9469c1d193b538f898684636a10817e7db7fdcad8c79a3d4c4f05547519b7904

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668ff49b926d67a272cf23eef187f400N.exe
Size

290KB
MD5

668ff49b926d67a272cf23eef187f400
SHA1

7c8515f8a9b913711ce28000f5a8fa36d2ba8fa8
SHA256

9469c1d193b538f898684636a10817e7db7fdcad8c79a3d4c4f05547519b7904
SHA512

24aad3abf653addc6ceb8c22dd340d0bde5ec550b0fd0e6da6137b45c0dde7335ba9d15894b3b580ce9027bf68b3f1c5249c999290e90e58f3a2aea111e8fa44
SSDEEP

6144:L16W5sH+xpCfKUmKyIxLDXXoq9FJZCUmKyIxL:Jzc+xpCi32XXf9Do3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgeihiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	668ff49b926d67a272cf23eef187f400N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjhfif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Halaloif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmoih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	668ff49b926d67a272cf23eef187f400N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibbcfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihaidhgf.exe

Executes dropped EXE 64 IoCs

pid	Process
2776	Gjhfif32.exe
2912	Gdnjfojj.exe
5072	Gnfooe32.exe
5088	Hqdkkp32.exe
3184	Hccggl32.exe
4608	Hkjohi32.exe
380	Hbdgec32.exe
2268	Hqghqpnl.exe
1352	Hnkhjdle.exe
4540	Hbfdjc32.exe
692	Heepfn32.exe
1248	Hgcmbj32.exe
532	Hkohchko.exe
3144	Hnmeodjc.exe
704	Halaloif.exe
4680	Hcjmhk32.exe
2524	Hgeihiac.exe
3176	Hjdedepg.exe
1968	Hnpaec32.exe
4824	Hbknebqi.exe
2264	Hejjanpm.exe
3536	Hghfnioq.exe
3220	Hjfbjdnd.exe
4244	Ibnjkbog.exe
2308	Ielfgmnj.exe
3020	Igjbci32.exe
3104	Indkpcdk.exe
4120	Ibpgqa32.exe
4468	Iabglnco.exe
516	Iencmm32.exe
2792	Igmoih32.exe
2984	Ijkled32.exe
1112	Infhebbh.exe
3080	Ibbcfa32.exe
3264	Iaedanal.exe
1104	Iccpniqp.exe
3700	Iholohii.exe
1308	Ilkhog32.exe
4796	Inidkb32.exe
3912	Ibdplaho.exe
1756	Iecmhlhb.exe
3332	Icfmci32.exe
2040	Ihaidhgf.exe
1084	Ijpepcfj.exe
5008	Inkaqb32.exe
3676	Iajmmm32.exe
2288	Idhiii32.exe
2356	Ihceigec.exe
556	Ijbbfc32.exe
3772	Jbijgp32.exe
1832	Jehfcl32.exe
3068	Jhfbog32.exe
5016	Jlanpfkj.exe
2420	Jnpjlajn.exe
2804	Jblflp32.exe
3972	Jejbhk32.exe
4812	Jhhodg32.exe
3444	Jjgkab32.exe
1760	Jbncbpqd.exe
3228	Jhkljfok.exe
5248	Khihld32.exe
5288	Kkgdhp32.exe
5324	Kaaldjil.exe
5376	Kdpiqehp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Hnpaec32.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Ibbcfa32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Ilkhog32.exe	Iholohii.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Ielfgmnj.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Llngbabj.exe
File created	C:\Windows\SysWOW64\Hqdkkp32.exe	Gnfooe32.exe
File created	C:\Windows\SysWOW64\Hgeihiac.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hnpaec32.exe	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Icfmci32.exe	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Edngom32.dll	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Ciddcagg.dll	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Indkpcdk.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Hnpaec32.exe	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Igmoih32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Igmoih32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Kaaldjil.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Dffdcecg.dll	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Hbfdjc32.exe	Hnkhjdle.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Ibnjkbog.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Dpchag32.dll	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Kaaldjil.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Lcmgbngb.dll	Hcjmhk32.exe
File created	C:\Windows\SysWOW64\Ibdplaho.exe	Inidkb32.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Dgmfnkfn.dll	Hgeihiac.exe
File opened for modification	C:\Windows\SysWOW64\Ibnjkbog.exe	Hjfbjdnd.exe
File opened for modification	C:\Windows\SysWOW64\Iabglnco.exe	Ibpgqa32.exe
File created	C:\Windows\SysWOW64\Hfamlaff.dll	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Jbncbpqd.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Okliqfhj.dll	Gdnjfojj.exe
File opened for modification	C:\Windows\SysWOW64\Hgcmbj32.exe	Heepfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdedepg.exe	Hgeihiac.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Hkohchko.exe	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Ilkhog32.exe	Iholohii.exe
File created	C:\Windows\SysWOW64\Ohnncn32.dll	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Hqghqpnl.exe	Hbdgec32.exe
File created	C:\Windows\SysWOW64\Pjpjea32.dll	Ibpgqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Hkjohi32.exe	Hccggl32.exe
File opened for modification	C:\Windows\SysWOW64\Iencmm32.exe	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Ihceigec.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6052	5880	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heepfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmeodjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeihiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfodgeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	668ff49b926d67a272cf23eef187f400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjhfif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjbci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqdkkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbdgec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkhjdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfmci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfamlaff.dll"	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	668ff49b926d67a272cf23eef187f400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Infhebbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	668ff49b926d67a272cf23eef187f400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjdedepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpclaedf.dll"	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpaoopf.dll"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohpjh32.dll"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obcckehh.dll"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Iholohii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnfooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojnef32.dll"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkjohi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jbncbpqd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2776	4928	668ff49b926d67a272cf23eef187f400N.exe	91
PID 4928 wrote to memory of 2776	4928	668ff49b926d67a272cf23eef187f400N.exe	91
PID 4928 wrote to memory of 2776	4928	668ff49b926d67a272cf23eef187f400N.exe	91
PID 2776 wrote to memory of 2912	2776	Gjhfif32.exe	92
PID 2776 wrote to memory of 2912	2776	Gjhfif32.exe	92
PID 2776 wrote to memory of 2912	2776	Gjhfif32.exe	92
PID 2912 wrote to memory of 5072	2912	Gdnjfojj.exe	93
PID 2912 wrote to memory of 5072	2912	Gdnjfojj.exe	93
PID 2912 wrote to memory of 5072	2912	Gdnjfojj.exe	93
PID 5072 wrote to memory of 5088	5072	Gnfooe32.exe	94
PID 5072 wrote to memory of 5088	5072	Gnfooe32.exe	94
PID 5072 wrote to memory of 5088	5072	Gnfooe32.exe	94
PID 5088 wrote to memory of 3184	5088	Hqdkkp32.exe	95
PID 5088 wrote to memory of 3184	5088	Hqdkkp32.exe	95
PID 5088 wrote to memory of 3184	5088	Hqdkkp32.exe	95
PID 3184 wrote to memory of 4608	3184	Hccggl32.exe	96
PID 3184 wrote to memory of 4608	3184	Hccggl32.exe	96
PID 3184 wrote to memory of 4608	3184	Hccggl32.exe	96
PID 4608 wrote to memory of 380	4608	Hkjohi32.exe	98
PID 4608 wrote to memory of 380	4608	Hkjohi32.exe	98
PID 4608 wrote to memory of 380	4608	Hkjohi32.exe	98
PID 380 wrote to memory of 2268	380	Hbdgec32.exe	99
PID 380 wrote to memory of 2268	380	Hbdgec32.exe	99
PID 380 wrote to memory of 2268	380	Hbdgec32.exe	99
PID 2268 wrote to memory of 1352	2268	Hqghqpnl.exe	100
PID 2268 wrote to memory of 1352	2268	Hqghqpnl.exe	100
PID 2268 wrote to memory of 1352	2268	Hqghqpnl.exe	100
PID 1352 wrote to memory of 4540	1352	Hnkhjdle.exe	101
PID 1352 wrote to memory of 4540	1352	Hnkhjdle.exe	101
PID 1352 wrote to memory of 4540	1352	Hnkhjdle.exe	101
PID 4540 wrote to memory of 692	4540	Hbfdjc32.exe	102
PID 4540 wrote to memory of 692	4540	Hbfdjc32.exe	102
PID 4540 wrote to memory of 692	4540	Hbfdjc32.exe	102
PID 692 wrote to memory of 1248	692	Heepfn32.exe	103
PID 692 wrote to memory of 1248	692	Heepfn32.exe	103
PID 692 wrote to memory of 1248	692	Heepfn32.exe	103
PID 1248 wrote to memory of 532	1248	Hgcmbj32.exe	104
PID 1248 wrote to memory of 532	1248	Hgcmbj32.exe	104
PID 1248 wrote to memory of 532	1248	Hgcmbj32.exe	104
PID 532 wrote to memory of 3144	532	Hkohchko.exe	105
PID 532 wrote to memory of 3144	532	Hkohchko.exe	105
PID 532 wrote to memory of 3144	532	Hkohchko.exe	105
PID 3144 wrote to memory of 704	3144	Hnmeodjc.exe	106
PID 3144 wrote to memory of 704	3144	Hnmeodjc.exe	106
PID 3144 wrote to memory of 704	3144	Hnmeodjc.exe	106
PID 704 wrote to memory of 4680	704	Halaloif.exe	107
PID 704 wrote to memory of 4680	704	Halaloif.exe	107
PID 704 wrote to memory of 4680	704	Halaloif.exe	107
PID 4680 wrote to memory of 2524	4680	Hcjmhk32.exe	108
PID 4680 wrote to memory of 2524	4680	Hcjmhk32.exe	108
PID 4680 wrote to memory of 2524	4680	Hcjmhk32.exe	108
PID 2524 wrote to memory of 3176	2524	Hgeihiac.exe	109
PID 2524 wrote to memory of 3176	2524	Hgeihiac.exe	109
PID 2524 wrote to memory of 3176	2524	Hgeihiac.exe	109
PID 3176 wrote to memory of 1968	3176	Hjdedepg.exe	110
PID 3176 wrote to memory of 1968	3176	Hjdedepg.exe	110
PID 3176 wrote to memory of 1968	3176	Hjdedepg.exe	110
PID 1968 wrote to memory of 4824	1968	Hnpaec32.exe	111
PID 1968 wrote to memory of 4824	1968	Hnpaec32.exe	111
PID 1968 wrote to memory of 4824	1968	Hnpaec32.exe	111
PID 4824 wrote to memory of 2264	4824	Hbknebqi.exe	112
PID 4824 wrote to memory of 2264	4824	Hbknebqi.exe	112
PID 4824 wrote to memory of 2264	4824	Hbknebqi.exe	112
PID 2264 wrote to memory of 3536	2264	Hejjanpm.exe	113

C:\Users\Admin\AppData\Local\Temp\668ff49b926d67a272cf23eef187f400N.exe
"C:\Users\Admin\AppData\Local\Temp\668ff49b926d67a272cf23eef187f400N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\Gjhfif32.exe
  C:\Windows\system32\Gjhfif32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Gdnjfojj.exe
    C:\Windows\system32\Gdnjfojj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\Gnfooe32.exe
      C:\Windows\system32\Gnfooe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        28⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        77⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 412
        78⤵
        Program crash
        
        PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5880 -ip 5880
1⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gdnjfojj.exe

Filesize
290KB

MD5
81d22a376199926faba202a6e252eec8

SHA1
ffe1f182e16d5493ed9faa29d1eb72458e3045f6

SHA256
813ef04074eae8741d7ecb4f884624fef3f652b1177b8c89545045f9f1fb4abf

SHA512
5065865ab42d439fc3418108c704d2c030a0e204d21fc7621f0923b36e497e109f2342bc2b6d4b677befdced49774b49157d93e6155b1af3be69a9857e7c31a3

Download Submit
C:\Windows\SysWOW64\Gjhfif32.exe

Filesize
290KB

MD5
ebb8dfffae9d0981fb20a8cb3d09e2e7

SHA1
6c4cfd2bbf161a0cfac124422e703146cbb8ee24

SHA256
01bfdbe08ead814568a19a790cd05d7f90ef3f5b121835a99bb726da8a8b816e

SHA512
d274ec4f0acdac670bec85df5dcb266703ebb00471cf122775e51e77837ef321fb85f4b87e5010b40033f83bb3213a8d1c41b1f5145bb704f4657269fc074c41

Download Submit
C:\Windows\SysWOW64\Gnfooe32.exe

Filesize
290KB

MD5
f1cbe5ce681143560233a4f126b19b74

SHA1
1c7a6d1be55ab8a00246bbbec363f003e884c816

SHA256
1cf31db7941f1584356b54eb02e3e0d27080dfb3731dbcf7c027c161b97d748e

SHA512
51d4f525d387463b118e0dd4744b2ed9c0076bf88d552b0237bae2a015c7100f1f34cee910a9cde9c3bdb95d873491281e4dfbde90a55af29e456914663efd56

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
290KB

MD5
22a23e8c59a5e25fd913040d0698a068

SHA1
fcb83671ad4e1ac6fe655d7fe92a9de55800147d

SHA256
8e28c7a0dbaef8bb4d92f3713e0c34513eef93a55c94491b73bd00ce7a0236b4

SHA512
59119de57481596706489d7f9baca32e0017836f9b6dc83977691e39482cffea9e1187c2c8c758e8688ffa6003cd6727f5db5c712fb77da885dcc1345960522c

Download Submit
C:\Windows\SysWOW64\Hbdgec32.exe

Filesize
290KB

MD5
ce2540b9c2f8f3ef681e9e9a221722cc

SHA1
2e8cdf6adb029836628f4960720bdc2f58f62a47

SHA256
28da19d27c82b049ed05c9be51c7b613aa632688825fa443780f7a0b5893aa44

SHA512
87f4abb93016944838ea0607b8e11f0fc00ae112920f74fd5339bf60802f5507a222a7d2d488e8263631c9eda6274850406bbafb355884b3264fef9ac6654083

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
290KB

MD5
0a208ed0f3fd9a7452aeb3d73f6b4474

SHA1
b242414bb0233b0a462ffc3ceb678ab7932ff9fb

SHA256
34198bea2b46afcc0844b749effd092e4ef95241afd01371bdc3d7fd07325993

SHA512
a9aa10b8e7979539b4a83becdb0b44e45a01cb2ba825edc48b29b53d38d8d7d0b8fcb894c94cc41581a035f281e75990624d6197199d9ba8cc4960fe90063582

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
290KB

MD5
7cafa6394db1e4348cc20b880400f987

SHA1
d5886b7f6ee6dfd4ca83ea5041fed6aa8887f338

SHA256
41412cf763d8f8827a6c7ac3e1c0ee25b019135989a7e45da1733efa2f8864ce

SHA512
16e3132007255f92fc36a5ead240d373c63a936122aa4a65681e980aed5a8f53edadf9ae1e88719c974f4d6f6a9e07f2d5e782cd4356954a7ef036a230ea0848

Download Submit
C:\Windows\SysWOW64\Hccggl32.exe

Filesize
290KB

MD5
1567b76448cf3cd5b3387d04e7c5a4f0

SHA1
c2001592c66f9afab10dc76bfc4d8fabff1866e6

SHA256
edef1d08218b020e97dc3f135c4f933d56e91387e47c03912985ec39e709d26f

SHA512
e91e4556e984672b3cd9e0d583e69bf846dbd54f52dd80a9acb2499b6c966dbddad40d68b43f4d2963d908276c0b9a975de22bb3392c5da71fb074b2121ed582

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
290KB

MD5
49189b2cdda1c8c03283809fcbf5e0cb

SHA1
e86a262f9544605317903ea49d909ec243e9b24a

SHA256
188805be98a05279ea60b2b69c91ae2ca14a638fe04b733f78f385a2ff4d4ea3

SHA512
fecad3ff387390b18418eba61f5986c9afda25d9c42757a60ac7fe4554da9c0ac03309a4f3ff5f7b30c5149a22d5963bb5dcd566046ec9305ef73612415f9db9

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
290KB

MD5
881432bf2ff7c6b9b4af4003375a419f

SHA1
3fccb0feb5af3b80ad39ea62ed2bf79bd85edbe1

SHA256
be3776125ccc309925d94f3f73eca71f1d1ed09844b3a393132f26cbe0aedfae

SHA512
43a8a1fdccc10627d0342b45cc92830455210ee4e392cd984ceed714f88c00ca69632a89c2063799e86d4181a149235949734b8621539852f30405710349a707

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
290KB

MD5
b2fcd3d71e1b944f854301b551c176ce

SHA1
c0dd441f43ee3ba8233446fa937a1ad3abb88bb8

SHA256
0ffa4dd35cefac5474cba292a376b5e2758687a7b55a081ea9129ee6ab0dbe3c

SHA512
b5f3cfb09675fd42d2237981f47fc0d4b34cc223c43e59911295680306644fbdcb5f01bd09877ae7577524adfa771740a3fe5a9190926c5a385420ad19dcd974

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
290KB

MD5
e4c2bccb3dcec3d781321212298767c0

SHA1
37af67e76fa72f6d7e869eb3b6b3976e901fcfb5

SHA256
d2f953a3c993ff959eafc0b762f9f892b291be8bdd8691634f46f5c7b5c63dde

SHA512
eac266e8aa46b0b54130b4f071634244114cbe192052617ecf88534b2960ae458c8f489a124004f4cf8a33dfb876ffb3a6c8a8eaa5e142299a56fff89290f726

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
290KB

MD5
c2260d8a1bd9208068836e50b741e902

SHA1
3f97252c0e815c57f7b592a4419c55208371d597

SHA256
5d5f4d2196963666cdaea7e3630ab05ccb3bdf26fdb714c4a566e6b90db3e799

SHA512
5bbc66fb4e51133bfc7959ff85fa13aab2f42723e92dd5abcf09713c8fc7de81945bd885ae1b205bc39f3e471facee3287afae00c2df2cd2644ee4604e5b432a

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
290KB

MD5
11ed6a151f6ede3003a11cbbf4aba2c0

SHA1
7960d52d1f9f88825ba8a87f64e623fa68e89b4b

SHA256
7f10f1b0e506015e7f4bda6ec39aef1f379e53081ca77000755f0e4c0732ec92

SHA512
8588782a19e29f247d950f6b291e30d80d94cb5f6cb8a0d8191340305056a87fce84a4227ed3ab892caaca5b56975124dbf74e5e81475fe49be435ce4eeb8533

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
290KB

MD5
6e2e988957a269b8745bb8a835e11d1a

SHA1
72553c774202eb1e210a72489ca6abd5dd53d2ac

SHA256
0d9a136499eb61caa68f42e5836596701e9e779019e2e61c7397e2c099e0194c

SHA512
d0b119eb461214759f738eba576b57c2e6046821572e5025fe68aa5e836d9b4882c94bc9bdbeb8d5baf28cd054e3164cec90c3dba7ce878fd93eb85aa5a61e53

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
290KB

MD5
cd93c068ea9d72b099431a3e112aaf23

SHA1
e944e89b7f7c50763bfcf933be430ed23edc6e4a

SHA256
699701fb3b945f96f8f8c637153d82776a64f1e1af46fbac4c83c242b1e325cb

SHA512
5689106596251294f42e1771eb3cdaa8f2accea9348c2b7cc14a4b07cbc83d733ce434fedfeee81ffdf07517ac901349efb3cfb72d8b1bf7cf560956531736a2

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
290KB

MD5
39540b0450f9d29cdb520a56c16319e3

SHA1
39e52c86294484a872ec8598160a9afaf3ee9e6c

SHA256
f3ac5d4f0592dcef933870cd8112b34b289e7803eb2071c41383812ccc6ee9b9

SHA512
0786957f524b6cf763d49bf9dc4da15c38e0d9fd748c9052b4a5b44c3fcf4a7ddf2e6ff32503333815e369df44a3a1d24a27113091f32e852d04d98e51b184cd

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
290KB

MD5
97ecaa5885f10fb874ae6ea506a425b7

SHA1
b1e7a508874a1d5a5d962c9c9edb2a38890cf569

SHA256
e537888ae7ef4f909db52299766cf4d457a51c94ec7347940a4cbf66e8bbc93c

SHA512
ac582e7a69f0393e29dddc1fc4847df79b9be797f71cbb3c212ba0906dd15bfcfad9abf139150d63a037a9c2ab3b06d3911236ab23f1fe4aa0e04365e5850d60

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
290KB

MD5
d7065f5bf2aaa35b1c55bac680c9a752

SHA1
983ac8d36a2a5190864827bd4416452b3085eeb1

SHA256
ba4bfee6914832339442298083368ed519740356d994a1f5fabc7abea4cd7b9f

SHA512
740178bb51bdce719859c40cbd59ed060fd8173463a203aee452ddaf1b33e0219786e7e31ab4c589d5bf4f31ceadde8f805f59686e0b176dc82c08add48e507a

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
290KB

MD5
fa775540dc237e2d1562ddc7e73e1231

SHA1
bfce1774455118f458dd5a1fd1623f041895c516

SHA256
94e65616749695b32e6fe205e570562056309cf717dc9414d045062c386387a3

SHA512
30e7573ff4d673a01aec811d757095aa90899e6f1173d855362e060b53c90859d22ca908d0f7bfc4f0eb11989288c315654960f7b7bf88f99943beff7a3264de

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
290KB

MD5
1aace86619343cb1ab899d518c3c12dc

SHA1
8fb060984a75e8e389ffa478d9c02327f85b7703

SHA256
d3d221443a0b0e3e46bbb691ea016c5e1bf193855072a9b0452751faf5b4d427

SHA512
9773db9b1fd3b5be14cc3fe5a7070519a3712a680fc1fddd8bb3b2d45190bdd4d41456ed43348cf70a4d54d85d24fd1d55f6f596afac586a3dddb34bff3022b7

Download Submit
C:\Windows\SysWOW64\Hqdkkp32.exe

Filesize
290KB

MD5
94458f5ccb4b2f3933a03f1f473ec63b

SHA1
4e15202f76d90b7751b2707c09d20aacd0b5dca5

SHA256
115f74bfc41435f8bdeebe07c9a5a3e21e32253498b0812a86a3c75c3817098b

SHA512
0d7934f24a8aec4f0869994e88bc358d7aff9927e8a2ad3a609ffc5244d9f313bf376781f6f32eb9294456fd1109dbaf16fb8d409102c464e6f3f7c5195cd6a3

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
290KB

MD5
cff31f7593b67ff6b852654c030f6c62

SHA1
99faa072a79d124d13f2765f884d370ba5bfdc38

SHA256
7bbdfdf1311f323faf25c6c87bdcd128eaaa6492545291a32c5f064ad7e57ace

SHA512
483422d46f7423ff953683bf14c80f785e19c7d207f1f39e7e13233293e7cbbb3c6abd7b947d2241a9a9cf23401a0a4188f59016673574c1365c965b2b9f3677

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
290KB

MD5
b30cd84690cbfaf3df5e8a93f7539edf

SHA1
53320b438c929bf76be6ca96ff4fb87a8958e144

SHA256
8f2900d55f44ee9015b0bb45f1aa3e1aecc6f4da791c42b2b3e4a2a64d7ff196

SHA512
33614a3ad9e4396331540545cf514167d7e7b782d0a95e82090b44356d1adf99026c4b36102b33552545091774425b7ea389d757049725161bdac0ff82df5186

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
290KB

MD5
6297f28155a9385b7f6197b3dc1aa926

SHA1
4ec5213e73311f640ac022f1c0da4f3a376105fe

SHA256
04c934d547edf7f34a605ad545bf49db078f3402f0a566a064b390d52741fbf0

SHA512
d8647dbc9867276ee25a65bedde102fbcf6629dbd6a8227f4af7fa29ffc52658a2c3730efdd696ac1ce744050af5d586d60d6cdf062e7012db1914a8e382fd2d

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
290KB

MD5
10d3e9776b72ac57d1234d7fd9d9faf3

SHA1
b36b2cc032f62935259e7e8aa07eb94c15d2daa0

SHA256
e30f3102d3bd649f54e3dc14036c469bf5c45d6fe8c54ca86f6c5661e52f0eeb

SHA512
3477a2e55dfbe0cfc76213c633df8e296fa6facd75930cc9a80899126cde22f668af6eb5bc2fecf6d8ea26e99279d9b93d49edba4867d7ab494583f330de03fa

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
290KB

MD5
3cea99182c1d8d1aa701abd13811738c

SHA1
517b829b48a7563064bc0eac2bfb0d02886fbc1d

SHA256
e7c912818cbce28f89c952f5431e2a3d6701182a5206cc8aaf343183b7bf622f

SHA512
23d9f6941584b434ce394b30e5ea898474869c3da2020c929e407e5f9ea06fd78ff34bfca4e5f8fa42bcb13cc837a477f8401a03560cab103c845d73d73fe5a3

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
290KB

MD5
53e2c97df314331bdbb63f585116d09f

SHA1
add5c6cd72d136333775781912c170a1d540faa3

SHA256
c2140d348b024d97dd13dc6953c6249af8f1f8932b0c9dbf83a882e16ea57116

SHA512
39d3c3da27b1776419f548393d5223d2dfc9990134a1d9ee80e697b68fc5c1ff76fd204aadea099dce3f26d6cd3598629654edc945a22247c95adae57cd85cff

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
290KB

MD5
984a9aa77ccf00b554c4096e93337316

SHA1
ca3da976fb64ad97b4cf6aa3e118ae1155b5ec6e

SHA256
e43f4eb50e966abf85eccae775bd35445f39d43d6b540534cb747893f15a4e27

SHA512
4a8670174c04ddd7c580871a76770d5ae20953ed9aedcefed4888eb9646330ba29dd23ed6305de8b2c93619217f9c3892bf65783a21c8d52cd3bb77fb44ec7e0

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
290KB

MD5
1b82aaab8c0dafa37eabc5846ef8da89

SHA1
9917fc8b9ba31ce8d0019986f3bc1146766d9478

SHA256
4dff2f6597e810253a1c90cf2bc958ed0f9164ce7e493daa55356959f7df4475

SHA512
28880abbef5c80cc61b883de5e4a78c6aef7e0732613f4484a3e19f62853c6330b0e4c5ebb71ddfeb54f3ddd06fcd1202b2b7ecbdc37c31285757a606fc512a5

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
290KB

MD5
96d18d7f0fbd0f3b7c54492022c8eb17

SHA1
a347d2236bb2ce9ee16cfc1c50c10d7686eb506c

SHA256
b507f2560c998ca0122d68059f15f02294b8434e3916601a33ad2602108bab02

SHA512
9e7800a6ff1c1398114ba59d0237758010c480594c402a5aade4a6b7aeeb7d3a555d2f39cfb1db31aa1cef5661a413356edfe81d83f60682a66883aed4cf1a31

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
290KB

MD5
db5190aad0d776ecffaea29bf48865fd

SHA1
b2ff3ae36c330803fe2373b31905716165ce4ea7

SHA256
69ae080c170b948d746f60283a3597ba09ae9157a6cafe482274d03cdde0e19e

SHA512
372aaa9369a367857c3c200a2e8b81f6b6f823f45f3f28e70f040803708ab9bed812f19461cf7ac97686bfe845f96cc9eb9dc83f5502de6c5ede695a79aae17b

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
290KB

MD5
25b448ec0d94bf13a0ad640526b36872

SHA1
d98ace9422cec1d63345f0bd534c166e27f04255

SHA256
2d6bf186f622bff3f7f3a0deefd4abeb4726d8d952c5835a66c197bd3f52f08a

SHA512
3bddf00a95edf8a1e9919b9c5b437d907946458f3bc2176204fa71e8a13af2d5b741f616f9450f28200eab8519ce841a16e8950c9baabc1e16df8d603896b9ea

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
290KB

MD5
96f8ab24b697d9fba5a754d994bf4d86

SHA1
fb60b9bc6307a98d729bda594fb5b74c5a704d0b

SHA256
0feca5c0613e9cb1ab8e1476fb546412fa2c093820b4907525482a6225ab5cd3

SHA512
9e831f8ab82e61e06c14942f57dcbabe02bf39009e2d02955841d5240352209c833aebf2c8989a60bdaf86b0609904ad3a4175ed30f2e3d1be2cbef8aa60f0d9

Download Submit
C:\Windows\SysWOW64\Lcgagm32.dll

Filesize
7KB

MD5
779df23b07dc5b45b1c8333a3bc8625a

SHA1
6898155c36670c80bed9852263edf3584d591816

SHA256
a2ba907fdcfc00d25fac3468d27eaea1ec6bdcdd61e8738d1810f8db1a169cd7

SHA512
a0c5fe07d4e02872754e65af2a84e779c206d1e6a1d84859452bcb74b5786bf744e110bae4d5006093ce36fbbde0191fe4e5f67a3ee88e115c0214393ba0f24c

Download Submit
memory/380-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5248-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5376-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5568-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5568-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5612-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5612-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5656-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5656-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5696-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5696-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5744-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5744-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5840-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5840-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads