8b4132781ce5a41aa9b26ac84170ac9379a5c54714b53181b751f44182769243

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e8a9c0127e174d147031213eb682e70N.exe
Size

80KB
MD5

6e8a9c0127e174d147031213eb682e70
SHA1

93ac186ff6047fb273cb6c43eaa75aeff88a63c7
SHA256

8b4132781ce5a41aa9b26ac84170ac9379a5c54714b53181b751f44182769243
SHA512

d0c469e90c4b55abf2853ca1a8270defca3549149e70ca769070b8049e2faaeab6a59104af48355d4deab160769c8e3ff5f4b422af46dbc48cc73461380e4266
SSDEEP

1536:DBMofNzOtRp36VRMA7cJmn83jsV+JCULsg6x2LtJ9VqDlzVxyh+CbxMa:DBM4NzoF6VaAcJm8zsV+dsg6KtJ9IDla

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Halaloif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hannao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6e8a9c0127e174d147031213eb682e70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ielfgmnj.exe

Executes dropped EXE 64 IoCs

pid	Process
4324	Hccggl32.exe
1116	Hnhkdd32.exe
1600	Hqghqpnl.exe
2872	Hcedmkmp.exe
4588	Hbfdjc32.exe
3588	Hchqbkkm.exe
2800	Hkohchko.exe
2244	Halaloif.exe
3720	Hcjmhk32.exe
460	Hjdedepg.exe
708	Hannao32.exe
3740	Hkcbnh32.exe
1612	Ibnjkbog.exe
3600	Ielfgmnj.exe
5084	Ilfodgeg.exe
3460	Ibpgqa32.exe
3664	Iencmm32.exe
1248	Infhebbh.exe
1692	Ieqpbm32.exe
3520	Ilkhog32.exe
4424	Ibdplaho.exe
2896	Ihaidhgf.exe
2292	Ibgmaqfl.exe
2648	Ieeimlep.exe
2392	Jnnnfalp.exe
656	Jehfcl32.exe
388	Jlanpfkj.exe
1208	Janghmia.exe
392	Jhhodg32.exe
3780	Jjgkab32.exe
5088	Jaqcnl32.exe
4304	Jlfhke32.exe
2052	Jacpcl32.exe
688	Jhmhpfmi.exe
3184	Jjkdlall.exe
4428	Jaemilci.exe
2156	Jddiegbm.exe
4616	Koimbpbc.exe
3764	Kbeibo32.exe
1472	Khabke32.exe
4272	Kkpnga32.exe
4172	Kajfdk32.exe
2844	Khdoqefq.exe
3108	Kbjbnnfg.exe
4988	Kdkoef32.exe
4048	Klbgfc32.exe
2780	Kopcbo32.exe
3020	Kejloi32.exe
4824	Klddlckd.exe
3348	Kaaldjil.exe
3224	Kdpiqehp.exe
3304	Klgqabib.exe
4980	Loemnnhe.exe
1536	Ldbefe32.exe
1672	Llimgb32.exe
4132	Laffpi32.exe
4792	Leabphmp.exe
1120	Llkjmb32.exe
4136	Lojfin32.exe
2232	Lahbei32.exe
2720	Ldfoad32.exe
1776	Lkqgno32.exe
5156	Lbhool32.exe
5200	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibdplaho.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Klgqabib.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Oflimp32.dll	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Akpbem32.dll	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Janghmia.exe	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Kdkoef32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Dgmfnkfn.dll	Hcjmhk32.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hnhkdd32.exe
File opened for modification	C:\Windows\SysWOW64\Halaloif.exe	Hkohchko.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Ieqpbm32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Hlcfmhdo.dll	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Jaqcnl32.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Hnhkdd32.exe	Hccggl32.exe
File opened for modification	C:\Windows\SysWOW64\Hbfdjc32.exe	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Infhebbh.exe
File opened for modification	C:\Windows\SysWOW64\Ieqpbm32.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Llfgke32.dll	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Hnhkdd32.exe	Hccggl32.exe
File created	C:\Windows\SysWOW64\Hjdedepg.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdedepg.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibnjkbog.exe	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Ilfodgeg.exe	Ielfgmnj.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedmkmp.exe	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Hchqbkkm.exe	Hbfdjc32.exe
File opened for modification	C:\Windows\SysWOW64\Hkohchko.exe	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Ejioqkck.dll	Halaloif.exe
File created	C:\Windows\SysWOW64\Ielfgmnj.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Jnnnfalp.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Khabke32.exe
File created	C:\Windows\SysWOW64\Khdoqefq.exe	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Hcjmhk32.exe	Halaloif.exe
File opened for modification	C:\Windows\SysWOW64\Ielfgmnj.exe	Ibnjkbog.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Mnpkiqbe.dll	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lojfin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5292	5200	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcedmkmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhkdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e8a9c0127e174d147031213eb682e70N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6e8a9c0127e174d147031213eb682e70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6e8a9c0127e174d147031213eb682e70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Ieeimlep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccggl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Halaloif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlhjjnc.dll"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgmaqfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmapeg32.dll"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilcaoaif.dll"	Hccggl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibpgqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6e8a9c0127e174d147031213eb682e70N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 4324	684	6e8a9c0127e174d147031213eb682e70N.exe	91
PID 684 wrote to memory of 4324	684	6e8a9c0127e174d147031213eb682e70N.exe	91
PID 684 wrote to memory of 4324	684	6e8a9c0127e174d147031213eb682e70N.exe	91
PID 4324 wrote to memory of 1116	4324	Hccggl32.exe	92
PID 4324 wrote to memory of 1116	4324	Hccggl32.exe	92
PID 4324 wrote to memory of 1116	4324	Hccggl32.exe	92
PID 1116 wrote to memory of 1600	1116	Hnhkdd32.exe	93
PID 1116 wrote to memory of 1600	1116	Hnhkdd32.exe	93
PID 1116 wrote to memory of 1600	1116	Hnhkdd32.exe	93
PID 1600 wrote to memory of 2872	1600	Hqghqpnl.exe	94
PID 1600 wrote to memory of 2872	1600	Hqghqpnl.exe	94
PID 1600 wrote to memory of 2872	1600	Hqghqpnl.exe	94
PID 2872 wrote to memory of 4588	2872	Hcedmkmp.exe	95
PID 2872 wrote to memory of 4588	2872	Hcedmkmp.exe	95
PID 2872 wrote to memory of 4588	2872	Hcedmkmp.exe	95
PID 4588 wrote to memory of 3588	4588	Hbfdjc32.exe	96
PID 4588 wrote to memory of 3588	4588	Hbfdjc32.exe	96
PID 4588 wrote to memory of 3588	4588	Hbfdjc32.exe	96
PID 3588 wrote to memory of 2800	3588	Hchqbkkm.exe	97
PID 3588 wrote to memory of 2800	3588	Hchqbkkm.exe	97
PID 3588 wrote to memory of 2800	3588	Hchqbkkm.exe	97
PID 2800 wrote to memory of 2244	2800	Hkohchko.exe	98
PID 2800 wrote to memory of 2244	2800	Hkohchko.exe	98
PID 2800 wrote to memory of 2244	2800	Hkohchko.exe	98
PID 2244 wrote to memory of 3720	2244	Halaloif.exe	99
PID 2244 wrote to memory of 3720	2244	Halaloif.exe	99
PID 2244 wrote to memory of 3720	2244	Halaloif.exe	99
PID 3720 wrote to memory of 460	3720	Hcjmhk32.exe	101
PID 3720 wrote to memory of 460	3720	Hcjmhk32.exe	101
PID 3720 wrote to memory of 460	3720	Hcjmhk32.exe	101
PID 460 wrote to memory of 708	460	Hjdedepg.exe	102
PID 460 wrote to memory of 708	460	Hjdedepg.exe	102
PID 460 wrote to memory of 708	460	Hjdedepg.exe	102
PID 708 wrote to memory of 3740	708	Hannao32.exe	103
PID 708 wrote to memory of 3740	708	Hannao32.exe	103
PID 708 wrote to memory of 3740	708	Hannao32.exe	103
PID 3740 wrote to memory of 1612	3740	Hkcbnh32.exe	104
PID 3740 wrote to memory of 1612	3740	Hkcbnh32.exe	104
PID 3740 wrote to memory of 1612	3740	Hkcbnh32.exe	104
PID 1612 wrote to memory of 3600	1612	Ibnjkbog.exe	105
PID 1612 wrote to memory of 3600	1612	Ibnjkbog.exe	105
PID 1612 wrote to memory of 3600	1612	Ibnjkbog.exe	105
PID 3600 wrote to memory of 5084	3600	Ielfgmnj.exe	107
PID 3600 wrote to memory of 5084	3600	Ielfgmnj.exe	107
PID 3600 wrote to memory of 5084	3600	Ielfgmnj.exe	107
PID 5084 wrote to memory of 3460	5084	Ilfodgeg.exe	108
PID 5084 wrote to memory of 3460	5084	Ilfodgeg.exe	108
PID 5084 wrote to memory of 3460	5084	Ilfodgeg.exe	108
PID 3460 wrote to memory of 3664	3460	Ibpgqa32.exe	109
PID 3460 wrote to memory of 3664	3460	Ibpgqa32.exe	109
PID 3460 wrote to memory of 3664	3460	Ibpgqa32.exe	109
PID 3664 wrote to memory of 1248	3664	Iencmm32.exe	110
PID 3664 wrote to memory of 1248	3664	Iencmm32.exe	110
PID 3664 wrote to memory of 1248	3664	Iencmm32.exe	110
PID 1248 wrote to memory of 1692	1248	Infhebbh.exe	111
PID 1248 wrote to memory of 1692	1248	Infhebbh.exe	111
PID 1248 wrote to memory of 1692	1248	Infhebbh.exe	111
PID 1692 wrote to memory of 3520	1692	Ieqpbm32.exe	112
PID 1692 wrote to memory of 3520	1692	Ieqpbm32.exe	112
PID 1692 wrote to memory of 3520	1692	Ieqpbm32.exe	112
PID 3520 wrote to memory of 4424	3520	Ilkhog32.exe	114
PID 3520 wrote to memory of 4424	3520	Ilkhog32.exe	114
PID 3520 wrote to memory of 4424	3520	Ilkhog32.exe	114
PID 4424 wrote to memory of 2896	4424	Ibdplaho.exe	115

C:\Users\Admin\AppData\Local\Temp\6e8a9c0127e174d147031213eb682e70N.exe
"C:\Users\Admin\AppData\Local\Temp\6e8a9c0127e174d147031213eb682e70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\Hccggl32.exe
  C:\Windows\system32\Hccggl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\Hnhkdd32.exe
    C:\Windows\system32\Hnhkdd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\Hqghqpnl.exe
      C:\Windows\system32\Hqghqpnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 408
        66⤵
        Program crash
        
        PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5200 -ip 5200
1⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Halaloif.exe

Filesize
80KB

MD5
ff104ef710c34dd1cd6d8d87f48da053

SHA1
c2a017c3ed8d19ebf3e37474ac2b66e1d8982c46

SHA256
4fff51bdb9592718f510c7e4f8ffdeeee1218d5b4d104f8b6e0d43d5d2f547de

SHA512
697ea1ae31fa036dc00aba95f38d478bb49e2c782c8577acdeb4df2a86f56315f0e3ad8e54a90a1d38c4bd6d2e9e50d577304157454af3f18c578613b5b928f3

Download Submit
C:\Windows\SysWOW64\Hannao32.exe

Filesize
80KB

MD5
117b902d0a6198e603b607937eb38574

SHA1
8349d2d00574efc8c53987d641ba158e307ec341

SHA256
9c51755024d547ffd64d3f61166660ef9f45a6dff45a928511e8ef2fefde195b

SHA512
4a4c4182c964809bf69725191a30448e9e37e6578b2ef9b9c1f3d7e24e47358a03e7876ec82d2b3e5d4f805a16d1a2fcf3299f8f2327b078279af6a40d45d979

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
80KB

MD5
ee5653cc7d6301d435a06ef5d3141e51

SHA1
c0ed18330d3e9d5f5cf3054f7621c510b509983a

SHA256
d739cb1b3af68ddbb47c275920b710b7cd7fe4ddb86a5a54114702c9392e8d95

SHA512
4bee067af8adb228d5de1aeedbd041a59c71832a016e3bf0e7167cbb68682c35a6a94a158ed46e748b4814440ba7bab5e22bf7e01f6d8c69b484a9b7e4151727

Download Submit
C:\Windows\SysWOW64\Hccggl32.exe

Filesize
80KB

MD5
71fcc63245baacf9bfa749373966005f

SHA1
4b81a8cb8fc715a08f2c5a95a427c6fb947ed57d

SHA256
879dfa9e02a15a9ac28c494c54378adf6556e4d7dfcd176abe9af8773340b647

SHA512
402e614f36d621ce0b469680604cfd9de69880b8f4893d76845554cf08d106d75d132e1275dbcc9c28ad56eb0a46853529bfb51882f6ab295bd30444629543d0

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
80KB

MD5
81fe3ecf3e8dea1e8fa761b447e15f8b

SHA1
5a36ab77fa74f76bac1462abb5e0b408f5e2b97b

SHA256
57f4b47a8ad9eced36f000cd658d5494400b88bde119a0bd92f33cb70d597569

SHA512
4994ed4e1b7df8ea73ec4de7b5e6f8c7223cc3ab1e274c934beb39f85baf37dbbcee2c1c4265188141a2e0e4e71191dd483d9a5cd9ac52286c1030d4f54f73ac

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
80KB

MD5
9cf24a678772f1fa67b7eae326b78081

SHA1
fcf4866a2d7d1d1d8ddf1e40db288f403a5f6f98

SHA256
50339ac4853421691c8cfad1b9b449b38a996038f30f5a69102f4c7988d1c310

SHA512
f70d19114f217f65047733bcd914e2232e56949fc4e18f0d4f324076b7bf6d38ce4b4c2e55f2e46a64b75b641873790500a9e761baa7259fc9bf6a8ef4a86cfd

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
80KB

MD5
fb47b8f36b988af5095b65436ec6f09f

SHA1
e5fda3474e6be10916a191e82b3a1ef9cc97bb9b

SHA256
43ec7b0d83e4b108bfda964204e6da34a9ca398224788c76f704caf7c682eb29

SHA512
2868b9474112bc811beb0cbb189313abfb538f3f106e8fbff2cfb53eac02f87e94c39bc1222e17e2bbac7986c1605e95fe468ec447219e4827f61e7d9ef938e0

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
80KB

MD5
8cad15d88610005bcb280436e7e65827

SHA1
475536700c71b276448fdaf7fa0422613fe31f32

SHA256
e7ab22ab6d204e2cae23e6b14c66d84fe2030ab831829b999d3491beffc05422

SHA512
f5711f644aca24527d12ea217ac3e1f6a356bbb0554b7926c84d564ec592e498b89d6882324e01e6fcae11a8ebea74e8581faf8dea83a05cce4fa9a6e7ac1441

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
80KB

MD5
457a3b2b03bd0b6cce1b5d4a4de2c095

SHA1
26fe971083f39009f1f418c2a166b9cbaa84fbfb

SHA256
1bba5462c167086f6b40f70b261d3db59632be7e0f3888e0188a828777091f31

SHA512
c00b51654815d880dbb632713c6a7dd54078e7d1b7895388fd053f9fe55a50eb5d060ff7be870e40ddfd3b0dd9e5c2552033c6ab419871312f9f1623461a2ea2

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
80KB

MD5
b43a77de0ccc2298891305165e46b814

SHA1
f41ee1ac1cb93568a3090fca9e9efbacb9379093

SHA256
9aa0538b8f22b674ffc7749cfe4189c3faa54d6d3bce95d5e00a240a1296705f

SHA512
ad3cc036295bf7912cfb9ff2378813569f709f571fad26dff902dad73f127c7e0dbe260deb3b1cbb700c0b0dc18e293cc18ae9a5a6bd71cfafb1cfc97090b621

Download Submit
C:\Windows\SysWOW64\Hnhkdd32.exe

Filesize
80KB

MD5
613d7c666834342ed5d2111b06a50f73

SHA1
1e0678362783b94129e4c18818d281f3f091fa72

SHA256
4189f8547d5abdea55f83be3b1f0f42e1e942eb144a7712226780b7b6d0ecdf4

SHA512
86ef5b0c6ab1bfd92d09e4c92bc27eb498ebb8253246fa2e7c1d60202fde3d34f28776ea05a037ce5a3dc95eb3750436cf78ca5c443e132234662b3f4856236e

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
80KB

MD5
a739ee246f30796812873f5ae3f9fe91

SHA1
0500626bbba56aa38a84459c42b090424d68d296

SHA256
cb121f5b13d058f8305072ddd8ca0517246825440897aab960657673affbf514

SHA512
ef7bbd184ed54164c3772090a0a729d9f882570f6f58b85526019148e5920816dbba65af94992c1390c90b44dc7754ee314b675f2fd44c14b0dab974db4a3bf6

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
80KB

MD5
9e4412ed0febb1356aece3d00a122934

SHA1
0abed20b86c23bbb0e1210bac3eaaf93e6bade3a

SHA256
3d737e42e7aaf0f7240e7be941cd726f00d57a22eeeec82377c97716dd6c98f6

SHA512
93259f2e350f86f9c3122b3ebd59db47da9f19d6f68bcd1bc152a69eb5a4b337523e78c954c300db626861de12705885218220f338971ce183b1d2a5430b633c

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
80KB

MD5
f0ff350f25c8b875b377ccd97c27747e

SHA1
9ba72edddc5c432e1d45cfcd3e5c2045687cbcc9

SHA256
6c9a22f45782c798385d10981a667f14b8e4efe71734422a1b80731d35e753d8

SHA512
ed653cc3b51c4352de1ecea3b838ff74bb686642c47325772ff5a3c1fd5742deee1669aca7107b4add8b868543cce991595d0e1b633795de98939d97a256edbf

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
80KB

MD5
a7780aa952c8ab5b95cf6c3cee384b54

SHA1
aefe04bc9b79b56b0f2e6fdadb90e896eb0aa2b5

SHA256
6b61c648099e5a38e38e48684b392566cd0b81c3925e4da12bdb1830866c39da

SHA512
e011b92479657fb1684a67c3581e41097c3100a487b2df748f2171d5075136aa7fbe8802316eadf925fe89c48a4b03a76da0ed5a1531ff1ad372494cc8328d85

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
80KB

MD5
8af19fcbab4e16d8481789f89cb8e58b

SHA1
ec307d744117d09499f85eb4d345ddef69b4a76f

SHA256
dfbf0c8d207ce7197d85e4704524fc25d9c1feae4fac3e977c57e14221d9ece2

SHA512
e51e972e2b7a904fe3ea81ca0ea56f0e1def45a6b691912eddbc75cdd06636477c58aa0a7b5f0d09e788da176f561ccb5a83f5ba1578c51462810773acaa2161

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
80KB

MD5
2b2e1cecdf39be86fa6c0d7647068546

SHA1
344b819975841f68d5b556bb73b216508f8883a9

SHA256
bf732b2f378da4b58c20ffb6a459699299f4a99d81690405ce84ce33a72d8f91

SHA512
40d87780d62bc37507ed44c89ac32656f8a5525bc0770097a9581a123c679b18ab5d6048e756d282784e1f6dbe779324eab56d8f7ebd4b7f9cc2fcec6371e4b8

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
80KB

MD5
95cb24bfb89b1c7e6ec35330e5dac1ec

SHA1
797c046f9d41717adbbf9123e125c31fca71c6e0

SHA256
d67f7472ba05e2785844b83aa5ab58c6038ef85398b9d0e358765f1878413f59

SHA512
46aba18bce1f618be8d6f9c440a95a220712a4eb03af9d2169c049b8ebfd200a8494218f5cc57724b5822c013cfab2b4358746bd1268a25e93fd076176ed35b5

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
80KB

MD5
fb3a290273062e0812f41926c864bee3

SHA1
928390afc292cbeb2bc3fc4d737fd90956401245

SHA256
70c71e5310caec4c6f178a58f584e5ecfc33c7a3f79f71b976727611620cac37

SHA512
05935686f9d82190ee62c9ec668b0d6ba1fb3e78587a8c7998bb27c26cd0dbce84df29890611268785ae3560bae92d8f21245d2e98e492a340ccf53d0adf99d8

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
80KB

MD5
e8317677b078136e09716e2ee265e366

SHA1
76e4b41a99c832cc8dcc0dbe474f1c1c28686b46

SHA256
111dec2c2115c1d1595f3b264fed99511c1f42b72d97dfac0cda0ee20805fa9c

SHA512
0d00933ba4953b411ec2b29134ab2ec54a99bd2b1ca6b24a9729d47169ca822b9075e03569b3e64c2585eee2581c649ef43407f9514c3ea782e1f33401b1320f

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
80KB

MD5
97d7639e3b0e98a949061dcc89fac08a

SHA1
c9feb4572b56a5d15b80e8d9f7eeb994a963233e

SHA256
d98c771453c47bcf9236fbc848ef9058398c520040a348be819abc637ff4ebc8

SHA512
b1036af943865745475d99fbf120729a9f0627866209f6fa7c1d285d5765e0b11b625bd694097592b9b76502676c43a80e2ab8a184b140120a089e2e25fd5955

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
80KB

MD5
2904abc1181ce381861c0fb9bc87c83d

SHA1
cc0d64d2038ef5fad3549c33a5d5495c4f9110c4

SHA256
48a855493ebc8fb492adfa31779f5a4803056d32bd77d33a571074409d6a6048

SHA512
d2d4fd8124ca18d5fdb3f64f13835f0368c2067f9e52dd9f2b3a3f4ccd457dee631c24810277dc65de57bface9252eb90c48e9f8d42f2b4b597941a6624bd92c

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
80KB

MD5
039007bc7c6971035a19e1a4247c6c73

SHA1
16bfdbf3426529cc376d7ae005559652bc7df23b

SHA256
a5bf1606609baec2c092ceab52d98e35a174691119bd0de92d8d7c360b4c57c3

SHA512
f00dca154abb1f19a127ff096f29b200055fd5311c928b5b5dc522aaa4ec87c471a11823d522dd64b96784f8f85904cc26391c9639e1f4275d0f8dcfbb1910c7

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
80KB

MD5
94fe4693198afd68307dae3410ae96b6

SHA1
a0858eff0b3fc2e779e12ffa482e663a635f2d3f

SHA256
7419f5dd4c35dbc9c856abbaa891de6d75363b605d7f60a9ef310d9766aa70e6

SHA512
3a4566b587b7720190c84058ad65b532fd2c7c1b195d8fd1842453329eeeb33c1ea50035f544b7eda080d466567ad4515026ec44efd8d2e95dfa0de355c0af52

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
80KB

MD5
0e5a98159007f783db8a0f6da6f427bc

SHA1
9ebde0c64fda6ce8820b1bb755972a6a6567a13b

SHA256
6228d85a9aa7d27bb3612156b4dfec6d1b64342b223c35d2a534bf6818d8f45e

SHA512
ebf8117f2e4ba10863d13ec7f46ac1dcb94cc38432bc5cd76f1a5f0fc3cfe89985c2b4efb45450c8d4533a84d070b99e31b9d5df808e2f1b5bf3cfc707d8d659

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
80KB

MD5
44ae9ef56d455c56b70480a892c6178a

SHA1
2979295c8b4b5a663b1b52449154461ef33cc8e1

SHA256
fc286e9219bc7adbb8a0d060a5073ce7d33d0b47c9a5da96203363a20df85e5c

SHA512
77ff01fef013d7137834c53b54fe4c867c3a4dacba4ec5d0178d962eb4ecde0bd104dc7744a3fd0c645e9e51a00ed4386eaf48ba5c4004864b6b05ba25181331

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
80KB

MD5
ab7641f9bdba9a2c29e774960a680589

SHA1
99debecd23d75bf4447eb82e8bd0b90eb0d330f9

SHA256
2b3c1cb22f6de8a8706e3554f2127acf7194effb020006cb4d4a05836e2bb03d

SHA512
32e10a6da439b43743da947b1cc29b606710fd19c419143a7f821664f74075f8dbf67ee8bd1bf0019b4cb1624f357a1e7d3933b2e5b1db31eb0991e903529236

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
80KB

MD5
776863b9b34bc4eae495d190acc2473e

SHA1
8f56043c6e912805d2c988e7eea8931133f78c0d

SHA256
c4ca308ec76cdc055d2db61dc487084c8e40bb93adf1f3d000c0a493c0cccd8f

SHA512
a15968ab8a1c69cea8a6af18efb61307b6c13498ab2dfa61c556ec01d9b860fe9e72a1aa89b791eb4b61dd002ccde36fbd5adabda41b1433e5a276240adc210c

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
80KB

MD5
840c40cf9bc7f57f451ca5333b105da5

SHA1
1cfef6a5998815c77b0d8c445a49c76b74f468e7

SHA256
d51f6af19f77b6b956f7772043d4979816b36a077141ab7db0045bc56c0d60d1

SHA512
c9eabb8132b693e7a64c1891ec6c1ae67a31ad042e16ba0dffde2bfc7d8adce2e341019111615c6e8eaf91a2d33c1ce7029ba2a289566bf89d6c51cb2ee5ff1f

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
80KB

MD5
eac7fce6e2926c50342595b3f58447bc

SHA1
cd2abf35527a70cc0b20270c238f47b4dff7b5c6

SHA256
ff76b8ac8d3e78518108671af2857ced5ccd34e45ac995787059b00f3f728218

SHA512
67f17d4a3e7e44343621a6ecc396c88d4d1b2c42348c391bc48256a242106a1cb754ede7fa19eb8adec42cd9aeb797a933674727028e9e6585443f863bbd55ce

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
80KB

MD5
89a1f0a48277903a981637d9c4722e85

SHA1
8469a2d9aa2d2ac3b17269fe15c36741cba7a358

SHA256
31c21776548de963a0c6034a31cf95f62db4100bb885befaa367b04ac2d8e77c

SHA512
55938b459ec13f008db361928bf216237cc8ea7095c7d0901fbf76752523089f6f868918a94baa300e3de6c231aed29719c34e2aa296d78993f8d38637a30e36

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
80KB

MD5
1099df1b95e5d80e8eeb323bdf04b26a

SHA1
ad9b45c942604ec0e9cdf2a7be4fc8fcbd505a2d

SHA256
c64bccc54970a4908b10b77ba1d7c10d23fa6d6a35c3bc22518517731891de43

SHA512
7755d03721eaef400c30beda79c28485210f58ce39699dafd2978cfd6013e390dbbcb676d2d7924cfbd4761542897437622429086b109a36264fb28c15f095b5

Download Submit
memory/388-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/460-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/688-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/708-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3740-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5156-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5156-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5200-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads