8badd475badfdc9c12b702009b61d4d1244b3306ab23d88bc615a16d5ef01f81

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d87109ceb31e71207444994bc107e240N.exe
Size

64KB
MD5

d87109ceb31e71207444994bc107e240
SHA1

e14df5077480030476d2dd159d0e596166513d40
SHA256

8badd475badfdc9c12b702009b61d4d1244b3306ab23d88bc615a16d5ef01f81
SHA512

937fa84f3d4c91329ab948ed9f2a7428948ddd09a5919a1e10f79b4ec889520f198167148003d60872e6865f438e9a1ada6e8b733d9e5cd8041153d6d3700852
SSDEEP

1536:KuZ6pKLhUfx0EQ7/pyMhQQvXchNOXC7ETxvlf5ZRA5tC2:v1UfxTQVBCNOXCoxvlhZ0I2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d87109ceb31e71207444994bc107e240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe

Executes dropped EXE 64 IoCs

pid	Process
4700	Bfkbfd32.exe
4556	Bmdkcnie.exe
4980	Bbaclegm.exe
2712	Biklho32.exe
2320	Bpedeiff.exe
1460	Bkkhbb32.exe
1340	Baepolni.exe
3960	Bbfmgd32.exe
3732	Bipecnkd.exe
3584	Bdeiqgkj.exe
4392	Cibain32.exe
2400	Cbkfbcpb.exe
1056	Calfpk32.exe
2380	Ccmcgcmp.exe
5104	Cigkdmel.exe
2552	Cpacqg32.exe
748	Cgklmacf.exe
1944	Cmedjl32.exe
4520	Ccblbb32.exe
1896	Cmgqpkip.exe
3244	Cdaile32.exe
3140	Dkkaiphj.exe
5084	Dphiaffa.exe
2068	Dgbanq32.exe
1848	Dnljkk32.exe
4000	Dcibca32.exe
464	Dajbaika.exe
2296	Dggkipii.exe
2092	Dnqcfjae.exe
4284	Dcnlnaom.exe
3572	Djgdkk32.exe
3424	Dpalgenf.exe
1140	Egkddo32.exe
4796	Enemaimp.exe
3328	Edoencdm.exe
2200	Ekimjn32.exe
4396	Eaceghcg.exe
2592	Ekljpm32.exe
2772	Enjfli32.exe
4280	Eddnic32.exe
4496	Egbken32.exe
3940	Enlcahgh.exe
5020	Eqkondfl.exe
2240	Ecikjoep.exe
2428	Ekqckmfb.exe
1924	Enopghee.exe
3948	Edihdb32.exe
3952	Fggdpnkf.exe
448	Fgiaemic.exe
2628	Fncibg32.exe
1624	Fdmaoahm.exe
3928	Fkgillpj.exe
3056	Fbaahf32.exe
1540	Fgnjqm32.exe
4852	Fjmfmh32.exe
1940	Fqfojblo.exe
3832	Fdbkja32.exe
5072	Fklcgk32.exe
3024	Fbfkceca.exe
2740	Gcghkm32.exe
3512	Gjaphgpl.exe
1724	Gbhhieao.exe
3132	Gcjdam32.exe
4476	Gkalbj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dajbaika.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Enemaimp.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	d87109ceb31e71207444994bc107e240N.exe
File opened for modification	C:\Windows\SysWOW64\Bipecnkd.exe	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Ncbigo32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dajbaika.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Mbddol32.dll	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gbkdod32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Oahhgi32.dll	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Gbkdod32.exe	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dajbaika.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	Gbhhieao.exe
File opened for modification	C:\Windows\SysWOW64\Egkddo32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	Gbhhieao.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ekimjn32.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Djgdkk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5180	380	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkhbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbkdod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d87109ceb31e71207444994bc107e240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfmgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d87109ceb31e71207444994bc107e240N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d87109ceb31e71207444994bc107e240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d87109ceb31e71207444994bc107e240N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dnqcfjae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4700	536	d87109ceb31e71207444994bc107e240N.exe	92
PID 536 wrote to memory of 4700	536	d87109ceb31e71207444994bc107e240N.exe	92
PID 536 wrote to memory of 4700	536	d87109ceb31e71207444994bc107e240N.exe	92
PID 4700 wrote to memory of 4556	4700	Bfkbfd32.exe	93
PID 4700 wrote to memory of 4556	4700	Bfkbfd32.exe	93
PID 4700 wrote to memory of 4556	4700	Bfkbfd32.exe	93
PID 4556 wrote to memory of 4980	4556	Bmdkcnie.exe	94
PID 4556 wrote to memory of 4980	4556	Bmdkcnie.exe	94
PID 4556 wrote to memory of 4980	4556	Bmdkcnie.exe	94
PID 4980 wrote to memory of 2712	4980	Bbaclegm.exe	96
PID 4980 wrote to memory of 2712	4980	Bbaclegm.exe	96
PID 4980 wrote to memory of 2712	4980	Bbaclegm.exe	96
PID 2712 wrote to memory of 2320	2712	Biklho32.exe	97
PID 2712 wrote to memory of 2320	2712	Biklho32.exe	97
PID 2712 wrote to memory of 2320	2712	Biklho32.exe	97
PID 2320 wrote to memory of 1460	2320	Bpedeiff.exe	98
PID 2320 wrote to memory of 1460	2320	Bpedeiff.exe	98
PID 2320 wrote to memory of 1460	2320	Bpedeiff.exe	98
PID 1460 wrote to memory of 1340	1460	Bkkhbb32.exe	99
PID 1460 wrote to memory of 1340	1460	Bkkhbb32.exe	99
PID 1460 wrote to memory of 1340	1460	Bkkhbb32.exe	99
PID 1340 wrote to memory of 3960	1340	Baepolni.exe	100
PID 1340 wrote to memory of 3960	1340	Baepolni.exe	100
PID 1340 wrote to memory of 3960	1340	Baepolni.exe	100
PID 3960 wrote to memory of 3732	3960	Bbfmgd32.exe	101
PID 3960 wrote to memory of 3732	3960	Bbfmgd32.exe	101
PID 3960 wrote to memory of 3732	3960	Bbfmgd32.exe	101
PID 3732 wrote to memory of 3584	3732	Bipecnkd.exe	102
PID 3732 wrote to memory of 3584	3732	Bipecnkd.exe	102
PID 3732 wrote to memory of 3584	3732	Bipecnkd.exe	102
PID 3584 wrote to memory of 4392	3584	Bdeiqgkj.exe	103
PID 3584 wrote to memory of 4392	3584	Bdeiqgkj.exe	103
PID 3584 wrote to memory of 4392	3584	Bdeiqgkj.exe	103
PID 4392 wrote to memory of 2400	4392	Cibain32.exe	104
PID 4392 wrote to memory of 2400	4392	Cibain32.exe	104
PID 4392 wrote to memory of 2400	4392	Cibain32.exe	104
PID 2400 wrote to memory of 1056	2400	Cbkfbcpb.exe	105
PID 2400 wrote to memory of 1056	2400	Cbkfbcpb.exe	105
PID 2400 wrote to memory of 1056	2400	Cbkfbcpb.exe	105
PID 1056 wrote to memory of 2380	1056	Calfpk32.exe	106
PID 1056 wrote to memory of 2380	1056	Calfpk32.exe	106
PID 1056 wrote to memory of 2380	1056	Calfpk32.exe	106
PID 2380 wrote to memory of 5104	2380	Ccmcgcmp.exe	107
PID 2380 wrote to memory of 5104	2380	Ccmcgcmp.exe	107
PID 2380 wrote to memory of 5104	2380	Ccmcgcmp.exe	107
PID 5104 wrote to memory of 2552	5104	Cigkdmel.exe	108
PID 5104 wrote to memory of 2552	5104	Cigkdmel.exe	108
PID 5104 wrote to memory of 2552	5104	Cigkdmel.exe	108
PID 2552 wrote to memory of 748	2552	Cpacqg32.exe	109
PID 2552 wrote to memory of 748	2552	Cpacqg32.exe	109
PID 2552 wrote to memory of 748	2552	Cpacqg32.exe	109
PID 748 wrote to memory of 1944	748	Cgklmacf.exe	110
PID 748 wrote to memory of 1944	748	Cgklmacf.exe	110
PID 748 wrote to memory of 1944	748	Cgklmacf.exe	110
PID 1944 wrote to memory of 4520	1944	Cmedjl32.exe	111
PID 1944 wrote to memory of 4520	1944	Cmedjl32.exe	111
PID 1944 wrote to memory of 4520	1944	Cmedjl32.exe	111
PID 4520 wrote to memory of 1896	4520	Ccblbb32.exe	112
PID 4520 wrote to memory of 1896	4520	Ccblbb32.exe	112
PID 4520 wrote to memory of 1896	4520	Ccblbb32.exe	112
PID 1896 wrote to memory of 3244	1896	Cmgqpkip.exe	113
PID 1896 wrote to memory of 3244	1896	Cmgqpkip.exe	113
PID 1896 wrote to memory of 3244	1896	Cmgqpkip.exe	113
PID 3244 wrote to memory of 3140	3244	Cdaile32.exe	114

C:\Users\Admin\AppData\Local\Temp\d87109ceb31e71207444994bc107e240N.exe
"C:\Users\Admin\AppData\Local\Temp\d87109ceb31e71207444994bc107e240N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\Bfkbfd32.exe
  C:\Windows\system32\Bfkbfd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\Bmdkcnie.exe
    C:\Windows\system32\Bmdkcnie.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\Bbaclegm.exe
      C:\Windows\system32\Bbaclegm.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 404
        70⤵
        Program crash
        
        PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 380 -ip 380
1⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3676,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
1⤵
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baepolni.exe

Filesize
64KB

MD5
01306e821695f1871d64b945044d1fe8

SHA1
c2ccaf72ff224985f633ebd61471c323cb6d98a5

SHA256
8898e49cc5c388fb3cb327ee551b0d7d0c068cca64c129a71f8e3f9d96991af2

SHA512
12a2249cd55c55c713d5945b2e24038d5bd18d4fa45499c09ab2d199dad3168818aab5bb03d69ea7d3acb3aa134ef997ac21ce542cb34e7b537b071100471d58

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
64KB

MD5
01c911af546337d877f484e04c658953

SHA1
6d664872ae0ac09535aa23f43672a55d03c57cc4

SHA256
4d9c30e1b2af334cfdd823c4f9fa966abe853625aa88f5baf5359239aadee84b

SHA512
f9da879ae216b1bf61179c396aea32396b189cf1f0da803a356e8c2904839a26766ea77521b0d3bf90405738bd118d443152446f52b4ee88d18aefbc2f8cc5bf

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
64KB

MD5
8904d2b39cac6549b0c871fc36a3da47

SHA1
cdf3f4ba247a1900519677d6e6fd4e6cf360660a

SHA256
d31687b03677b415ff6e62884bfad65940a7e633142507f9076101a37ca3f603

SHA512
7ef70b846953ee16e7f45e2554e9432e9ff6329a23cfae22bb8821879a131c4d32f6d513d39f6a21227f082ce7bcc103a057b7a6dd40fe075d73ba214ff6f9ec

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
64KB

MD5
f6228455a9a8a5cef684315aa210b3fc

SHA1
c335c27c653d5135a3b1cf82acda2d9e2d51271a

SHA256
0b5dd38cb6179353cab1acced079528744d135e4512baaa615a106d001c45367

SHA512
055f355a1f790034c1d030ea42a9842495abbeae82a7b0863e25d4d0ad78d8f2bc3b9f2936bbb2d83039e60b6a413a514303971953c05a00faa04423448c24f6

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
64KB

MD5
308846f67bc6348311d3bef9896fa296

SHA1
1faf5d79d7ce36423b3c748338ce3457b6e95339

SHA256
486d7ee92aaf4b86bb7c8d616409a2cf1f26cd106a448ca3ca936ad9223af64a

SHA512
81269cf84938edfc32cf04f624c197895857f240b86b3d9288dcc35f3c9d1860928cb14362b8d45f5698b8f6b2f08a397f93c9cdcaa1f66bf765a0bf4d9630bc

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
64KB

MD5
af7ff1e1bdcb7e1c3787c2866f0c3f7a

SHA1
6d904bd2d51cf2c385eb015aa334cb2a7dc87f48

SHA256
f00a7dc394da416e822796225f8ac5c893f40e76f50497411554535dd44c9fa6

SHA512
323829cf6c36126081270385f6046d45cfe300b76c5caae4dead177c35fac9bb50ac384f28fd381908086e22a90e9caa56cf716f664726fe5ec5d7b7e1a6857f

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
64KB

MD5
e1627c88612088ddc63ecf9a7c5af32a

SHA1
14e10e66b40d9bfb996860782c35662a491d701a

SHA256
63d6b670f115b03773f0d1e90659feada875610fb9389e11971177f6c3687647

SHA512
75e1d881e1ef7740f6f7d5408a6c4febab88f68f6fad61d8f7ee8db5c974e721decf946de4018fbe1cbb92bac9543b37430bd4a4121d3363afd1d87b536c9b86

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
64KB

MD5
e340b888c5c78cbb8fa11f9948ff3797

SHA1
33e4132e53d96d525009bb599d519c02fe8e28bd

SHA256
1b136c2554ea80f17cb76ea45068361041a59196f9e68eaa677a19fef7ff8ca4

SHA512
25202bf0cabf7ffdaaf14bfd2574ab5a35e3f24204ba4fadc029dce318f1e42ce0f21eb7a2a91375c2feedcb0ea0b51f488a1ecb845d53bc687d536dc5515c88

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
64KB

MD5
5fb63ac2918f7cca72bf6f717ddb35e7

SHA1
7e9a4ddd51b11a6c89e60c826562dd25296b183d

SHA256
7d3bdaef73931384f09f1b46d52365f230b2f28e3816ca7220b849f91e44acf1

SHA512
87e0e94c7db64afeff6ee0707c23496e41e0a7e954a017f03228391c2f071d3de3199afb37ff0157da104ebf9aad376966d1d58845c2d000ab917ad3ea84437e

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
64KB

MD5
76dbed16824dff4d32676101f683649f

SHA1
c361b39a20b2e5f175c96e59933c8beb96ad0675

SHA256
5bfc70e03c3867cadb6cc3c8d20d70133f75810971ea943d568525a1a0586189

SHA512
2f4eddb4bfd59f7a41819b83c29314cfc1834fe573da41c1a0ffba488f5a018eefbcde77a70e2a7dbe05ad97e7f3866169dd95c60c11ce1e18f389ef5075ff53

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
64KB

MD5
568e14ae5329f6b9e02d33efef9e051d

SHA1
5e7e856b5d9bdfc119189751c10246daa02c24dc

SHA256
fbbd01321c8a8939cce517822866444fd034ff8473179c7a56095730f7fbdd0f

SHA512
0cb629fe7397ff20dd5a7e2c1bf245739f5415a645a72ffb044feff5d320ca50dd2e7ac0f1464dcf5a85e7752ff9957ece0df62179299503075d7333d94c8ce3

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
64KB

MD5
9c7d9e3ba83287dfb768b6db35371531

SHA1
ab8d569696488c9b527cea6a59f090a20a6d4d9f

SHA256
90ae0eb097f27ded30254ba210f2036370b215c34eea3976d6cc56380c080c36

SHA512
5ec9c085766a02c84ca3669acf803a815185ea614b861b3ab8e3b627cf00cbb5ad2aa6fa5693bff4365b6ef19132bf2d0133232e388b963fe69730b5e68c73e7

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
64KB

MD5
80703205269d36442b6eb9066ee4a97d

SHA1
3738f052fee80749fe371411679613c6a895aecb

SHA256
0518faddb1ca121d0f1cc8386bdfb8c563cc7645d12645dd7849bc1f6ce6afc1

SHA512
cf761b7db31aedcd84c7adcbca21cea6c2c3e16daba086736bebac2bc1e4677ad8bfc71230c3f00e3d634d3b1f5b036e46ef08076ea32b0f22af7ff9fabb9196

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
64KB

MD5
30d49f577665e1b1dd5fadf39f9e970f

SHA1
55752f37c2accbffed51bd0d289618a6262f0afc

SHA256
b0034adb3cfdb6e7b2633915bb5592ebbad3771901ceacd8bb8ac4c78abe5d7d

SHA512
58bfcc094e38c9ca546ad87998cf7f8a4e85d538dc364aafa8c7352f12c367ccdc97b5b565734af175765f0746651d70ac25a33afef78d169defcbb55c315257

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
64KB

MD5
0aa948966492c3e84af156206802519f

SHA1
55f21d0aeb8d17c0afc65f344708062cccfae85e

SHA256
6bdc39a783f556ad971e9d3f7381b4dcb49952bb9bac37ab69babb3077adfe0e

SHA512
f76e7c975a261545faf37f7fda6492cb892c19863d6e43fc7ee5512c1f1daaff6ba205b05d50d145a0e0665f4f494a1215602d3ded761071cb363e51175aa9b5

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
64KB

MD5
90d64a06171696345165ef21f9afa03c

SHA1
ac494aa12ef15c7b6f8ab97a444e75fe35becd83

SHA256
d25035f6e6f8af60a98e2ceaa9a5c612ee2e74c92d021b372a758ef27fe3f1af

SHA512
474eb423e3c14ace61e6443b244b39a0dbfdf77a4b0af9f6aad71c41cdb70a8b0cb95a18eeb4fbea46d4b0289233c74774e7fd3447d0710cc62f6d6a6c2862f1

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
64KB

MD5
5bcd00da97a0e9bfc1134862f4b33928

SHA1
bbf3155257979b87c618be5fb3c5f75049dea25e

SHA256
728a159a0f6d60bee1efe8dd01bf439a222d10818b11eb959d7e0a98ca9286aa

SHA512
b97f628fced93f70673d41a3363106c982a3198fd63bf3bd160d97bde348a335b850fbf3622d1d0d918084784fa2e7f27fe3b0fcf36f2dec8e73eee55e301a2f

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
64KB

MD5
4a4dbca6b1debed0df4d796570787ad9

SHA1
adc9ee2da5dd04419e7eb5d0f7542887b6f64806

SHA256
71c05d8d16b34d2934aeefa4bc98916ab160b3f5ccc7bc1d2513df84e2418b7f

SHA512
ddc0b7133ab1e021faab328d85a3c5b33f672fa6a33be1f54c2c697b65cc6650588ea84e90651946bc4e703c491f00b6c9f96ecd37bc8d63a01fc0fb8a8bf3c6

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
64KB

MD5
fee4f50dba22e0a181229cb424680fa3

SHA1
63b5fab4a1e8c72a1d6fcc53dd65a26ef080d637

SHA256
3badc7ffe81a0f761ffca3b0d760089ba3b973c55680df7456797946b36764ac

SHA512
c4b0b318e6efccabae4fab8fcf61c343c5d51d589ca4def930eaef809e961dd5cb73e5aa21d296e5b5498305eee8280a637e4888e013df4513341319fb260b8b

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
64KB

MD5
0d7166c4d8ee3825fbbfad9530d675fc

SHA1
2d3b9f586cd5c45d55471670ec06afbb966f27c2

SHA256
a4e0184e61777672de275cbe4e05a7a34fbcb49051eec01d12d7608a0fc816a6

SHA512
0827ea12b74d25745132ed81cad41aa3c7986520e995cf734fbf9b7bc692d53d2edbcfd745ef70e12539c42c69f987052010dd5876c7df7d74d80cad31349190

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
64KB

MD5
8b790452b5840ea0534aa19b733627ed

SHA1
859032c9b2b7fe5eb9a09c72a93ca98b85304d80

SHA256
3f1dbf9310efb463c7b01db4f2f3b6f22eed1107d859e9132fd40a95b47e8252

SHA512
d796acf67fe9f03b8652112bfb54e48a9a8df09c002c9b1cd1cb08085574491225bef776328c7d25fecc0986b9e663b068227686ed147cbba59b73019b52e61b

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
64KB

MD5
dcde7d1251576e9fd35c597cea083ae0

SHA1
51b5e021a9bb788a86b1805388ba193ee15f36a6

SHA256
4f7f340da17ed352fddc697a4e7651c167e3289cfcd98a6ae0619f2d0c7c0534

SHA512
a5443c429acbe8506cf6753e5c14f877effa48efc485204ce486648c6938b8489acbd168a95d2d31cee7441789e2daa15f54baeecf21df6c8a0bca72c99b6a09

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
64KB

MD5
da7bd1a2f49394f0fccb1821e238a377

SHA1
71e4b3aef716260ca4b2aff2b29553d71be71269

SHA256
bd25c4c9fcbd369ccb537b99008b2d204a8455ee0f0de2ef144fe187bb685f4e

SHA512
96f6997540b7b2562669f84ab48296cbc1155435744aaa19aa7e84fbc2ddb16ba4f7736e700be580d65dea9b80cda08871785dea84c2af3bcfac7e2155a07205

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
64KB

MD5
3133c00c1fd29cfff272f7d7f4f0cf9a

SHA1
db42f9b1653647ecd2cfe2a6a4ca95f3ba0d40dd

SHA256
2a9e29206f74c0360007b3310daf23255a4819ca82e83afcd8161f3544b2d3e6

SHA512
adf002d92e54d320adc3e85af172291d704ddafad783a101dc38c0a39dd685beeffa2342c078d6a2801ab6fb90fa8e5390ce36c39ec63efcac6b733cf394d7dd

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
64KB

MD5
8000bf2b8c66ecfecb667faed3023753

SHA1
b874ca8fba831fd41383044dffc13d79af5c3688

SHA256
e637555b20158860d1d8949282df07e7c5931d55cd7e84fe3ba8b53c2fd6e130

SHA512
eac5b14b54cacdc40f0eecbb6951588f4f88076580247f9bf78d8cb08d46f1d49f3cf4493e87f69a92b29aabe3c8afcd4d73a7a3c60196940954f43f10e4ea3d

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
64KB

MD5
0288ed41dee9f0803550f289585b86f4

SHA1
9d4164203879be96813ac7e005c7550546f163bc

SHA256
73a2a16a128e465738cd76d7ad6e0a44e231434201aacfa2514a6d8d7daf07aa

SHA512
63c94467bea97c970095cf02e39afa665b33815af4c7ffb4f2510978241b96dfe359ef568891cf3e4f9a0472c5234048b0cd86bf2ad065c755ecc0250bd2848a

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
64KB

MD5
2a4c049eb15db410d2bfad59c09ab393

SHA1
63d4b6fb12ee19ff42cb246ff9be20a23361b710

SHA256
df6080606498c3b297355699c036ae6557841d910d74d63aa0b603d072e26e4e

SHA512
31cd89284992884c6fb2b6016427b0d778f997f14baf787c45b28d975914b2b74996cdcdd8fdda9aab9c8c2135714062bb28cf764efd34d4cdc87edafb25fe16

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
64KB

MD5
8b69fb6f6ee7855b98fe8055a76e08ae

SHA1
9b0f59c22d2771f67f99405f7acdc3ad07fce948

SHA256
7793b89548b5295057979746d678c3715b11e1fd53748c7b1c1ad7bf6374e7fe

SHA512
e2bab06a507b475fae8b5f222f0079e3e3bd52c096e07ea26adaf1863fc7380f54e5bfe705c26c22e5f1f08a8cc5599bb3e8b38637b8ab38561335635b8a7190

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
64KB

MD5
73ccc0688ea473597d1e2b94cc2d3800

SHA1
211e2ca7c2ccb0243445ddcb4233fb08d1bd3ba9

SHA256
031ce0bdc3758fa347c1e17fbc4b5430697c622d7af17c0b8b1eea7ce97b7cae

SHA512
53c8a6a46a630f1c82c611135eb2f067b742d86a2cd40bb146925c40eec80aa0346bbe9faa585480bf3b5f8d2dd37cd04d889691bb6e2ab95e8eeb98cfc497e9

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
64KB

MD5
84df3a0916d28b507dd24fb8dbd41a9a

SHA1
78da6d67d23a0f4d12f0a86878563608e00f019f

SHA256
b8d404fa6ce3bbd76a4a7f7e2c99ef85436b2d7324f77fdbeb6336825497fa47

SHA512
d68204c4be99ea5f07873d3f0ecc81914d8cb90d0c48ee806bd573ffb35cb52ccf98af10371e63d217648eed1df831ef8169be649664e5f8850e26ba297402fb

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
64KB

MD5
0b5603a5ca1df0fdd4cb9c2a47d52691

SHA1
cb5a0c644e5ace31523794b4ac4f6ebf2e90a91d

SHA256
f2985501f251b382b0d32203dc1a54553cede202d5f42248458ff32c32b136fd

SHA512
1a7a0e83e95e0bc27133e090c94115b67a6695bfa1c3fa8ce08885234c3b913715be963ca8862364e4f1f160df79683f4644d2e87e670f5aa477d2c089965bae

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
64KB

MD5
5d512aba1586b956522c02ce70ec4554

SHA1
8783415130eaca4ec38c40ab6bad0591cb331426

SHA256
93bf34d31662255d2b1b1427a794fc314a56fed7c5f0f5617f7559efaa42441c

SHA512
f55e3a693d483da7a12397ffde8a892b7bc572f559f5bf2257785658444b3d2a19295273e67a9483bf219828240f3e5df34ecedee07d6764c55bfdd45109b2a1

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
64KB

MD5
f7da878410540ed0f1da53e95fc63381

SHA1
54ad9b7b53dbaabd38165e3d4a0fe1d54b50185d

SHA256
d82178b65a1be77668a36025bf4a3e800fb46488c162128579d9078d7341c126

SHA512
c3386859e0562178c48e22c0791e1ef62924c7db9c5173a47b6c198e243015d4201861112e0d5ba130d00314dcdc0c4c2d0ece3a72be4aa67360e41a57f90a78

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
64KB

MD5
6184b83cd89da4946e9bd43c39bd9a7b

SHA1
0f5d499a450954fbdd783f9c5b3abc28c4cc2dba

SHA256
241265d5ea2ff16fd30ce9a6fa9bd2248d1957743adaa8c878907bb1da842be5

SHA512
138093f27d3069b0a7aecfb1c9b7ea3f838fd5d5e0fb9b5e07f1a5cd2bbd0205c243e5b381f8fb2ae51fd64a8d05a54bcfa294f29172fa370c4b7e05fb20fea5

Download Submit
memory/380-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/748-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads