88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Size

80KB
MD5

581e9e5d54b3c80aaef5fd0d26cd382c
SHA1

cae844b52626ebbd56e9d77e0187644661dcf0df
SHA256

88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175
SHA512

35fbf74028b1ce14928bc253e525766de66681ff51928e055d91875b0b75377e6629abde53c748198aae444cb160a5d8c0b8ad22d0a124739d83ed5549de8b63
SSDEEP

1536:VisVcaWCHA18yoJ5t7GCf5+e2LeJ9VqDlzVxyh+CbxMa:KaWqAcJ5tSCf5MeJ9IDlRxyhTb7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hepgkohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halaloif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilhkigcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidfpki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgeihiac.exe

Executes dropped EXE 61 IoCs

pid	Process
1416	Gbbkocid.exe
2156	Hepgkohh.exe
1536	Hgocgjgk.exe
5004	Hqghqpnl.exe
4588	Hkmlnimb.exe
2232	Haidfpki.exe
2948	Hjaioe32.exe
3244	Halaloif.exe
3068	Hgeihiac.exe
460	Hbknebqi.exe
708	Hejjanpm.exe
3984	Hnbnjc32.exe
452	Icogcjde.exe
3604	Ijiopd32.exe
2316	Iabglnco.exe
2960	Ilhkigcd.exe
4864	Iaedanal.exe
4376	Ijmhkchl.exe
952	Iagqgn32.exe
4948	Ihaidhgf.exe
4324	Inkaqb32.exe
2772	Idhiii32.exe
1036	Ijbbfc32.exe
4456	Jaljbmkd.exe
2700	Jdjfohjg.exe
3480	Jnpjlajn.exe
3948	Jdmcdhhe.exe
3432	Jldkeeig.exe
3784	Jaqcnl32.exe
4520	Jlfhke32.exe
4660	Jbppgona.exe
4132	Jdalog32.exe
232	Jlidpe32.exe
3596	Jbbmmo32.exe
728	Jddiegbm.exe
1156	Jjnaaa32.exe
2288	Kbeibo32.exe
816	Keceoj32.exe
3992	Kkpnga32.exe
1520	Koljgppp.exe
3088	Kefbdjgm.exe
2956	Klpjad32.exe
5084	Kalcik32.exe
2008	Kdkoef32.exe
2888	Klbgfc32.exe
4012	Kopcbo32.exe
4676	Kaopoj32.exe
3832	Khihld32.exe
4484	Kocphojh.exe
3032	Kemhei32.exe
4648	Lkiamp32.exe
4500	Leoejh32.exe
1756	Lhmafcnf.exe
1208	Lklnconj.exe
4692	Laffpi32.exe
2768	Lddble32.exe
4172	Lknjhokg.exe
2716	Lbebilli.exe
3704	Ldfoad32.exe
5136	Lbhool32.exe
5180	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Ggghajap.dll	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jdalog32.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jbbmmo32.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Pnfceopp.dll	Hkmlnimb.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jdjfohjg.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Qbddhbhn.dll	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jlidpe32.exe	Jdalog32.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Hgocgjgk.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Lcmgbngb.dll	Halaloif.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Icogcjde.exe
File opened for modification	C:\Windows\SysWOW64\Iagqgn32.exe	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Ncapfeoc.dll	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Klpjad32.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Jaljbmkd.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Lddble32.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Hepgkohh.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Bblnengb.dll	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Pjpjea32.dll	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Jaqcnl32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Dbneceac.dll	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Hejjanpm.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Eopbppjf.dll	Iaedanal.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Iaedanal.exe	Ilhkigcd.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Icogcjde.exe	Hnbnjc32.exe
File opened for modification	C:\Windows\SysWOW64\Icogcjde.exe	Hnbnjc32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Khihld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5280	5180	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhkigcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hepgkohh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaioe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnbnjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmlnimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmhkchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkocid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haidfpki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeihiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopbppjf.dll"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Leoejh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfood32.dll"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll"	Hepgkohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbneceac.dll"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll"	Hgeihiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgeihiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqpalio.dll"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaqcnl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1416	848	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe	91
PID 848 wrote to memory of 1416	848	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe	91
PID 848 wrote to memory of 1416	848	88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe	91
PID 1416 wrote to memory of 2156	1416	Gbbkocid.exe	92
PID 1416 wrote to memory of 2156	1416	Gbbkocid.exe	92
PID 1416 wrote to memory of 2156	1416	Gbbkocid.exe	92
PID 2156 wrote to memory of 1536	2156	Hepgkohh.exe	93
PID 2156 wrote to memory of 1536	2156	Hepgkohh.exe	93
PID 2156 wrote to memory of 1536	2156	Hepgkohh.exe	93
PID 1536 wrote to memory of 5004	1536	Hgocgjgk.exe	94
PID 1536 wrote to memory of 5004	1536	Hgocgjgk.exe	94
PID 1536 wrote to memory of 5004	1536	Hgocgjgk.exe	94
PID 5004 wrote to memory of 4588	5004	Hqghqpnl.exe	95
PID 5004 wrote to memory of 4588	5004	Hqghqpnl.exe	95
PID 5004 wrote to memory of 4588	5004	Hqghqpnl.exe	95
PID 4588 wrote to memory of 2232	4588	Hkmlnimb.exe	96
PID 4588 wrote to memory of 2232	4588	Hkmlnimb.exe	96
PID 4588 wrote to memory of 2232	4588	Hkmlnimb.exe	96
PID 2232 wrote to memory of 2948	2232	Haidfpki.exe	97
PID 2232 wrote to memory of 2948	2232	Haidfpki.exe	97
PID 2232 wrote to memory of 2948	2232	Haidfpki.exe	97
PID 2948 wrote to memory of 3244	2948	Hjaioe32.exe	98
PID 2948 wrote to memory of 3244	2948	Hjaioe32.exe	98
PID 2948 wrote to memory of 3244	2948	Hjaioe32.exe	98
PID 3244 wrote to memory of 3068	3244	Halaloif.exe	99
PID 3244 wrote to memory of 3068	3244	Halaloif.exe	99
PID 3244 wrote to memory of 3068	3244	Halaloif.exe	99
PID 3068 wrote to memory of 460	3068	Hgeihiac.exe	100
PID 3068 wrote to memory of 460	3068	Hgeihiac.exe	100
PID 3068 wrote to memory of 460	3068	Hgeihiac.exe	100
PID 460 wrote to memory of 708	460	Hbknebqi.exe	101
PID 460 wrote to memory of 708	460	Hbknebqi.exe	101
PID 460 wrote to memory of 708	460	Hbknebqi.exe	101
PID 708 wrote to memory of 3984	708	Hejjanpm.exe	103
PID 708 wrote to memory of 3984	708	Hejjanpm.exe	103
PID 708 wrote to memory of 3984	708	Hejjanpm.exe	103
PID 3984 wrote to memory of 452	3984	Hnbnjc32.exe	104
PID 3984 wrote to memory of 452	3984	Hnbnjc32.exe	104
PID 3984 wrote to memory of 452	3984	Hnbnjc32.exe	104
PID 452 wrote to memory of 3604	452	Icogcjde.exe	105
PID 452 wrote to memory of 3604	452	Icogcjde.exe	105
PID 452 wrote to memory of 3604	452	Icogcjde.exe	105
PID 3604 wrote to memory of 2316	3604	Ijiopd32.exe	106
PID 3604 wrote to memory of 2316	3604	Ijiopd32.exe	106
PID 3604 wrote to memory of 2316	3604	Ijiopd32.exe	106
PID 2316 wrote to memory of 2960	2316	Iabglnco.exe	108
PID 2316 wrote to memory of 2960	2316	Iabglnco.exe	108
PID 2316 wrote to memory of 2960	2316	Iabglnco.exe	108
PID 2960 wrote to memory of 4864	2960	Ilhkigcd.exe	109
PID 2960 wrote to memory of 4864	2960	Ilhkigcd.exe	109
PID 2960 wrote to memory of 4864	2960	Ilhkigcd.exe	109
PID 4864 wrote to memory of 4376	4864	Iaedanal.exe	110
PID 4864 wrote to memory of 4376	4864	Iaedanal.exe	110
PID 4864 wrote to memory of 4376	4864	Iaedanal.exe	110
PID 4376 wrote to memory of 952	4376	Ijmhkchl.exe	112
PID 4376 wrote to memory of 952	4376	Ijmhkchl.exe	112
PID 4376 wrote to memory of 952	4376	Ijmhkchl.exe	112
PID 952 wrote to memory of 4948	952	Iagqgn32.exe	113
PID 952 wrote to memory of 4948	952	Iagqgn32.exe	113
PID 952 wrote to memory of 4948	952	Iagqgn32.exe	113
PID 4948 wrote to memory of 4324	4948	Ihaidhgf.exe	114
PID 4948 wrote to memory of 4324	4948	Ihaidhgf.exe	114
PID 4948 wrote to memory of 4324	4948	Ihaidhgf.exe	114
PID 4324 wrote to memory of 2772	4324	Inkaqb32.exe	115

C:\Users\Admin\AppData\Local\Temp\88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe
"C:\Users\Admin\AppData\Local\Temp\88e3103f5b1a88476ca1ccf0289dbf5062c0adc78d2d8098d95eca38ae1e1175.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\Gbbkocid.exe
  C:\Windows\system32\Gbbkocid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\Hepgkohh.exe
    C:\Windows\system32\Hepgkohh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Hgocgjgk.exe
      C:\Windows\system32\Hgocgjgk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 400
        64⤵
        Program crash
        
        PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5180 -ip 5180
1⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
80KB

MD5
570e616e6d9b5427b9be61e662738381

SHA1
0051394c08dbd0638e9265d68515f4ade4eebc8f

SHA256
59eb80b036e89c7c970c8ef510d2c821f159c9c8dcac1fd8cd70b3063f405e27

SHA512
4c50c4b1a0716ab059831008c250f924e9ed7f7fc0fa35b5ba76febafd53792be252f0ce2fe2371846e35644c6e20e261bef2d0e750337746d25530b6b4ad1fa

Download Submit
C:\Windows\SysWOW64\Haidfpki.exe

Filesize
80KB

MD5
bcb0f7f5616fff516bb62d0e4803e521

SHA1
1c549a804039a229448e4f809b24a65138388a5c

SHA256
081fa643578670ce52eb4484880cb013c53d2cbbe91c34f3eb7507d559f769e4

SHA512
230a1a7d2b839cd8305439b3d494f8e65a1c9eaa9241fbee2722a4e9dc0a541cdc30cba058884e5084204b066888af8a2f7980d629263f65213b594828003795

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
80KB

MD5
b1a4ec1f816b880c363245a1ffb75721

SHA1
d5d1a8b361d5293ca391679f5fa2dec273cb5783

SHA256
0890c9cfa68aacf7164f61347e6b312bed25b34f68617cd0a04f9049eb0812d2

SHA512
f60230b5acece90b79c4d85cb7e943d6c53cef8497740252e1b01c904873289586533846e5637826ce279ee1e978a10d6ed0fce669f78b17dc7c3e62e890d67d

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
80KB

MD5
3e01d7bed58ea6ec26e159ecacdfb913

SHA1
114319722ad7fea871e420c5bf03baacebd8940c

SHA256
e83d648d0637c6092c6d75f7de8a41ebd57a6fbb43b30517bf1063043b9bf3e9

SHA512
801bbbb506f627d506891c4e11a0acfd965d418c0bf96b0223b3ea5e2911c2482f1cb02803b19b56cdaedae08a445224c3dba45abdfd039e85eec036079fe94e

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
80KB

MD5
7fc6a1c10d31b0d054aa67531ef64fd8

SHA1
508221d2fe28add47fa5764d1309bc3a1e327c5d

SHA256
d0e867d78e244d54eaf2d9ba13bdbcaf36305f94720031d483d651f024e3e1b7

SHA512
4975e2fd91e8b882bd34ccd1d516e4f4e981d4e2533b815577bb19ae8caf370b601ac871dcbe0ec57cda11f4aa55056b65aca8f365c2116f79380ac6f50e6a8b

Download Submit
C:\Windows\SysWOW64\Hepgkohh.exe

Filesize
80KB

MD5
f191a5cfa1cb2f4d3c744d20325ff5ce

SHA1
2e05f2d347887671707df9c35c6f4d03a25b410c

SHA256
3baac8c71e89206a77ec180a0e7d970c1d9c1b637c322973eda8b26f2b9ab922

SHA512
9685d010142b19b34c616bac14999c602e56b160bee640b0c305ba576036f186568e31ad202687bdd190cb17323cc7dd9246b8932f8c703e868038da74674ebb

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
80KB

MD5
f06e878a314b090f016162aab5ed5f1c

SHA1
c19f24b98bf94a87cdb9ae54a9118346300a866d

SHA256
f9f578c635ddb6c86fd901f73d366e66df782a71f6edf172924066b7706df3e0

SHA512
c22a7586d2efc97d5d68312cee2818822edcf68c1e3fc5c7776ea29c99a547d5d502fac294eb8576a0576d6b69c9fae445aae454f8db6bddb65842bf963b06d7

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
80KB

MD5
17d843a2c9130651a20207235ed8c38f

SHA1
91fc3c0bb0c5b18e5b439db676bcb8d2d9d85bfb

SHA256
e44d888b4574f60a74848994a5364a08a3da01d7ab680c2a1cb217c66154e3e9

SHA512
3c50ba60d56853c804be54c4c17f3bfcf2132d316e59ba9f4e68d0094b642b8d1845503712b310d4973e1ac87002146cfd15b2e51621b6440b17b8bea86bcd5e

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
80KB

MD5
5a4c186580b8980c58bb345e8f50a820

SHA1
c9fbfc36c57db8494bd835cc41b5f3c852120729

SHA256
0915217aa0bb5eef598667e37c7833d00a4ca4de7254206b54a45083823f6237

SHA512
397c58b8ea519f2e7c8de941511fd067da51f92a6e4e92d8e309e48b7949b41329b1901ff25db951acdce232c57ca07cb28a0efbfd81e574076dda90309cc6be

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
80KB

MD5
dafda7299a1ea4c3d7ab6a5bc5bf03b8

SHA1
26adf49a5f1ba37a49eeeffed08fe9594bd19071

SHA256
b3289d8660bc1decf1005fef1b6c4172e3642642597ab78c5b5048a0d3ed60a2

SHA512
5b21134f3a8cf2a2c03dc5e3e325850a69aa4fed9d541fbe046f60aff8632ecb86d1b9829826bb2bf9145ff1f471ce5b954b021532c3cdf76087252c2e8d916c

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
80KB

MD5
d71615d01bebe1c6ffe4ece0108fa2a6

SHA1
ac0d2767d653737570ade91171a8a4400eea7be2

SHA256
ec6d6cd91c0db4800e33732025f63820f0e48573e52b58c45ed84464c3c293d0

SHA512
19c408f1483d21d87032ca93ccf3362102c8b50becd1b05d3a9c6707f12d400af70bdf66156c4cabeebdebed3c7d0eedbc9d4c433a9623400e2f46cffeabb67d

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
80KB

MD5
a8c6718d950a21573f9f689ab23b16fc

SHA1
ae70ed2b3c151435b6e0460404a984853d65e355

SHA256
30f0fac98dc475407bf9bcdb44f2cf21eeaa61fc52171337cbb7ae2085d8413e

SHA512
ed1ec00c1f3c6641832160c9d8483542d8f97bc0ef0cd24469f04039fb51bd6aa75e3559139d20123e10a223f8f9ec5b70116ead3a04ca810816be42eb540af1

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
80KB

MD5
5108ac273c31e14f23c908b7f3fe0d28

SHA1
fe34fc40861e2210ab7b4f2f4e83847fcd689750

SHA256
724d354fb0bb88b1b2a4776546f5eed3f01a26f639ab25ae8794b01e8e101301

SHA512
f137f7013d1268fd3b48e2e5432c5e0f16c316fb18777a254f7b2468f79439710befbc9e09a06e7c92853ee6a191af382cead6251bec5a740331fe2eda7ed619

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
80KB

MD5
52e94c80373873cebb410e5866df90cf

SHA1
dc06cf25275c4f86749455a45ca516edeeca3ce6

SHA256
47616a9aece93cfd1c74d9a8eea2fbe99138f8f939379555584ee0f614e59a45

SHA512
9d320d609d57f98c7cdb364aad86c0440a457fc4114fc34b236c27d822a5ddb34123656c937847a802df99eac6f8a08b627f163eae92587741511d72018db9b6

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
80KB

MD5
fd3834b781db99b9e733a057b2d2900b

SHA1
bc6df7e5d00b2c5348729c186e647ec67ec02929

SHA256
cbb63c08480ba43009ad897571ee4b276a50eb4e19cd2375fddee6a4286e5758

SHA512
c53fefebcb7f37f8da785dc0b766d78ba3571a25b8d0a63961e59826e14a444647c75f3967260a7950ae5123990152083ee7815625f4d18484368668307f098a

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
80KB

MD5
dc52c7f169ef4c589f4e1641e82ef0e5

SHA1
e1456848f6c18342a77924074ae3d77776aec2c0

SHA256
a2fea96401fd3fa74c39e5e6ad544324290222a9eacfa840c85077c19e585540

SHA512
747b9d318c046feb817ca92a751e80beffe266c35c944b4375490c8cf4f625329b0efdd4fa1e0c54ab2ecc98c997f466e5f9e1f792ba74fdd067c4a78d890de7

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
80KB

MD5
3ba5448b331dca4c4ccf628b1db95cbc

SHA1
016dd60fc034ed107e5f404d23e7117fab044cb4

SHA256
740aa80bd2c7f307ab89a55f74aa0c39b7a42ed8a65c534ccb54ce377adf88ea

SHA512
5218992897bc22af435fe482b58e0003df2c907773ca6d10bff4cded71ee601f2d1102f8b538da31cd0ffb063054fec8018884aca42cfb8b90e33438e0e5ba2a

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
80KB

MD5
e483000c41aeff03b11b4ec3a2c63028

SHA1
4f0430e8d2895187c1f5108924ade07511b7fc0e

SHA256
2c6673f94eb3587949f8254566fd5bcfd5fff0c60e1242f4dceb5784d7e38347

SHA512
e6d2f5563c3d8898db6b7abfc30ae3982c83d3c27c9d4124e4f436ea71248cdcf9392c3ac3d344347534828eadfa64e95e7945dc8e108d8a4e031cf50af90abe

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
80KB

MD5
af87033bee6c898c5c2aa626fef6b3a5

SHA1
e2c81c424876b8ef63cdcfef86aed800b459a622

SHA256
beef852dcf00eed9374be13727b71e31086e8be3ab21e32cdc48def91911ffb4

SHA512
9cabb1ae4a0a856876c2a11a5a2e62fe26e785b1f7fd501e351919adc27c763586d4049e698cea4d7f75b0617d7c7bd5d753ad4046e091e1960006e99c8ce21b

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
80KB

MD5
1ac7aadbbdf4cab65df54f3b48f087d7

SHA1
5633b681f1d74eb7a325e8e77074e88c2c5978f1

SHA256
3342a80540bc9ce143d836dceb9231e92b20e7d03864f08d7efc843b775cce83

SHA512
ef5d57f3845e5852ad01977b6a50648c5daf83fdc0b99b72784d8c1acaa504a601b85be41818707fd0a9824b563c0be42010acee51cb840fc765a8afb7d824ca

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
80KB

MD5
d32b0780ca1977baaf3cb5ffd65fd87e

SHA1
9a54561c872582b464e9dac261327a1014133062

SHA256
49e2d0e17a098fa1ea2ff4b9f874cd72896089701d68e692673559e125222302

SHA512
f098c888fd02a2ef85fe237011860e490f95b55c9465dac1d06de22394cc0907679880db651b0580e6987a19282d5eaaaf3777d8ac6caf2d1663d615c8826c5f

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
80KB

MD5
06e6d62aecdc750bbe8b79215cff2701

SHA1
1c368145459965ec718ad324159f88f98146777d

SHA256
fa3096603cce01993c99ed47254b20b899bbd811fbdf4dbff01ae64873ce4d91

SHA512
ba838d943a6f072d1f7ed1dc4ae61490d0904a8db4530549b25b571c695a33fcdfe78e6a21e9242958048494d95a220cf6eb85c2318089706b76ed4d0d79c590

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
80KB

MD5
417ae4d5e1276023130789a05cba0349

SHA1
80776e46dea69ddb4700f1710ac476a55da268bb

SHA256
ed4567ed9f46b3ae0b858010b86150c4abbf50c7a5e69ab1fd2c724926906cb0

SHA512
57e9f9785dd456cba61898b27a2ee95eb7ce90570af06556e4c9c8c7b2e773d26b6a3030c0b94e4929376879b021a93c500da4faa43114f82923b76d2fe39632

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
80KB

MD5
e7b10817aecf1e9e12ac6040cde1229d

SHA1
7cb0af135047038a5efb7ff7d2c86fb085cdec9f

SHA256
e1a70e9095f869bc8ae5cd05f5aa9feea8ea9678c40e324132887f07f5510e15

SHA512
827f14b407e1380202772e142f2ac735952934f09cf3c69d5774534476cfd0c9155fdf6217f6e2c258ca61dab6e72499f059e89c7df9288b9fadbca6f650beb8

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
80KB

MD5
96f11af4c0a33d46b1ae4c3a0f98409e

SHA1
97a6a26aabfb26ff3cedf105a27afe550a502c79

SHA256
9596cefd66479dc78d62bfcce3e7986127a6b01164a41a7245d405e8ff12d261

SHA512
781266369d7a3b74e5f193ca8bac61e9362ffdf65335d00be3aaefea35b48be3c5176f8e28d0a3559b647a58a2bd96a000584ac23a27c8dcf852bb7ea6749637

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
80KB

MD5
59a4e7f6d9a0882d1a535a6157dfb0b1

SHA1
059f16b7bf6251593a271dfc6fcc19f85bb52067

SHA256
5d6fb79e34a717a67390a2cb0fc0a75341671c83e03ddbed5038d50799063a2b

SHA512
f31b88c8b20b0fdbac7390581d0f41de967164da2c9ab40c8459298668588c3633115d7ed0ffe3ad7cbb4ec228e1544ad4aefb5cf6db55c862c4c99811606009

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
80KB

MD5
9e97af5136785d2355a1f0f9a7bc6502

SHA1
3366bdd2cae685e8fe65a6417aa9c54b51d9f9f5

SHA256
82f5ffea1f4be79bbde90f9ebb4521ef8939e2d22521e1b5a854b9d0dba855c4

SHA512
8171f9a93c38515c4c43fb2fbf37b332956bf78e7ace0c46c67a6160a86d1991ffffbdc2106f2245f49649761a35ab2d34d643aefc474da7a0dfb937aae79912

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
80KB

MD5
6c5f13e01496ad8c4842d38622eca456

SHA1
048185da0f8db5d39271323698251ea0b3a54578

SHA256
b9b68e834bfe44d5adbad5d6ff58f4392aa695a7a36e9cc0958eeac854a86295

SHA512
a5f371dd91becf6b75a4f1d89cd7a6929f06279f14320b2c8f79b7a1ffe3a89462f158f871e3e1121b9b125be2754bb5cdac24bc3b35e346d68e7e906ba33bdf

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
80KB

MD5
02ebebd7c4122189ed671dbb2459543f

SHA1
15bbab9f106ed351c2afa038f6bcdfe96202c645

SHA256
8469b8556aff64b1c6ade3e4cef1d371f72bad3160fb6e756f301c2ecf3f31f6

SHA512
46f504fbda68471930e72702a63ed73a92a8222e8b19cb4ae1b91917ae9a7ae458c9626f4ccaad722ae8481aaa2cf247df7d1a4cdb0671a713acbb5df6eae209

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
80KB

MD5
81852b11c31411a381c9d3d740ac0710

SHA1
6d08aa04da35d086cd67d50243973ad800dfc26f

SHA256
56cdc9c7cf004f7e1e82afcab3171105322273275b37ce7f0059548440409b27

SHA512
6b5cb850a2a08f2a47ca0b830f883475279d99388c7cf76a615bc11662d5d8e905ec3a9dc89f4bd5e26c71eb4f37f07676e3755383e308d6f789c6e2a6762ad7

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
80KB

MD5
c81f8ad7d14ed33045f52dbae50e11d4

SHA1
7c366bb4babdf1ceb3630a1374c33478403ef95d

SHA256
541285b36a58c70e81157db6ebd63ab2200497952ba92e27bbe07beea5ff1d0b

SHA512
48cccc0848f92702d3305dfd11d80ca4d98f8a7b4c2382d23aab271c360396d10bef7c77a5a5b6b1b195eeaedaf54dd27e05b192b54b72dac3adbc477eac1dfd

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
80KB

MD5
96f4ebc76276253bcdcf2fd91bfbaf99

SHA1
5df469d74a25004ecc70d1e4dec67cfc359cdd1f

SHA256
d9cc458bb68d2c2aa9fd0cebc53bdd387757f7ed6ed8e45bdb3b9f82c4dc90ad

SHA512
7ad4c393f2150b3071df559a3075e3b37fdf39f33d055e2ac87115d1640383ae04cb3c2612d5f60f654e7761d01731672de7a0930b0c6a28a2fbc7308ff38e6e

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
80KB

MD5
2215e8fa6c149269e7d493b53e882ceb

SHA1
0d0354220f2eaa7dd01338df099f46be44fd36aa

SHA256
7e200fda69c0ce70bc7795bafa3b848b1f71d8b9c7107e72fd77457c6b27df68

SHA512
207a87f6e9711f9a4cdcc999c28669b46ab95f71a6ef98b9cc1d42d832dda2630750d79238cebdb8ed3b9d3ac35a41c0659c875eb19b08448a05a86ba43b4127

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
80KB

MD5
01fe34cac97c8ec1326423b7748a5d7c

SHA1
9c9dcd9efe436a759898fbf2048b0c3db2fad318

SHA256
359b4cce5c79e95053bc6bd951b2da6f38d9096537e831065070a8ebbce6fbf6

SHA512
2499b778e6aacd88dcdee4818da09715e461dc833801c2a4bf497b551de48af95f5d5db48b349f595fc60101b91b900c09f7cbefccc808394e3a0a7393884aaf

Download Submit
memory/232-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/460-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/708-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/952-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5180-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5180-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads