a7955087906b839e9bf7c33d902144c7989d772af7ac766a4fb9f5ef1a2d85fe

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f176990e862ffedd189be31515d66240N.exe
Size

128KB
MD5

f176990e862ffedd189be31515d66240
SHA1

ee34f7e0a74ff269a6ef99d9c487aa70a08465c5
SHA256

a7955087906b839e9bf7c33d902144c7989d772af7ac766a4fb9f5ef1a2d85fe
SHA512

573a260a996af15d9268a006b9605bef166d79078e7fef56abe818a83903dee9fb99eef405afaa5d743b34db1ec8c8f1ed94e60958381fd2e64d79ee619bef1b
SSDEEP

3072:5gWx+mA7//Rvi7pKmkGVPLeRUEdmjRrz3TIUV4BKi:5gwRu//Rvi7FkG1SmEdGTBI

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkhbbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icfmci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halaloif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihceigec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbdgec32.exe

Executes dropped EXE 64 IoCs

pid	Process
4992	Gdknpp32.exe
4072	Gcnnllcg.exe
2912	Gndbie32.exe
4376	Gkhbbi32.exe
344	Gbbkocid.exe
2288	Hkjohi32.exe
4436	Hbdgec32.exe
2636	Hgapmj32.exe
1348	Hjolie32.exe
552	Hbfdjc32.exe
3736	Heepfn32.exe
1248	Hchqbkkm.exe
2392	Halaloif.exe
812	Hkaeih32.exe
5056	Hbknebqi.exe
3176	Hcljmj32.exe
392	Hkcbnh32.exe
4080	Iapjgo32.exe
3320	Igjbci32.exe
1756	Indkpcdk.exe
4244	Icachjbb.exe
1480	Ijkled32.exe
3296	Ieqpbm32.exe
1588	Iccpniqp.exe
1712	Ijmhkchl.exe
4312	Ibdplaho.exe
624	Icfmci32.exe
1516	Ibgmaqfl.exe
4228	Ieeimlep.exe
2720	Ihceigec.exe
1512	Jbijgp32.exe
4680	Jehfcl32.exe
4208	Jlanpfkj.exe
2024	Jnpjlajn.exe
4664	Janghmia.exe
2860	Jdmcdhhe.exe
1508	Jldkeeig.exe
3416	Jnbgaa32.exe
4336	Jbncbpqd.exe
3136	Jelonkph.exe
220	Jeolckne.exe
3260	Jlidpe32.exe
752	Jogqlpde.exe
3264	Jeaiij32.exe
1444	Jhoeef32.exe
3956	Koimbpbc.exe
3300	Kahinkaf.exe
4936	Kdffjgpj.exe
2380	Kkpnga32.exe
2168	Kbgfhnhi.exe
4932	Kdhbpf32.exe
3972	Kkbkmqed.exe
4796	Kehojiej.exe
4356	Klbgfc32.exe
3776	Kblpcndd.exe
1164	Kejloi32.exe
3160	Kdmlkfjb.exe
1372	Kkgdhp32.exe
5008	Kaaldjil.exe
3832	Kdpiqehp.exe
2948	Lkiamp32.exe
4212	Lbqinm32.exe
1628	Leoejh32.exe
3068	Lhmafcnf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Hkaeih32.exe	Halaloif.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Kahinkaf.exe
File opened for modification	C:\Windows\SysWOW64\Ijmhkchl.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Llngbabj.exe
File created	C:\Windows\SysWOW64\Nijmbbnl.dll	Hbdgec32.exe
File created	C:\Windows\SysWOW64\Gcnnllcg.exe	Gdknpp32.exe
File created	C:\Windows\SysWOW64\Jakjcj32.dll	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ibdplaho.exe	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Jdmcdhhe.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Gdknpp32.exe	f176990e862ffedd189be31515d66240N.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Eloeba32.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Hchqbkkm.exe	Heepfn32.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Gbbkocid.exe	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Gndbie32.exe	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Ibdplaho.exe	Ijmhkchl.exe
File opened for modification	C:\Windows\SysWOW64\Hkaeih32.exe	Halaloif.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkocid.exe	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Igjbci32.exe	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Gndbie32.exe	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Kkgdhp32.exe	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Ljnakk32.dll	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Kahinkaf.exe
File created	C:\Windows\SysWOW64\Dmehgibj.dll	Icfmci32.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Heepfn32.exe	Hbfdjc32.exe
File created	C:\Windows\SysWOW64\Icachjbb.exe	Indkpcdk.exe
File opened for modification	C:\Windows\SysWOW64\Hbdgec32.exe	Hkjohi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcljmj32.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hjolie32.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kehojiej.exe
File opened for modification	C:\Windows\SysWOW64\Leoejh32.exe	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Gkhbbi32.exe	Gndbie32.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcnnllcg.exe	Gdknpp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Iccpniqp.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kehojiej.exe
File opened for modification	C:\Windows\SysWOW64\Halaloif.exe	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Cobnge32.dll	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Lndkebgi.dll	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Hgapmj32.exe	Hbdgec32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Ihceigec.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hkcbnh32.exe	Hcljmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5456	5368	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjolie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f176990e862ffedd189be31515d66240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkocid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmhkchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbdgec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heepfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgapmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcljmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhbbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcnnllcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkaeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdknpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Halaloif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcnnllcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkiqbe.dll"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll"	Janghmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmfbplf.dll"	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjhokg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 4992	1612	f176990e862ffedd189be31515d66240N.exe	90
PID 1612 wrote to memory of 4992	1612	f176990e862ffedd189be31515d66240N.exe	90
PID 1612 wrote to memory of 4992	1612	f176990e862ffedd189be31515d66240N.exe	90
PID 4992 wrote to memory of 4072	4992	Gdknpp32.exe	91
PID 4992 wrote to memory of 4072	4992	Gdknpp32.exe	91
PID 4992 wrote to memory of 4072	4992	Gdknpp32.exe	91
PID 4072 wrote to memory of 2912	4072	Gcnnllcg.exe	92
PID 4072 wrote to memory of 2912	4072	Gcnnllcg.exe	92
PID 4072 wrote to memory of 2912	4072	Gcnnllcg.exe	92
PID 2912 wrote to memory of 4376	2912	Gndbie32.exe	93
PID 2912 wrote to memory of 4376	2912	Gndbie32.exe	93
PID 2912 wrote to memory of 4376	2912	Gndbie32.exe	93
PID 4376 wrote to memory of 344	4376	Gkhbbi32.exe	94
PID 4376 wrote to memory of 344	4376	Gkhbbi32.exe	94
PID 4376 wrote to memory of 344	4376	Gkhbbi32.exe	94
PID 344 wrote to memory of 2288	344	Gbbkocid.exe	95
PID 344 wrote to memory of 2288	344	Gbbkocid.exe	95
PID 344 wrote to memory of 2288	344	Gbbkocid.exe	95
PID 2288 wrote to memory of 4436	2288	Hkjohi32.exe	96
PID 2288 wrote to memory of 4436	2288	Hkjohi32.exe	96
PID 2288 wrote to memory of 4436	2288	Hkjohi32.exe	96
PID 4436 wrote to memory of 2636	4436	Hbdgec32.exe	97
PID 4436 wrote to memory of 2636	4436	Hbdgec32.exe	97
PID 4436 wrote to memory of 2636	4436	Hbdgec32.exe	97
PID 2636 wrote to memory of 1348	2636	Hgapmj32.exe	98
PID 2636 wrote to memory of 1348	2636	Hgapmj32.exe	98
PID 2636 wrote to memory of 1348	2636	Hgapmj32.exe	98
PID 1348 wrote to memory of 552	1348	Hjolie32.exe	100
PID 1348 wrote to memory of 552	1348	Hjolie32.exe	100
PID 1348 wrote to memory of 552	1348	Hjolie32.exe	100
PID 552 wrote to memory of 3736	552	Hbfdjc32.exe	101
PID 552 wrote to memory of 3736	552	Hbfdjc32.exe	101
PID 552 wrote to memory of 3736	552	Hbfdjc32.exe	101
PID 3736 wrote to memory of 1248	3736	Heepfn32.exe	102
PID 3736 wrote to memory of 1248	3736	Heepfn32.exe	102
PID 3736 wrote to memory of 1248	3736	Heepfn32.exe	102
PID 1248 wrote to memory of 2392	1248	Hchqbkkm.exe	103
PID 1248 wrote to memory of 2392	1248	Hchqbkkm.exe	103
PID 1248 wrote to memory of 2392	1248	Hchqbkkm.exe	103
PID 2392 wrote to memory of 812	2392	Halaloif.exe	105
PID 2392 wrote to memory of 812	2392	Halaloif.exe	105
PID 2392 wrote to memory of 812	2392	Halaloif.exe	105
PID 812 wrote to memory of 5056	812	Hkaeih32.exe	106
PID 812 wrote to memory of 5056	812	Hkaeih32.exe	106
PID 812 wrote to memory of 5056	812	Hkaeih32.exe	106
PID 5056 wrote to memory of 3176	5056	Hbknebqi.exe	107
PID 5056 wrote to memory of 3176	5056	Hbknebqi.exe	107
PID 5056 wrote to memory of 3176	5056	Hbknebqi.exe	107
PID 3176 wrote to memory of 392	3176	Hcljmj32.exe	108
PID 3176 wrote to memory of 392	3176	Hcljmj32.exe	108
PID 3176 wrote to memory of 392	3176	Hcljmj32.exe	108
PID 392 wrote to memory of 4080	392	Hkcbnh32.exe	109
PID 392 wrote to memory of 4080	392	Hkcbnh32.exe	109
PID 392 wrote to memory of 4080	392	Hkcbnh32.exe	109
PID 4080 wrote to memory of 3320	4080	Iapjgo32.exe	110
PID 4080 wrote to memory of 3320	4080	Iapjgo32.exe	110
PID 4080 wrote to memory of 3320	4080	Iapjgo32.exe	110
PID 3320 wrote to memory of 1756	3320	Igjbci32.exe	112
PID 3320 wrote to memory of 1756	3320	Igjbci32.exe	112
PID 3320 wrote to memory of 1756	3320	Igjbci32.exe	112
PID 1756 wrote to memory of 4244	1756	Indkpcdk.exe	113
PID 1756 wrote to memory of 4244	1756	Indkpcdk.exe	113
PID 1756 wrote to memory of 4244	1756	Indkpcdk.exe	113
PID 4244 wrote to memory of 1480	4244	Icachjbb.exe	114

C:\Users\Admin\AppData\Local\Temp\f176990e862ffedd189be31515d66240N.exe
"C:\Users\Admin\AppData\Local\Temp\f176990e862ffedd189be31515d66240N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Gdknpp32.exe
  C:\Windows\system32\Gdknpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Gcnnllcg.exe
    C:\Windows\system32\Gcnnllcg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\SysWOW64\Gndbie32.exe
      C:\Windows\system32\Gndbie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 416
        74⤵
        Program crash
        
        PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5368 -ip 5368
1⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Edpabila.dll

Filesize
7KB

MD5
3e0ff950aa5acb741afa3f82faa3c3f0

SHA1
61bc1857b6adce61e15763f6dd8ab995c3cbed6a

SHA256
aaae54e62cff1d8f0156c36c51e8679e8adf1902653a9e2940bb55559e6dfced

SHA512
4859e03d551446bb6b55d276c0110c4e984bc9fe805a95702144adf8864c61686650a576705825b278529c991d35e972b9317c654d4c03bc8bc7697fc5a1ac70

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
128KB

MD5
bf22a744446051ea0f985ac6b1c60195

SHA1
faff5b51d8a64fba9914141e9a7674ae29c42d8a

SHA256
cb3230382f245135be217f44621e50a85428f72fd6aa84bcb03f9d400a61676a

SHA512
ae66453a8b4386cd05dbebfb6d1673abb6a45d5ad4b5d1fb2d22cb8558d67d80160e002daf924694328a6e6f80a0667dcabaa6d3c85a97760dd893c15517d913

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
128KB

MD5
a4ac5a817b705ffd4fe1017d9190c3d1

SHA1
9c25acb2817f7ae31764eb1f6b22b09d0a64bc7c

SHA256
382cccdfedd41f914977ca745b3476e5b447f5bde86424b857fa9ad1730ad904

SHA512
7687e752e2b3ce4038fdc3c53610afd00d0880edd1ca17e8cc049fb119948000341b10b63372035e66f0fa8ea5f8c8c164f504464201565116f31d001fa8bde6

Download Submit
C:\Windows\SysWOW64\Gdknpp32.exe

Filesize
128KB

MD5
a656cfc35fa91f6eaaeba44742b8d969

SHA1
1106dc6b6bdd38040b8372604e01507ef2037719

SHA256
ebba13084785c629afb1ca089287a0bb4375fc8c739e09ac566cce72cff72d36

SHA512
50893dba8b6c1ec8a8fb49b5285243ddb31563a68e4f97266c3411da08fbf0bf5e56c4620e0390399580d89170aa9657372f6eccee4eedd3eac15b2e0e505913

Download Submit
C:\Windows\SysWOW64\Gkhbbi32.exe

Filesize
128KB

MD5
d3874d8a78dc223c6afed18ae7f575ce

SHA1
ac6141dfdb6f87bdd4c580189588d403808c7a1e

SHA256
d6107cf8baa2d33b13dfaaa41c55e9bc8f41c3107d0d228954007485eafa4949

SHA512
27a6e0b404cdf4d0cc78fc5167743952b013b063de2143fead5afa45fc0d1fdafa6e73197e39fda0191942670c9ee2111c0264bd60e982facd7ac074fc522163

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
128KB

MD5
8b289771da3d2b3ecfa6424f44149383

SHA1
1901dab686b71813b54cda51c3ce41edc3eaa9e7

SHA256
76564daa9a949b90657c38273cb6a6c521425099edf148db7ca13bdf17d68085

SHA512
4ab264e0be3090aeffdd7665c6b4a4a098e98eccf4409891fdb7f7a11d0313b7de5b88d259bf85507ccc2a879beb440aa136cedf9aea660128a5959e9809578b

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
128KB

MD5
bf03301002a6a519d90dd6bdc504ce1b

SHA1
798fee12040764e0fb0a1ec5e1d326e9568a87e4

SHA256
f9ca3b761595826a5e272b5396775d26ed2dbd867f8c742b43e4c12475e27e02

SHA512
54be29c2aca0c9caf70a18792976f8cc8fe5fdf53ebfd4cbeeada460038f2cae31f98938fb3cf4b402778aaece9e664d9427c75ad12dc3b695a802ff11b4e046

Download Submit
C:\Windows\SysWOW64\Hbdgec32.exe

Filesize
128KB

MD5
2e9daffb26ea4f7a14615cccbbd982c9

SHA1
6a965aeb39e85482c9d9ebdc00918b8504f9a7ed

SHA256
fd496cd3fa1ffda5b048dcdef7ddfe834c8de1a5f5b7c46892ef2c50057ae2aa

SHA512
1d1aa494353c6f9ea9812691530748c6c8b1f330c94f52ee7521b54b403031866cb70f6657a13232bb4c09f1bb8ec6240d58c57093c35ffd3a592b1426fa8bc4

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
128KB

MD5
db08adf8c1afa0768a21e2e540c6b00c

SHA1
9863d30557691ab225532be5dc775c3b672ed7bf

SHA256
583c7b5e30bf0d7f9020440b043ca891ebc5fd6308b3193d862b5583e4779c8f

SHA512
1096689aefa0e93690b9c30aa23d487a09cfcc7e8d72f6a3401c57311230e051a0531356053b0361c8bfa0e3213c0335aece6585ce59b01907e902e1cc064131

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
128KB

MD5
3c0f7a106d95170da15f20da64f36807

SHA1
cbd8f206516e03399397e772d11c3e70c789291f

SHA256
ea9f7b423e472675187df018179aa1de2ee1495b027e1b736faf4b109c8c3ce3

SHA512
4d20ee9994d939fe2d73b940a5b7767e8fe73ab163e7a066c67aa264459413d166ce53bcb62bbb782211bec31e4b4c6e5ffef2449ae14b34c5d694e8e63d3020

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
128KB

MD5
ff2f16acb975af5a66a1fb846f6720a2

SHA1
d3246490b2bc684cef304db832ed14747eb81ffc

SHA256
9de989bdac5e9a2fa9d1576baf9ec2a891843ff0113c491ee3589ccbb1705f24

SHA512
007f5e0e14c1879ef0943d6b1e5897d7b83ab001be3ef1b5086258352e568122e47eb1dbfda7338b55fb5ff17be0b4421d55f55aad9307d498a6c02a842b8d75

Download Submit
C:\Windows\SysWOW64\Hcljmj32.exe

Filesize
128KB

MD5
7d658b4ea19d7ef163f0edaa2b847efa

SHA1
d9e85857456fb1ed7da701576554ff2d2d060d21

SHA256
3ad7b1591757bf974d003734c5c9eef4835e77f95e239317ab5ec2922afc211a

SHA512
bdb630130d2eebde3abf5fda5b991cfc740f54dffaeb19541a61087001a71ee7b57be4a21adfb5d2f2b2264521d4c0e8e7d8464e0ade87b11c826bd35b62e8d4

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
128KB

MD5
051ae9d32451cd2d3ccfb33aceb0e913

SHA1
556811e97ed8f9be678cad0e5a4ba454fe37770a

SHA256
a6e7203887fd1768b72e98f71d94a9bb5d625feee68f53b8df14a67d241625f1

SHA512
23559ab3cdf8032838c8d59157d6f37dd147c9d3cd08a67abeb3fcc5f35e97850830f54dc3db28422cd4e61b9913d1186d4b22decf2259daa52d70fbb16e77bf

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
128KB

MD5
59e56c7d1c4a458401acacd3a25cb237

SHA1
53e00011e4ba26a59bc479ec4ca97dcd3acc1a7f

SHA256
f138aaffb813cc69c62505b0eb0f891faadbe7e0bfbf1f23c886a4b289c4dbce

SHA512
8bd9c495f7fa6cd37937e58711c82e074a07035a4d88883d2e8f28e5c3fba84280b5fb74dd0f5d50e492881000e998d281db17d6b56369469b883568fc82a942

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
128KB

MD5
0c2e9290c9b2edbd6ae8e3d5bffd5ee0

SHA1
e648690c80052ad3f602ef184288f36a66553575

SHA256
d1de988ac17755d718dc8e0fdf5a057383b8068504f09682046f0be87bd4f042

SHA512
5fabf7bbc5fe181ca7b55c3548b240511723164422b0827722fbc46e112bdc568273d57f47aee0decaa250a4c2878bced3adbce41ee7e99d792c782063d7b3e5

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
128KB

MD5
9ebae923752557abead0403d04ba546f

SHA1
d1d582e6c966479418ea4aecc818f65d4394883d

SHA256
02e5b35bb84f39097e218c5f903aba46b0397dc13f033e82c4d939600f968b0e

SHA512
970e052b20ee718eec6e0519089816d06ebdf5e6519aa14af6875ee0a394d4459418a804e64b926a5656d7100ce77f88139ed02671c6b344cc2492b02ece4509

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
128KB

MD5
df05ef6c7915ea5b3df5934bd1655de3

SHA1
5b647613f14cc73a0ca05a6552e489d2e664b054

SHA256
a209a47d8b72815c2d96a77a0e02ba53f4806135a7a225134a21b60418a9e94f

SHA512
894e3f58910d052466c0e04bd64ede7ad89ef1cdf883372712609c00b0eb78b795dc418b11de23cc1eb34606f162102e577a9e517cf9c353174926ed01d212aa

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
64KB

MD5
78a9aaafd227a1867345f29cc3123b08

SHA1
96d27b8bcecb60a662aa28866d0edf96279b68ef

SHA256
4c0252d32fb637a09d5d97f2a8e505231c380d5cee752139f03148dab91a058e

SHA512
dd5854ac0b083f7546103d645f43f84516f812721a99dc176eba0bb85896e7a19347e5c92789e40c2ebf18409cc0997f7aa03b8bd68512ed8eaf163c5366c467

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
128KB

MD5
217a9fa3603abe80de9b11062eb76dc5

SHA1
88ca5c15f289cb54842a58e8ab71bc90f50f3bc5

SHA256
2435cfb7970c4073e278803124a775858a3cdc6534186612e6bd28e9a836b8eb

SHA512
f33f060c1444a3c870a0ecab19079ae54464b6aafae707c26f455dedc7dbe47029efdbe8fad662b91706bb059c8f698bfb2782024011bd7f43f78efde1f21a3c

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
128KB

MD5
be1ec7819c48f416b5dbc87a99723a40

SHA1
1d274504cb3744d993734d408dbee1851454cbef

SHA256
cd09dd00db9b91d75ef03e2dfd0948062495f51f9ce5812e21b252a01f326b4b

SHA512
020a74b4d55868177953b62c697889adb783d0b516b2a711993fe7e9e12e3f7004f5a55873b9031b0a02f0679d516d16501f309ec86375ab0a2bd8bc957df957

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
128KB

MD5
1bb165a9a3fbc30524d8c23d50ad1601

SHA1
8274ed3b00ac8cb0b45aa0a9811a6b46a8afb30e

SHA256
9e244b892a33ff1269578ed33c32cd331166e10b219dd6c7ccbf8db8fcc56b06

SHA512
d89f43d5a3e6fddca34ac9a7104a43b6291e300ba2e6fc548bec1de7380d0c3c3a96e2a2e3aae0ae456232735e8afecbf35ec98344877e85bdb9c0a1a38788e2

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
128KB

MD5
3ba61387866a9eaa884904a2983aa715

SHA1
6b6ee26bbd9056ba1832d9d139ed0bbbe78afb9b

SHA256
17c84d794f2e5a1e3b9f89acc094780dd565c544f3cb41f59b4909701c2b77c3

SHA512
33b19a2e87b5f6b31e1b25245086a385cd08a10be9ea7af12f7fd4b3ec7e460c38749f3ad1bc73221bba4d18c31098ee82b6186c0df99c81075ac2eb89afb0b3

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
128KB

MD5
6ad85b0a4143c0d73a37a738397c3039

SHA1
3f69d6f05977ba217cc6988723ee6ad4eea534fe

SHA256
d1be54578dcfb4a03948e97b7d09e310b8edc58f0e1b164fc260e43bd3094d37

SHA512
a2b37a18a4b9c7b135b09cda54249c980d23fbef1715143dbd251d8f0636863ed9c1be4ef4dc02936c2288aea9c9b94427fd15a949a563f53fd89cdb85342c95

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
128KB

MD5
6e604339133313a62cd157288e5adb9c

SHA1
c5d564ab5f243ab416954271cfdff0c4ab7fef47

SHA256
6fcebe84996c4c1e661b6f64f68913b8294f1898e72e305762125480ae37dcd1

SHA512
d1346715d6afe9b8f47677102972e82d881cbb74a1d4c042f43ace730b3769264c8fb6c3c2a8371f76dcb7f7f6fdd0521b2d6e585470292798c538c16a121ec1

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
128KB

MD5
e3305c9ac818b0fe8df7ed159128279f

SHA1
96d95e47dc16bba7aa2993ee2875d0d9730ce3be

SHA256
8ec3592c94445e1abe0c4d9a774ad9ec414a22e6e76c0c2773660cdb3a5e4cfb

SHA512
ee692b9c41c17eb024bafffb0dbd366c42633ac4e69e926cf8adaf86272c3466cb52396adee3f8297e850047dfd5bcc0b4e56d61318603b2dcd328410408b4ee

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
128KB

MD5
e299fe46eb36b7d8ab3b48b59795f0b2

SHA1
619d5b6dd6229b31651e44cf019b964dc052faa1

SHA256
fee06e829e9fdb0b52ed7f82f1b1b64a9c1c92262b062d189b85f17d43f335d7

SHA512
bd005f46c3ab2e10d6b9d258936a849f4084c3295ab5f11e5efc1cb855be14fd0db512878358191d2227098d679ab245045ce493c9b56e017f5aecdb99094a42

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
128KB

MD5
98070e80336445a235e9343cef0a9d6e

SHA1
13bc3e2d9347cfad9e445c60fbf7ba79a0e1895b

SHA256
439f52ba8ab4729f80dedb583a45fd7ce906b78487c8b4603b71f8fa7947f0a1

SHA512
3c263a00821d280c6f4b569b6d543966eaeff0a7262b6e23c901cafad85049e01404ac7ef43f074786f2e4cb287c3c3d6a6f00dcba4dad6b28ea8f43728eed77

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
128KB

MD5
79c067ae1c1c2417f62db55cc5e89231

SHA1
f638df2fed718fa867cd0e6dccb3635983c7985e

SHA256
7fe7d3fed4b758ea6824d70c95d113aa048e0f245148f1e7168d8d986814fad9

SHA512
ce92ddcbf5e45d0bdfdee21c4b9606ef7fda517593f5a143fe191c5333f5f6dc299ef81177cdc5db6ab679b1da6c5224be56055e4c97fe9f8e32a7cda519155e

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
128KB

MD5
ecdb52201c2b5fdca4dfa511460aaa1b

SHA1
3e504b3dfa4f2f63c02628c79003423af4cc5687

SHA256
659f70f16c328281d5931b949e73773f28896101db302f6a3b2d4a03440c010a

SHA512
064281650cd3eb641a51a67ec54aa331e8db16863a6ad08783d61395b0c56de81affb4afe592114167cc060f8e8f62ad72d8f19b51eb86f2d64627e2484d0c83

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
128KB

MD5
743dd2b607d78a63f1373d34da27ad1c

SHA1
61d604e767ec46dcf358ee9f8392038adf193e0a

SHA256
c595f6ea17966b932f87e7e171c6387c05aa0c60adc83f76c6c99fb22e13f8e0

SHA512
2df2bc1645810c22217e038d1c8c02f7ea9ceeedc3b25b1dee579dd17b994b5f8cb5c0118b988a2c07cb118208e401e9ec1b0f294e23e4d58367b7a1b185927f

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
128KB

MD5
3a477225cb3cc286c4f2243b128a84ec

SHA1
1eeb23616ec39d00562c35faf30f6494a45d5ec3

SHA256
89764364239b7f11d290a0a25403ca330db737aac75b6e683f6225c30714c3d0

SHA512
a373f3f570bbb846e2ea05872171918c99377ba4e5560aea31350c74d3e735217d806b9b07156357a79c218ce39c249a0f1fbdd5d77a6d095164cbb571d5e114

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
128KB

MD5
cb784e0f9eb9823a80c4f7657be3de95

SHA1
c31f6db0dfe671acb086ef3a32d1aba69faaf39c

SHA256
9ea2dfffbc3ef1bd4516fe012b9152c43ce59179bc5175c8894ab000049c591c

SHA512
0ecc9ef1f74942af7fbdcc87aa7db566a4184b23bef7fa149309d6e79f189df6d95b781f06dd98b07b5195a6f5b4d03ba43cc071b3425e9b6b405fb15ebd53ff

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
128KB

MD5
9ed4f77791de975c06d47f5a308bfd17

SHA1
22e678afd72979feb81165763e61d1f83f9acf3d

SHA256
8dcfe819cd20dec50d216d193d3434e10f73f7c7a50d9ca99bfba30b9503fe04

SHA512
20dcb18f5b6696e51f1e7b2cb4d781c973bc58e688701cd0be60b00e57034dbaf0a7939259794f8efb6879287e5c27a00c49608b8dc73b668c8bc7747e557139

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
128KB

MD5
09b634805c15981a961753718c9dfe17

SHA1
e4f8d612d2896b46f0be70b16ff640b20c66b3a1

SHA256
d23a4afcdebbefd2b96c196c477c1597d9e2e449f5b82f296b04a153c6c77e42

SHA512
c657d40ec43b6e5a9f6a6738ebd16ac050bf3ae83307c9134eb9f8b806aeaee006094504caa82755067e08bd936541c989847fd8f1091f8b38ff69b1081fb885

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
128KB

MD5
e956f28a95baf12c62fae960f9ada74f

SHA1
f75ce0387730d0e3d3de7f67ecada542ada324a5

SHA256
ee66faed9c15d9b653b10aebe01f8263f72e273f2bde850f335beb6a32db260d

SHA512
f8f7ae950e225121fe575777077e40de4ec0a9b717b4cbc7af702472e30792f85f327c1a0ebbafdb3eb8276760e4fbf2f661ab4793f1aa3ccf22e533e9f55fe6

Download Submit
memory/220-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads