73979a2b6bbbee5ea1c383a7807e57f14dca650a038616685c3dccfea01b6151

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc644d185c356a3466c9cca257b2ac00N.exe
Size

59KB
MD5

fc644d185c356a3466c9cca257b2ac00
SHA1

3dc75c51ae02e47064adfbb123a2cbc7db39f310
SHA256

73979a2b6bbbee5ea1c383a7807e57f14dca650a038616685c3dccfea01b6151
SHA512

1fb5306011c1fe04e90c7cfaee4ac6406b99371f664465f84437bbfa3bb646a1f6090bd0c6655acdb1bf6fe3d6f12468b1ac59ef980d71f2c81f76ce72494fb1
SSDEEP

1536:Oz8Pf4O5XliDlCg2m8Eos4kIM/cAEosQU48gkIMw0YcAEosQU48gkIMw0YcAEosn:JXwDli5Eos4kIM/cAEosQU48gkIMw0YU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fc644d185c356a3466c9cca257b2ac00N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqpapacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqpapacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgkab32.exe

Executes dropped EXE 64 IoCs

pid	Process
464	Fbfkceca.exe
636	Ggccllai.exe
1740	Gjaphgpl.exe
1316	Gbhhieao.exe
3324	Gcjdam32.exe
4828	Gjcmngnj.exe
2928	Gqnejaff.exe
872	Gggmgk32.exe
3736	Gnaecedp.exe
1284	Gqpapacd.exe
4700	Gkefmjcj.exe
3648	Gndbie32.exe
1136	Gcqjal32.exe
1388	Gjkbnfha.exe
3020	Gbbkocid.exe
3504	Hgocgjgk.exe
3704	Hqghqpnl.exe
2056	Hkmlnimb.exe
4268	Haidfpki.exe
4560	Hkohchko.exe
3252	Iencmm32.exe
3288	Ilhkigcd.exe
2016	Iaedanal.exe
5076	Ieqpbm32.exe
616	Ilkhog32.exe
3104	Ibdplaho.exe
4904	Iagqgn32.exe
4872	Ilmedf32.exe
4820	Ibgmaqfl.exe
1600	Ihceigec.exe
5108	Jnnnfalp.exe
404	Jehfcl32.exe
1416	Jhfbog32.exe
3556	Jnpjlajn.exe
3684	Jejbhk32.exe
4388	Jhhodg32.exe
724	Jjgkab32.exe
4924	Jaqcnl32.exe
1932	Jhkljfok.exe
2376	Jlfhke32.exe
3348	Jbppgona.exe
2540	Jhmhpfmi.exe
3528	Jogqlpde.exe
4088	Jeaiij32.exe
3360	Jlkafdco.exe
4032	Jjnaaa32.exe
1708	Kahinkaf.exe
4344	Khabke32.exe
2756	Kkpnga32.exe
4224	Kajfdk32.exe
4216	Kdhbpf32.exe
1444	Klpjad32.exe
4460	Kbjbnnfg.exe
4368	Kdkoef32.exe
4360	Kkegbpca.exe
2768	Kblpcndd.exe
1776	Kejloi32.exe
4192	Khihld32.exe
4964	Kocphojh.exe
4212	Kbnlim32.exe
2596	Kemhei32.exe
5004	Klgqabib.exe
2672	Loemnnhe.exe
5024	Leoejh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gbbkocid.exe	Gjkbnfha.exe
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kemhei32.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Gndbie32.exe	Gkefmjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gjkbnfha.exe	Gcqjal32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lojfin32.exe
File created	C:\Windows\SysWOW64\Hkohchko.exe	Haidfpki.exe
File opened for modification	C:\Windows\SysWOW64\Jhfbog32.exe	Jehfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Gcqjal32.exe	Gndbie32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqpbm32.exe	Iaedanal.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Gqnejaff.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Pomfkgml.dll	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Dmehgibj.dll	Ilmedf32.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	fc644d185c356a3466c9cca257b2ac00N.exe
File opened for modification	C:\Windows\SysWOW64\Hqghqpnl.exe	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Ggccllai.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Hkmlnimb.exe	Hqghqpnl.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Paifdeda.dll	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Bhnbgoib.dll	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Leoejh32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Jnnnfalp.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Jaqcnl32.exe	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Kahinkaf.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kejloi32.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Jejbhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe
File opened for modification	C:\Windows\SysWOW64\Gqnejaff.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Gggmgk32.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Ofbmdj32.dll	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Hgocgjgk.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Iaedanal.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Gjcmngnj.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Ilmedf32.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Kahinkaf.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5296	5216	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkocid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhkigcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqpapacd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjkbnfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haidfpki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcqjal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmlnimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihceigec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll"	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagapc32.dll"	Gcqjal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfkgg32.dll"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfqflph.dll"	Gqpapacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnbgoib.dll"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmoak32.dll"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 464	1868	fc644d185c356a3466c9cca257b2ac00N.exe	90
PID 1868 wrote to memory of 464	1868	fc644d185c356a3466c9cca257b2ac00N.exe	90
PID 1868 wrote to memory of 464	1868	fc644d185c356a3466c9cca257b2ac00N.exe	90
PID 464 wrote to memory of 636	464	Fbfkceca.exe	91
PID 464 wrote to memory of 636	464	Fbfkceca.exe	91
PID 464 wrote to memory of 636	464	Fbfkceca.exe	91
PID 636 wrote to memory of 1740	636	Ggccllai.exe	92
PID 636 wrote to memory of 1740	636	Ggccllai.exe	92
PID 636 wrote to memory of 1740	636	Ggccllai.exe	92
PID 1740 wrote to memory of 1316	1740	Gjaphgpl.exe	93
PID 1740 wrote to memory of 1316	1740	Gjaphgpl.exe	93
PID 1740 wrote to memory of 1316	1740	Gjaphgpl.exe	93
PID 1316 wrote to memory of 3324	1316	Gbhhieao.exe	94
PID 1316 wrote to memory of 3324	1316	Gbhhieao.exe	94
PID 1316 wrote to memory of 3324	1316	Gbhhieao.exe	94
PID 3324 wrote to memory of 4828	3324	Gcjdam32.exe	95
PID 3324 wrote to memory of 4828	3324	Gcjdam32.exe	95
PID 3324 wrote to memory of 4828	3324	Gcjdam32.exe	95
PID 4828 wrote to memory of 2928	4828	Gjcmngnj.exe	96
PID 4828 wrote to memory of 2928	4828	Gjcmngnj.exe	96
PID 4828 wrote to memory of 2928	4828	Gjcmngnj.exe	96
PID 2928 wrote to memory of 872	2928	Gqnejaff.exe	97
PID 2928 wrote to memory of 872	2928	Gqnejaff.exe	97
PID 2928 wrote to memory of 872	2928	Gqnejaff.exe	97
PID 872 wrote to memory of 3736	872	Gggmgk32.exe	98
PID 872 wrote to memory of 3736	872	Gggmgk32.exe	98
PID 872 wrote to memory of 3736	872	Gggmgk32.exe	98
PID 3736 wrote to memory of 1284	3736	Gnaecedp.exe	100
PID 3736 wrote to memory of 1284	3736	Gnaecedp.exe	100
PID 3736 wrote to memory of 1284	3736	Gnaecedp.exe	100
PID 1284 wrote to memory of 4700	1284	Gqpapacd.exe	101
PID 1284 wrote to memory of 4700	1284	Gqpapacd.exe	101
PID 1284 wrote to memory of 4700	1284	Gqpapacd.exe	101
PID 4700 wrote to memory of 3648	4700	Gkefmjcj.exe	102
PID 4700 wrote to memory of 3648	4700	Gkefmjcj.exe	102
PID 4700 wrote to memory of 3648	4700	Gkefmjcj.exe	102
PID 3648 wrote to memory of 1136	3648	Gndbie32.exe	103
PID 3648 wrote to memory of 1136	3648	Gndbie32.exe	103
PID 3648 wrote to memory of 1136	3648	Gndbie32.exe	103
PID 1136 wrote to memory of 1388	1136	Gcqjal32.exe	104
PID 1136 wrote to memory of 1388	1136	Gcqjal32.exe	104
PID 1136 wrote to memory of 1388	1136	Gcqjal32.exe	104
PID 1388 wrote to memory of 3020	1388	Gjkbnfha.exe	105
PID 1388 wrote to memory of 3020	1388	Gjkbnfha.exe	105
PID 1388 wrote to memory of 3020	1388	Gjkbnfha.exe	105
PID 3020 wrote to memory of 3504	3020	Gbbkocid.exe	107
PID 3020 wrote to memory of 3504	3020	Gbbkocid.exe	107
PID 3020 wrote to memory of 3504	3020	Gbbkocid.exe	107
PID 3504 wrote to memory of 3704	3504	Hgocgjgk.exe	108
PID 3504 wrote to memory of 3704	3504	Hgocgjgk.exe	108
PID 3504 wrote to memory of 3704	3504	Hgocgjgk.exe	108
PID 3704 wrote to memory of 2056	3704	Hqghqpnl.exe	109
PID 3704 wrote to memory of 2056	3704	Hqghqpnl.exe	109
PID 3704 wrote to memory of 2056	3704	Hqghqpnl.exe	109
PID 2056 wrote to memory of 4268	2056	Hkmlnimb.exe	110
PID 2056 wrote to memory of 4268	2056	Hkmlnimb.exe	110
PID 2056 wrote to memory of 4268	2056	Hkmlnimb.exe	110
PID 4268 wrote to memory of 4560	4268	Haidfpki.exe	112
PID 4268 wrote to memory of 4560	4268	Haidfpki.exe	112
PID 4268 wrote to memory of 4560	4268	Haidfpki.exe	112
PID 4560 wrote to memory of 3252	4560	Hkohchko.exe	113
PID 4560 wrote to memory of 3252	4560	Hkohchko.exe	113
PID 4560 wrote to memory of 3252	4560	Hkohchko.exe	113
PID 3252 wrote to memory of 3288	3252	Iencmm32.exe	114

C:\Users\Admin\AppData\Local\Temp\fc644d185c356a3466c9cca257b2ac00N.exe
"C:\Users\Admin\AppData\Local\Temp\fc644d185c356a3466c9cca257b2ac00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\Fbfkceca.exe
  C:\Windows\system32\Fbfkceca.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Ggccllai.exe
    C:\Windows\system32\Ggccllai.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\Gjaphgpl.exe
      C:\Windows\system32\Gjaphgpl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4320
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1084
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 400
        75⤵
        Program crash
        
        PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5216 -ip 5216
1⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
59KB

MD5
dd62cd1da19585684ac6efafce38c591

SHA1
bdb59de419ca662c51793e8ef4b34514295dd4d0

SHA256
00b0b980b3cbcda6dadf080260b3d57a4178da5de5108be6ac02048da8d96690

SHA512
c70c42e1f9ad58d711966d664b10c1f691dfc32203ee01d7fb52fe3be9578fdc423c928979cd92d24ec1381fe02c2c648a30e81dd81d81689ebebd95896276bb

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
59KB

MD5
56f9bce6c71f07010d48384a59fccbc9

SHA1
8d8c2bbfc8fdce5c64365187e29b7c3888a087d1

SHA256
ae7ee264aac13c9d88e1bbfb2c2e139ce53206e4cd6b8dce0f3020c38ea566d1

SHA512
be1ee31ece3d18dcca6b87b595259e015d1e3e3211cdef3d5395a31605db020ce6ba63d400456090551af7c641182f8b159ceeff0171debee514572ce7e537f0

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
59KB

MD5
917392caf0058ba1eecf0501d621b549

SHA1
e21ba93e315ffb3d3e873b7a307222433bcf5cbe

SHA256
422c76592e98f5fbd5b8cf1fdd0dd5dabda5bfd717ce3df88f4263d14217f136

SHA512
78a2dde6e7fc558e8037772f8774dbee1d57c70d96944602baba8de91e625d2d979462b395cc14479de2ed91d815cc8b2bd176578a5d0cd49b43cd020265e534

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
59KB

MD5
100ce7da8a77197961b1f021c8b5f9ad

SHA1
7245a19018f0f24de8fdcfec559c86eaf724e5f2

SHA256
aab27836ad3460d964f6f471db93ef477a500b6456bada7a8aaa744d523b3cb1

SHA512
dcde3862eb3c3b075b603948bb6587f7b44648c1ae972832ffa4ab7aa9c75955b9469b8cbb47dd80a239c8dd31436bb49b7fb4736ecccda827c7c2c13891533d

Download Submit
C:\Windows\SysWOW64\Gcqjal32.exe

Filesize
59KB

MD5
f97f731fd33d98c6b3cb44b56c0780a7

SHA1
ba3c1854c3fc1de026fc6fd833a5fbb71274b571

SHA256
a32f9a1b453ce6907bc1cd76745af43c4fb972ae82103855dbc71d265e9663f7

SHA512
6d48b6897ff8da94cc462d6fdf3c92e2d87b94169849b988b40da8f7228801b8e4ab8fbcb47d13e00d75980fc5aee300d9e3e0d79414ba6b84ab4b08e4f1d893

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
59KB

MD5
8bc25ec2e2b4997b7a407dc981de1740

SHA1
2232c8e33bc1b68aa40326d14b87ef8e7ad988eb

SHA256
81ad0f618618f411d066a89c8ac634c7ac11da350fd0b582b95394e464122fac

SHA512
8f7158b19bf01416179a246a084011e6f01e523ccc9e8da2e9e2538d707270b1477d07d68e4d7ca0da81534d59c2d98ce0f920bbbdaf8fb46e4b196e946fb69c

Download Submit
C:\Windows\SysWOW64\Gggmgk32.exe

Filesize
59KB

MD5
f190b7bcc38d91e454af6966acd70120

SHA1
19546f3b23b472ae3096451258033a97b6f3ef2a

SHA256
1a13967fa97f15f1fb1f8be559e8e176f5ff7b7b6e48dd71abc4bc6c701daeaf

SHA512
31b041b4d2143b028903acd999fe9dc425c9ba952944edc6282e630af3161c04922b2824b292ed04db483b39913e1757e4854dec9c33608afad4ada3fabcfa8d

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
59KB

MD5
29000eac9dc2442ff47183d95a0c9311

SHA1
65a81dcd94fa2bfd9a008828b48a955d98f8a6e0

SHA256
d02b3e7d34ac35e1b8870208aedb0d90879c2ee214fc1bb365d7fd787726fb81

SHA512
a343ebe3de86408b05172bd2ed0cdd97d78d77f2dd035cf6c2aa07879ddee5fcf2779f6f7b5d44295e20aa49996ce8ed985924ff2b745f5bd9412fbb166a299b

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
59KB

MD5
80f7be63f02b0ad61d39452101d6ba66

SHA1
186e9cf6b7d25b443a924a98e96d1344243feaa6

SHA256
03038d004e54c3ee18d900b31bd5ae8b154dc44c1cbcdf57ffe68d30a5c3d567

SHA512
ee53742c0d0ca7201a623038323274e540e54e3410c35c48745138d197e3a85d1015495016b68e9d07636c02b7f31296611be8ecf4fb588b650f6b0c05019a1a

Download Submit
C:\Windows\SysWOW64\Gjkbnfha.exe

Filesize
59KB

MD5
2ea32b56d4c6255b7d91b8ef5f64c6a0

SHA1
7306e33545754ca5fede41cc414fb995cb115b93

SHA256
d4dd4755b62fcbcaf2644a33b7698287b41182160e2ada060a1e5bd9dc9852ff

SHA512
d543d4cd5cb8f8ee083eafb47450bf982e0667b63d412296342ab803b01cffb112d9f569e40e4d3bdc535300b19198226de55e149a932e29e827c38e666af09f

Download Submit
C:\Windows\SysWOW64\Gkefmjcj.exe

Filesize
59KB

MD5
32109a1e94ec5f1ae09dafb0849a0ffd

SHA1
bc635cf19e00dbe376e5898df26c57395dbcbfb6

SHA256
16c9dcd58c3ebf722e1c49d7ffbc430ecb9817254df965c389225c7eb2eec9be

SHA512
970f10786d469156fafdf9e7bd405dfcd9e92191597046890cfed21c8368018cf1fcdaad4fe4cccb224446d0e2539f0f123791850f1acc5e97a81b703048218b

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
59KB

MD5
53c540ffaa86ec5cfda7a29aade7f1e1

SHA1
417bf113217d4ed24ad0b4a184561ed19204f606

SHA256
81336a439246fb918c29bb35b1cb111749ae9622bef2007d37ee8e7b3f92cca4

SHA512
b3e73c9fa6560f381d863c41ab6b607d0590b0a5977d3dd290f785c3c6033ec6c458968f6fa4c276e8178bf53ae4dfe4d879057cafd0e8e571dca2488e68e751

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
59KB

MD5
dedc3911c7a177560c851dd226247f15

SHA1
0c359903d4630cc8d4cbe84f7971e3996eb72653

SHA256
c22967bb1ba6a4e627ee7aa51fa6c53fdf67b66b4a7a097bc95cb410844cce50

SHA512
03852a55cdc20a7f8558edf7e1fc513d350b7a050a1ffcb4bdda877dbfbc39cb73ffc9d5e2e07aa0275e1f81fed17ae18475c06cd4653907c8491febc73ecda3

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
59KB

MD5
e33d6b40579bfb2ff44206ed554ddb8e

SHA1
fb9990c4828418b5fe5bd8648cd481b2c9ecf5d9

SHA256
5e5c50e80dca32d4d1845c5b17e5ffd3d687b55a34277158db45614752ec570a

SHA512
ac5de82d66645b0bf7ffa25d734b0d02911bcef5c02a7e0e773278e34e8c9a09de034af78bc968d0e3e6284bf4757c9a3e8c87b041f1d4eb220fc02d80df8102

Download Submit
C:\Windows\SysWOW64\Gqpapacd.exe

Filesize
59KB

MD5
d93b222ef5306110715c7f86875d2585

SHA1
4a98286e7e0a94efd689330a64c9c1bbc4b22d51

SHA256
c9723bd2c79392888f1880b790132e3a5962ea762e559736daa01ea7ee859f5e

SHA512
b4308429bb091d7300d951396d587350817f16284026e9f409081be338921abaa9c1c0ca92a0ce1e6b6ae6cda5625e303b2be24c6b4ada47f4cecbd8735cd71f

Download Submit
C:\Windows\SysWOW64\Haidfpki.exe

Filesize
59KB

MD5
25eebb337d407af063ca9f8d9948b7b3

SHA1
bd76d3acc8240f572832eacee7cceeb09d9a1fa5

SHA256
2ce57d1bf3f376e705a5e689258575409421e7b8466178262779a05e5a44c9a2

SHA512
6537f53266cb005b42eba82dca9887241b16be5094472c5764e6930b81d768c567cd84eb558f00f89784d4bc1451b0451d7d0ba98e51a47651f4cbd85d264b98

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
59KB

MD5
e8b4a447fb1cbcdd7dda828bc9b3ef74

SHA1
d909795da1ed4790888ab28d8a98e72304c78e6e

SHA256
d9214345af3e83252083bb274c3b47668bc3c1f06eff7c86ea22c6bd1b481661

SHA512
dbb25a0219350652488033a2f47a923c19778ce489509551b48269fdd46ef0b1b1741c6cc905425148b0c297cf1ab6d3d2b4ce85f841e6a9882c5051bd08e3c6

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
59KB

MD5
778e1792ec137e21975d738d91d92b13

SHA1
aee6d0037bdb446b111dd0198c47575b07afad69

SHA256
f3b9311209ec69e68e9e0bec6cf085ffba58d14fb45811ea15ba3053349f19e0

SHA512
faed36da6e10d46fd156274fd7cb07f3ad9a7fbefa750267ae3d78b90325cfd12e88899008cb1e425e72fef65cde1b7223ff8e473b0a71b4c1fea93360d1ff35

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
59KB

MD5
afd77b1e67203cd1ff87d3a58049a953

SHA1
3f067f64051eb1a1b707ba2ac3e41beef112a068

SHA256
e3702b40d2270df76eb71fe89a5348714df4211c78f2d73d39fda37a8dd8020c

SHA512
1d24ee7a51ce651c85aea92e9554a833921e7ebc0ecce58209c362c73631e9ac19c7eddce084a00108c55c175aaeaef3783498794cb850799cc1fdda03679891

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
59KB

MD5
ed08d92e7f134f55435eb92ccf76f0af

SHA1
61898057ad6580e76f2b7dbeb571b59eaf5b5519

SHA256
b3f195aad7445c8b05d910b936fb8e1e9b824d3a45a618e8bd3953aa273f40c9

SHA512
1879dc62c91f4df315d797fea9bc94cae16552f6acacf7a314c3c909ecd8e6ef8bfa84dd3e8bd51c9bc9ba98115ec88d471f0f5b489c0e30b8c57a33b83380d8

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
59KB

MD5
a08ca2b6354b70cdf91b5cefd79c41dd

SHA1
2a0d0b1b89273c4f0d007554a1cafcdc39c44038

SHA256
c26592f33cfd8452dcebde5f7c5db394505f6d806d371410961ff0384d165e01

SHA512
cac8a7a721246cbf2dbed3ac23b46eea7cc41a5084fda91e30132f16b37b02a072d9a345c732a6ea43fdb1467f1c7e26ccf8afe4be1906954342f7a4b09dfeb0

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
59KB

MD5
4383640be440c527bfbec0455e5a04d3

SHA1
a008d8bd1968dde331c61020d4b5712049e0e92f

SHA256
37514558c3846d2d3e6fee13fd8d397cbddaa3986f903984cc2adcde907e3720

SHA512
6dfaf4578303c40735e292f909b3abf89ebf9d48c99bf8842171813bbe6fdc74924ccf513d7ddd674a3a91eecba211c0e19df845fdbac265c4c257412ac1150c

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
59KB

MD5
a3cb60976c0099724957d18f487ce3ad

SHA1
f913357fd759c04d69e1521db1480ad4dc0065d3

SHA256
8aa9ee9d549ae7b85ebddb1d8d1691633a23b3b3811de6db2ca6b15226614473

SHA512
ea0e965d58a143701b1a9917b0853316ddbd3c7628a38e0d56f40a212a6eb0a0261d0ff194ff50bfd22671ce6542f4ecd58609944226c5f377616ace84d71813

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
59KB

MD5
9434ef09d659725cc6928102a95f659a

SHA1
2a19d232fc622389f1e99f4c857b09014b0657b1

SHA256
d21d4e333b8c91311a88c3848c145812a48c58c76510a50d0d591a7ced853f40

SHA512
e55dde549afcf1751532c2c00c4c08d448993ec476fc16425875d719b888807f57196b288ec7f552d389d44231907e0863762f6e477f6f26d78c253c849185bc

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
59KB

MD5
40fa2b33e06354f1e217ea58bfc8cbab

SHA1
f075278b25a75ae16613b3c97be2a78795bf3497

SHA256
df9a95e71d04474eabecdab96d3e70fdabdf7118dab6113c42519ecad90c01ab

SHA512
fd0450ac2a0695b2f6df9bb2eb629afdfb9bdb15bde594c6002f9b272f7ba41655e06d163bd170ac1ac64a19658d3d749cb7427f292e72f803a3014935845af2

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
59KB

MD5
4386029a8e33a8beab505512f04d3093

SHA1
e4d96c76fa518e20e0b70297840794625b75d89e

SHA256
ae6e2766e2c8880ccd656cddf1eb102d76718b85bb664a29e0c9ff9a7d756918

SHA512
c15534fa93612e0a7d0325d647eb01f2053030457b8ce5cef4ab528d08012d680cd3a567da88471d1f7ad19700928a1f8912b865ccb4ddf7ff1c607351a6cf2b

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
59KB

MD5
7a5fa02f69bbf70f86ba1436c451ef37

SHA1
e3011ff218402e608dc5ce00c4549eeceff9a8a3

SHA256
58c63c08d5e9158533bfa2f4f2cd4c5e357f3be26d4dbac56b8d8e85801d5073

SHA512
892bae3e8de7717ba00e9625b3a28b5ddbce9fca68e6e87c6b969ab92b5e75726b596b1f57fb2d08f8ef865d7d0c927133b407349c74860997f12535deedbb54

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
59KB

MD5
ffcb7dae74373763067a1a7a6455e19c

SHA1
c981f008620851440b744debf8945288c9234a91

SHA256
38ff24101898d26ad23e790db5e13dde39f319e69398e52774ede6c3d6187522

SHA512
ad5f792cc28553c76db4b6a2ea00216aeb80e02b795dfab375bc2bdb41e5fcd72d5c2ea8bc15d177fd37e33795f48dc90403bf9421cb3cce9a5eb0e11c453268

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
59KB

MD5
9375d352fc91da569fe2d908465bdce3

SHA1
2f50c242a7044c2948ebba36d6a502981b73009b

SHA256
ec588f1f7a3ef98e8921bae5db112b44b6351889739dc7bd235a08c1de217ce5

SHA512
d7c4646745a0ffb38298ab83a8a0648b543b91cd0d135aadf5c2b3b0e445c3d3036145f5666cfedeae1083635ed19c94c5989f06d91c3f7170c4e7992314df2e

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
59KB

MD5
5a016adf389f5c0d4136d6eddfad01c0

SHA1
2a4541031c950ee40c2ac4e8ad4bc45e81f3589b

SHA256
4a2d59ba0f127b10d6708cc387b49ca431c0773ccf307a0593f0c6ffe15e08d5

SHA512
2d9208bd655290acd0249963e6f7033f6554bf1557927e5c3be0b3bde7431181daa160c361dd262aca34caf71659b07318550df9d5a67a2e6bfeba5404e191d3

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
59KB

MD5
864e1d5e7c3bad5f0e6337e4cdb43440

SHA1
ca27a143f0eecbf4a9cbda8ecc90afa399f95415

SHA256
75f9ce64f5220d6bd5812f99ec0a689fd906cb63eec88701b08e5b18d1add761

SHA512
92292c244fd372c84900160607eedc89215e07053fa7dabfb6679afc0c3e34614287d8c91675486fb54ab3464aafe51e85b0c15ff3c6ea35d6195dfb1864aa3e

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
59KB

MD5
33b0b0e028e432cea2dde377688d129a

SHA1
cf5b29d8a71871489ba7b3399192d914229df84f

SHA256
98f22cb69fb09d40640952551def89beea7a82cb7061b1d0a707cdf15b3e02f5

SHA512
75e539e142997ff3469651879f23d3a12ab770024eb8ff1d75b3aadce4d154dfeeeaf333a19f3c5f3d16b3edc89e108c8918f859ce3f292bd75d1e143b0275ca

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
59KB

MD5
d612c9fd5cf66aece6b5fabcf6d3e3de

SHA1
81c654b8bca8641b754a3a129a3ba89350fe9210

SHA256
74acc866cf8f39abee6cb2f30c284fbbd026e41e6d9c22911d7f2eea3d23a0e9

SHA512
1ed0ee1668f0ded999ac8f6890cf8d26eae5537e24aedc3b5ba8987dad5db5b651345f68b996e2f364b75ef93794c6e04723009d09d9738f6a4ebe5c3cb5a042

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
59KB

MD5
df013b8f2ea4f7570c5f6114fc6b08d5

SHA1
00a23f390ddabcbe123daf4c21177d1162b3cb26

SHA256
722088bda45a0691c0ded006b48c33fe9e9457f9ae6cc0addc77c97514502b53

SHA512
fb1eecf62c2f158c52adaa4af65befdc06bb7f83c443ff99abf3cfc6cb07ec79ae059f306be36438af7737dfac5100d3b8a59d0c0da4aa3099a60fe3cf1f4aaa

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
59KB

MD5
52dc33d1ed0a1f67d984da781a61b800

SHA1
3f7b7e4d1591a0ccf721811661e14a3ef13138de

SHA256
9c0cdb0b8fa1c7d99c426c6cbc933c034dd0097037778cf3d53ccaa10bf79020

SHA512
ac6f652d84352631b23a51d9099af26cd8d3bbb2cd2d0f3adbb1fb2bdf41bef470f34082e35b9e50e2ec07459d1a36783813ef719a0d76534bb82c9a9a7dc467

Download Submit
memory/404-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/464-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/616-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/724-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/872-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1084-458-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1284-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-265-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-521-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-404-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-516-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1868-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-470-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-507-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1932-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2016-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-302-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-428-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-512-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-510-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-440-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2756-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2756-524-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-398-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-517-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-464-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-506-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3020-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3252-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3324-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3348-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3504-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3528-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3648-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3684-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3704-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3736-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4032-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4088-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-515-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-410-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4212-513-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4212-422-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-522-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4224-523-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4224-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4264-504-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4264-482-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4320-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4320-508-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4360-518-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4360-392-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-519-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-386-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4388-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4460-380-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4460-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4700-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4872-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4904-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4924-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-416-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5004-511-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5004-434-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-509-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5048-505-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5048-476-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5076-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5136-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5136-488-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5176-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5176-494-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5216-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5216-500-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads