf2623338e1977195169f5be3f1c494db6ac3dd32f8df

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
55KB

MD5
e2a70ba0e63103cab5a585d7c44044b8

SHA1
640bc57716f4ba5e8f4cb378de1c2d902cffcdb5

SHA256
cc24440bc351948b7462f00b3cf8b4d5d6125fe703e638d4b3903927fcbeef60

SHA512
883e2c379e950a26ca8a6362c0046cd165f8fef8b38c4d7b792c0231aee307a639574d599181a83745aa87e6913118726fa78f9a78bc1699822f2ce3ea254b47

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
55KB

MD5
92477b1e24733e322b6523d35c303755

SHA1
c9a265007467c0689a41a3381cce4ac51b9cc196

SHA256
91680930b1c8b3b4b385591e46327f594b1229194c669cd17322c15612dd987d

SHA512
7bb1be96ff540a39f120ee7c72a3505c046cf06b137c9a55fa3e593c3877242991968dd19c1e84565eb3ace2470398517e7785bec8363fd589a986843eac3e9a

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
55KB

MD5
c17b4124822c2de77eeecf7265023990

SHA1
0de8901224b0f428f671a79d662f26e339cda0e5

SHA256
dd552f0ee7d19ecae8277b0a5611503803817a5ede66af40d01d70d8d2969c8d

SHA512
9255b82c7e3d82ceedf9aa3b97f93d43f03aed965f3c2539307bb0f0cade05a17dacaec9213d97cd7395a2030fe4a5eedb3d72a0f21d996e2b1b42b0fef4ea64

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
55KB

MD5
328f5405b58e88af71a07ab29177f6fa

SHA1
a52a0a3a41b37c32b71415b8eced19f1e46bbf6a

SHA256
b2edf63579f040d039cbc978ac24b8b8f0d3efeaf946abc2ab81a397d8c10544

SHA512
c946f76a850ac5578684dba65c0d4d259e1d9782e317fcc7db669cc50584bd19bd8b0e24e7fc74ea01d0c3fbb5507096d49d146dfc5fc538d36967ab1ea3c6a0

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
55KB

MD5
54b6a6d9e6e81c4dae85c603295ae14d

SHA1
6d5d74307f5693e90d10016dd86bd429d8d9ecb0

SHA256
be645b59c9180076a0f0d2a88ee1e238017c04db391ee1c5c70fc0b89818b51a

SHA512
df43a02578722c4d2bf790d10ea3a2176b4643c3109437308b24d1e0bb368b6caa914387b1d133fe4492167fc9f3f5457570f3cfa0875f822f7a779ccdf8e7ad

Download Submit
memory/184-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/184-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3376-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5156-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5156-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5236-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5236-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads