f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe
Size

78KB
MD5

cbc49d12aa13e65c658f3a0078cb16e0
SHA1

cf4880963d7e68ff3084783a23ca511841fc5884
SHA256

f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86
SHA512

6d085d53f41ef7d77cdf9390f9e27b088e010629d41a5c538b5b280ab28da33efc1c1c347126a79746756723d9f791bd3618df72b68dfb6846de734bbae9892b
SSDEEP

1536:fwxl0p7WPd6MxQV3lcd2zMftiVUN+zL20gJi1ie:Ix0ClzCV3C8ctiVUgzL20WKt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidfpki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3940	Hgapmj32.exe
3372	Haidfpki.exe
3528	Hkohchko.exe
3676	Hbiapb32.exe
4972	Hgeihiac.exe
4220	Hjdedepg.exe
4860	Hejjanpm.exe
856	Hkcbnh32.exe
2312	Ibnjkbog.exe
4400	Ilfodgeg.exe
3332	Ijiopd32.exe
2676	Iencmm32.exe
3020	Igmoih32.exe
4896	Ijkled32.exe
2628	Infhebbh.exe
2232	Iecmhlhb.exe
3208	Inkaqb32.exe
456	Idhiii32.exe
2776	Jnnnfalp.exe
4600	Jdjfohjg.exe
4424	Jblflp32.exe
5004	Jhhodg32.exe
3608	Jnbgaa32.exe
1876	Jaqcnl32.exe
1148	Jelonkph.exe
2076	Jhkljfok.exe
4444	Jjihfbno.exe
1828	Jnedgq32.exe
4724	Jbppgona.exe
3616	Jeolckne.exe
4880	Jdalog32.exe
1204	Jhmhpfmi.exe
1100	Jjkdlall.exe
3868	Jogqlpde.exe
2152	Jaemilci.exe
1436	Jeaiij32.exe
3816	Jhoeef32.exe
3064	Jlkafdco.exe
5036	Jjnaaa32.exe
3760	Kbeibo32.exe
704	Kahinkaf.exe
2852	Kdffjgpj.exe
428	Khabke32.exe
2652	Klmnkdal.exe
1788	Koljgppp.exe
4084	Kbgfhnhi.exe
1500	Kajfdk32.exe
4336	Kdhbpf32.exe
676	Khdoqefq.exe
2276	Kkbkmqed.exe
2912	Kongmo32.exe
2696	Kalcik32.exe
2380	Kdkoef32.exe
3344	Khfkfedn.exe
1672	Kkegbpca.exe
4932	Kblpcndd.exe
2288	Kaopoj32.exe
4080	Kdmlkfjb.exe
3484	Khihld32.exe
4204	Klddlckd.exe
3476	Kocphojh.exe
2964	Kbnlim32.exe
860	Kdpiqehp.exe
4232	Khkdad32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jelonkph.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Jkfood32.dll	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Hkohchko.exe	Haidfpki.exe
File created	C:\Windows\SysWOW64\Balfdi32.dll	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Ijiopd32.exe
File opened for modification	C:\Windows\SysWOW64\Jnnnfalp.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Lknjhokg.exe
File opened for modification	C:\Windows\SysWOW64\Hkcbnh32.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Kkegbpca.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Khkdad32.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Hkohchko.exe	Haidfpki.exe
File opened for modification	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Hjdedepg.exe	Hgeihiac.exe
File created	C:\Windows\SysWOW64\Ghikqj32.dll	Iencmm32.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Ljnakk32.dll	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Lqcnhf32.dll	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jbppgona.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Kkbkmqed.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Kongmo32.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Qhomgchl.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Iojnef32.dll	Igmoih32.exe
File created	C:\Windows\SysWOW64\Khabke32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkled32.exe	Igmoih32.exe
File created	C:\Windows\SysWOW64\Qfqbll32.dll	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Pnfceopp.dll	Hgapmj32.exe
File created	C:\Windows\SysWOW64\Jjkdkibk.dll	Haidfpki.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jblflp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5148	2264	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfodgeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeihiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll"	Hgeihiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcnhf32.dll"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfood32.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leoejh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqpalio.dll"	Hjdedepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfamlaff.dll"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmoak32.dll"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojnef32.dll"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kdmlkfjb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3940	2884	f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe	89
PID 2884 wrote to memory of 3940	2884	f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe	89
PID 2884 wrote to memory of 3940	2884	f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe	89
PID 3940 wrote to memory of 3372	3940	Hgapmj32.exe	90
PID 3940 wrote to memory of 3372	3940	Hgapmj32.exe	90
PID 3940 wrote to memory of 3372	3940	Hgapmj32.exe	90
PID 3372 wrote to memory of 3528	3372	Haidfpki.exe	91
PID 3372 wrote to memory of 3528	3372	Haidfpki.exe	91
PID 3372 wrote to memory of 3528	3372	Haidfpki.exe	91
PID 3528 wrote to memory of 3676	3528	Hkohchko.exe	92
PID 3528 wrote to memory of 3676	3528	Hkohchko.exe	92
PID 3528 wrote to memory of 3676	3528	Hkohchko.exe	92
PID 3676 wrote to memory of 4972	3676	Hbiapb32.exe	93
PID 3676 wrote to memory of 4972	3676	Hbiapb32.exe	93
PID 3676 wrote to memory of 4972	3676	Hbiapb32.exe	93
PID 4972 wrote to memory of 4220	4972	Hgeihiac.exe	94
PID 4972 wrote to memory of 4220	4972	Hgeihiac.exe	94
PID 4972 wrote to memory of 4220	4972	Hgeihiac.exe	94
PID 4220 wrote to memory of 4860	4220	Hjdedepg.exe	95
PID 4220 wrote to memory of 4860	4220	Hjdedepg.exe	95
PID 4220 wrote to memory of 4860	4220	Hjdedepg.exe	95
PID 4860 wrote to memory of 856	4860	Hejjanpm.exe	96
PID 4860 wrote to memory of 856	4860	Hejjanpm.exe	96
PID 4860 wrote to memory of 856	4860	Hejjanpm.exe	96
PID 856 wrote to memory of 2312	856	Hkcbnh32.exe	97
PID 856 wrote to memory of 2312	856	Hkcbnh32.exe	97
PID 856 wrote to memory of 2312	856	Hkcbnh32.exe	97
PID 2312 wrote to memory of 4400	2312	Ibnjkbog.exe	98
PID 2312 wrote to memory of 4400	2312	Ibnjkbog.exe	98
PID 2312 wrote to memory of 4400	2312	Ibnjkbog.exe	98
PID 4400 wrote to memory of 3332	4400	Ilfodgeg.exe	99
PID 4400 wrote to memory of 3332	4400	Ilfodgeg.exe	99
PID 4400 wrote to memory of 3332	4400	Ilfodgeg.exe	99
PID 3332 wrote to memory of 2676	3332	Ijiopd32.exe	100
PID 3332 wrote to memory of 2676	3332	Ijiopd32.exe	100
PID 3332 wrote to memory of 2676	3332	Ijiopd32.exe	100
PID 2676 wrote to memory of 3020	2676	Iencmm32.exe	101
PID 2676 wrote to memory of 3020	2676	Iencmm32.exe	101
PID 2676 wrote to memory of 3020	2676	Iencmm32.exe	101
PID 3020 wrote to memory of 4896	3020	Igmoih32.exe	102
PID 3020 wrote to memory of 4896	3020	Igmoih32.exe	102
PID 3020 wrote to memory of 4896	3020	Igmoih32.exe	102
PID 4896 wrote to memory of 2628	4896	Ijkled32.exe	103
PID 4896 wrote to memory of 2628	4896	Ijkled32.exe	103
PID 4896 wrote to memory of 2628	4896	Ijkled32.exe	103
PID 2628 wrote to memory of 2232	2628	Infhebbh.exe	104
PID 2628 wrote to memory of 2232	2628	Infhebbh.exe	104
PID 2628 wrote to memory of 2232	2628	Infhebbh.exe	104
PID 2232 wrote to memory of 3208	2232	Iecmhlhb.exe	105
PID 2232 wrote to memory of 3208	2232	Iecmhlhb.exe	105
PID 2232 wrote to memory of 3208	2232	Iecmhlhb.exe	105
PID 3208 wrote to memory of 456	3208	Inkaqb32.exe	106
PID 3208 wrote to memory of 456	3208	Inkaqb32.exe	106
PID 3208 wrote to memory of 456	3208	Inkaqb32.exe	106
PID 456 wrote to memory of 2776	456	Idhiii32.exe	107
PID 456 wrote to memory of 2776	456	Idhiii32.exe	107
PID 456 wrote to memory of 2776	456	Idhiii32.exe	107
PID 2776 wrote to memory of 4600	2776	Jnnnfalp.exe	108
PID 2776 wrote to memory of 4600	2776	Jnnnfalp.exe	108
PID 2776 wrote to memory of 4600	2776	Jnnnfalp.exe	108
PID 4600 wrote to memory of 4424	4600	Jdjfohjg.exe	109
PID 4600 wrote to memory of 4424	4600	Jdjfohjg.exe	109
PID 4600 wrote to memory of 4424	4600	Jdjfohjg.exe	109
PID 4424 wrote to memory of 5004	4424	Jblflp32.exe	110

C:\Users\Admin\AppData\Local\Temp\f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe
"C:\Users\Admin\AppData\Local\Temp\f0d36389227684bb0f5a200b82d6e4aff0233cebe6eed3b2dbf1af0afd07ca86N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Hgapmj32.exe
  C:\Windows\system32\Hgapmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\Haidfpki.exe
    C:\Windows\system32\Haidfpki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\Hkohchko.exe
      C:\Windows\system32\Hkohchko.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        64⤵
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        68⤵
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        84⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 416
        85⤵
        Program crash
        
        PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
1⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4424,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidfpki.exe

Filesize
78KB

MD5
e35c4edf7a9fd32701e4639ab65d3093

SHA1
cc67d14da50d4061d1792002c0b2cba6f0a1f338

SHA256
aa58f56c06d9537b401311c3d5dff70f8e781265bf1b05d648595d8b6dd030fd

SHA512
c14f704a92c6f6ad4b5c82d07cab53aa53c7e6fb7cec19edb33b0e0a6a0ea8d5a42b655cc4b80ec05a4f47e7ae8b33ba187ddeb452095d5cf8c1f61b8e934f55

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
78KB

MD5
f4c03a2a99bae3724e86fc4142be39ed

SHA1
6e8a851a73a2ceccc2398cb8df2b4b66c79e9739

SHA256
37bfcfa02cdd756a17d946fc7a47c4175ed0170496e79d1cc6d01c5ddb675121

SHA512
9b3df0cbe29363fea465766ff09d391eb988871c198167b93ec8cbde195bd8fe52905761d9fb3555e49e7c350972184e5ae7f4dc17a8734bf645d4b084805d60

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
78KB

MD5
f221d556325afc358672f252396bc97e

SHA1
ee61de4d8dee3b5a98f62e8241edb3431fae1a63

SHA256
d1536c3ba6e21b0d0954e50b978ba3349ba3b07cc963745c66a2986e46ff9869

SHA512
249ff4f3a493186bc89415ec5e99de443c3c0738e725f61387d7df7bbfaf132125620b401a5fdf61e775ce531e992b809ec1903ab020003fa5abf01444b57e84

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
78KB

MD5
cc08ef5ba98c26b715d3247553c52c52

SHA1
aaae553956eab051c414f0861b521211603c3c53

SHA256
ede2763a3524e4a136f8954a2b41740a43871471de5ff5668c94758b08088c8e

SHA512
922c5e5c91a875d415e8a3bc16ab7d472ba4b3ac28a2ec6a101fca1d1bfb872481a8370ca2303b5ca5be8335e4afb2a9132983333c34dbe72565588fbc56b35a

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
78KB

MD5
5b27eaff86ef6874cbb73e5f504cde04

SHA1
435b10c820d5d9773f0a1a3b18c2c41168e984b9

SHA256
49f2512798b3169ee496e71be63ea9d309f2d1ba262610a119fe087ce541c35b

SHA512
a61f9ffe6ff90e97e2ace4d2d286850d42a695fd669e83c6304e0de84d02ed9a41fa3bf20a7782d973610a1a384b98a9adb59fc213f900688bea6f59c58154b8

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
78KB

MD5
3906a8baa7d0bbbac9be2eda8e9a7349

SHA1
fbcf6ec45940b28843a0c0e5c5c8a8cfe2ae190f

SHA256
f7ac335a7ad5b27481a65b74d269a9ddc90a9634bb0f46b413491ce7089c31e4

SHA512
ff471ba7badc7f03220da6fe0ad46797c77a180318042b2c48411fe57cd317fdffb75bcbeeca0895d58672ba8318c492712e12a56f2c3d0a83bc904a12f7c1e8

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
78KB

MD5
6eb322710ffcf3a5fc8b9b18cb74a2ff

SHA1
fae31290507862723bca06c99aa57ee3263b5865

SHA256
f393db285bd237ddb3835853a8631800e075085ec6497dddb1416a78c8292f09

SHA512
5df3637d2d56e24984b9586b7bca0b2977511613e29005dbbbc372c04aeeda7af796b2ae12fa33212c8ebde9e74f26a7f46108582a795f95fc422deb7128cce3

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
78KB

MD5
c86c2ccf55718e30d815be2985f77e1e

SHA1
0da8911f158cb8d606c5e43142e78247f08f1b8f

SHA256
261dc31ec41c266344fd3d28dbae98c0c9f8e7cbb67722478b99d9934e630353

SHA512
c65442c862b0710f094afc921909bb3bf5444719d846ec187b9314e0cabcd04daac7a319bd88c2fd84b865001769f46bcab5c8462c1bd11aaab884c233787458

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
78KB

MD5
e46f559851e14e107bae4fb21dcea89c

SHA1
7b7f21e9d2b24b558d87256fb338304af83d2067

SHA256
ca83f101677ce4eee6e78716d9a28bfb5d8f4c6636670717ebacf1d669ae8ee2

SHA512
a0174853a8b8719eb840eecb607ed6c79ee6c62fa9ce288a5e4a1bbfc5ff1ea7d7e3a6d3d4623551ed354633bef05d534d2bf2f37b3d6692c4c0223f647eea7d

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
78KB

MD5
dc382c8e9c5db2d6ad31caea5d2f237b

SHA1
c2498293552b62af314a3a691c6831953e224552

SHA256
b3f05e1d982fb32f756218c9767c0b9237cf58793753aff587953b5f79fe744e

SHA512
0ba862e9489826e7ac0d0ae9f1b49c6d60f3a54aa3cd4693c535a1560a9e821f340c0cd293058ddaaf12c4bd8befce280ed2b8b99ab0201fa193473537832c88

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
78KB

MD5
80c792f3d5ddb8746d980f52029a4f08

SHA1
465e85d15f5e01355067ad5a674088b5518126f1

SHA256
a4ed04abedb5980a438fd79a1eb9530267cc48a02c86234d2912aa3cb3fd981f

SHA512
e66f7f582f8fc66c6292d11eab6a0f83649f203b1a2b6d6c51b07873acefd610537658a3fe781ce5f7a7c209252d21e79378c1a266787bd1a93f3a37c1dc80d4

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
78KB

MD5
944482b02582ba120dc061676b50012f

SHA1
4732a2b2f453d392657f05c6d05e454a75f59fff

SHA256
e595843176045933dc3355efd9f17e14b376a949d3c078314e25fb54e0abf8ba

SHA512
ed354a572c47aced3760d80fd9dcbbce5049a5a7482ac9423c996e5574f33a45539fb208d36e16f3a046d74e98aca9cc213faf242838edf622952df89cd1fd39

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
78KB

MD5
3457b00665f5f0bac13bdc29ee38541c

SHA1
abda54de6d42a1c5fdebe07b84d5cdc068c32b86

SHA256
a0bc29fbb1d1079c5f97d143d6c5308603ab394744168cd531bd9d4494d8d411

SHA512
4c9360c58be0075fd3c42431cfaa767f2849b936b7bbab6f2131d4fb37c7be159b907603559af1d26180fee84431388593495aa135ae18ffe94221865623bc22

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
78KB

MD5
2832500036cee4a96f9c78435fdfa82e

SHA1
b62d275a286329b3c7c9ff3cd2b5f6489910617f

SHA256
55b984c6a4ea53fe638901d96eaf00605c43125d5ffa584eba3d5e29d2d251e5

SHA512
3302d2e35d1089f47158bb925a94738c94e6cbdec806eac2c7acce1ab994f65f201ef44af262b60535b4934a135dcc82851b23dfcd7041683ac3bbb26e8d2b0e

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
78KB

MD5
e57ce1bb43c67d02787dc19fadf40fd3

SHA1
9e43fe803b2b51ea41d29b54291a4c44858f6394

SHA256
c9eff2676ace8502e0f1e7248ddfa1a1a0c864bb4538d0cd8d83ce0e7055e2e8

SHA512
8ed55c018ae5b41182a3324803d631b514cd5087a4e2a0c934bcb6b4759f3be19f41a6abf46b9eafba592057931208875cf1b8f435e482dd77748459cb7c8974

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
78KB

MD5
2aee3f12a530d43a6016c4810f7aa4e0

SHA1
fe27cf37b2a31554ce619a8b0d9b4601de357cf4

SHA256
54ee68d17cfabffdb54887f3c853abec320163b2a06ac80502448187e9086f19

SHA512
3d89cd271db4467de5235bbb516230093888c5c70f6eb17fb2ccb9ed888d37d7bab3bace1ad379c0aeb5761d13e3e5b7bfbb0263d9a034a9a747a4897e6af17a

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
78KB

MD5
2bcecc3cf969c24e080bbd1c3498c5f8

SHA1
7b6ccdc0bc8be52d216050e3b4608b8ec5898ff3

SHA256
b575adc8a85de5785147b6eea54fafbe8d71e4d63f57136185db2118f16362e4

SHA512
01406ef8e61ce182a4785fa3595b3af8bb16edddf0fb3c369df186203eceac66f7ab65793292836a6129caf6e5c5c1e1a50f0679392d0c76d356794777d8e947

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
78KB

MD5
593ccb8a9bac4e86b97cfcd0f4f9d01f

SHA1
cc1ecec38b6e677415c3c98a241823678c43b473

SHA256
86b3b014a826258ecc4a324b2195ce5910ab184b6b65d793b86f67423a34f410

SHA512
ff986b717070518c4eabbfc7e4fcb458537c698b92963d7c6950e55da73ee6771ccd55245b0b73b0a21c74ea0a2801cde9dfdbde88d477b0ca4740c09ef9c740

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
78KB

MD5
3d549e7b56676fa7af69078190305323

SHA1
30e849e633c6a004e662662fbf816b5696f8a08f

SHA256
04aa568bcac76e1d5109fd3766eabba02a18f0dacebd548df06f64e9c83ded48

SHA512
348f63e8873a2cd34b914927dbd4ed1faf40f32738c6ede41211f6cc254bd3a63443609aacda1b196850238668b7f101a09b813b33403e2850280e074bacf576

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
78KB

MD5
92723044257214f44f094c0502f38069

SHA1
2d6cde0c9ade16a03ba202b7a4846d64c45dc5fd

SHA256
b75d69d0040a6b3a8322631a9972b00c3d183d76b6540ce07f4863f78e5d5654

SHA512
c35b16886c18ec709cb6ce3cf136977f42a9a07a6611c052b62aee6b5d9b59f76680a2834c4ffe14295be12c845ae29a6777e7f05448ced4498c250672fd7668

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
78KB

MD5
1644062cb53308db469778d629293c1a

SHA1
95ba781c226ed36145d0b3f970b5e09a181b8420

SHA256
87fc3147d181eef1d6dc735d0716a72a692705ed4d4885b473725e408203aa44

SHA512
9fee7e9de1e99aaaca2f6765789c85b1cabc249935c25da4d1c12e4e681e181ba44def6c91fdc5be140eeb101be33b13d48adb18d154c47d50e5555e165f5ee1

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
78KB

MD5
4e9041ad1d1d49df4a3c64b28e044cc4

SHA1
b507cf6fcd782f101b9dfbec03233303fb9ec40f

SHA256
fb750312aca1fbdc1da3573590472abb05af61a3f325988286a8725dd5afe02c

SHA512
7a9c540c358e665e74a9f3d52836fa43c119a5c9584b60e96532d0149312e93470c1cf4248852f52ddb17d67206b124f06e524f96138dea8d85499e704729d00

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
78KB

MD5
cb99f136e3203a47c251361a94ab78bf

SHA1
190fd4470eb30d11684399ff23cdd092da33a72a

SHA256
f199fc2b71edc67c8fe15e4198c93dfd9577af1ca994283c0d73a474465de38d

SHA512
731718c1ced299c4702cd2075a00b9b007d56b21ad73218ef7406da7ab73ea847886adb40c718a3adcdf64e4ceaa6e7ac92801c5a9aeb40316a89538b9cf5122

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
78KB

MD5
d9b335334c7732f1e70ed0d61ae8b746

SHA1
bb03902be00d5537dc2addeafc5be77b37d2a9e5

SHA256
5e31db079e5134c0349ac4cbcbdae0eaaee8cebc8abf5b1cab70426893aa594e

SHA512
4ea5347679da1fd23c08c73139f46da71085fb9574f92517d6e7c5b3107e59c15d49e423868ebcfce5cbcf7e2113259b03fb69b20d265f70ea5fd42d47fdf321

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
78KB

MD5
28cd18fa1091e199be9e8278a620a430

SHA1
c11819802d8522f96e4cd96c7b99dfd403244424

SHA256
677b529d6ccaf75f01ac84501f3ba8e85edde9c9e0cfa1d23c22c854724849e0

SHA512
1d4b4bbce754847f80c683f4ac3a8c4149ce2bc6bfabba54235fabe29d8647291dc8fbd22d88ef6ebf290b1a220fbf2c9ab45d4a29992b92c302b7acb2ad7b73

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
78KB

MD5
0dd78af7aaecb8dde531755e0bc7973e

SHA1
5b8da3c0900eb8d34a191c8baeccaa04e906bdb3

SHA256
a977966a0684c8df71f603e9b2f7322a4696afa183d576036b93755e687739a7

SHA512
21ec93217f313284335b5eb7e76866266034a4fb4c4a9da1ccdb825c0a343c39c4c1a4b040dd7a580166e1bbc891681b607bbfbbe5b290e9994176a97b8191bd

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
78KB

MD5
d01e53dec43af70af0f1947784fee73b

SHA1
f506a8eb02eaddb1a98873acd6cc9db461754bb4

SHA256
c68665db399d2b27dfe7a5ee345dcda9c691d5619a7e91abba984b8b36082004

SHA512
90276064562c2a6e012406c8be70a8780930def52bda6ffa5a32708205ff4191f864d001463d953524b6bb52777bc4abc3628d70a4849a9e08a714f8a876fc14

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
78KB

MD5
6b999ec8c09f9d4e2f20c767a3b19751

SHA1
7e2219615c1aff23846aa6b34a32f5844baaf623

SHA256
5501574b862468cfc81bf62b39cdf9024150d252de779dd2162916c6272c2748

SHA512
040bc10f0d92f383ca85c56497bf5ff36d16a0dc74cf1adfb6e6b16e59c6dcb55deebbda7d01ab7cc31c672b47b5719affdd7acfefd282edb920a63413687327

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
78KB

MD5
9e9554eec5cf3eb6d7b8a1e1d15f38c2

SHA1
e9d34dd5f162720bd0406357bd2361ba0f89e211

SHA256
1e6e1150cda832b95185b14b2e20629068cad032f02ad6d12c7022daea190214

SHA512
708806aa0244a05bc3087daade94ba5bf77eb9be1f9d69c0d0665b8d3b05ab2907fe8e408b1b1e0b5eebe1e0532c223df344f1978fbeff9dfcb6b56afb240551

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
78KB

MD5
790e8129e9a207cbd45b33fdcfae09da

SHA1
d6e88cf8ad019b5407c3481e7ed0c937b39986e5

SHA256
c21e0573b1404e7cf60a705878a1ebdd6a0d147ae8e8645a34e92d9ebfd83a9c

SHA512
7d08cda8d9c44483b1cb2fb53d8888ed89cf440b5a4cc3a9f167bf044bc923492025fcf13d227f4b49e2257f985938ea08dc939e71316110fd1295b8f0c6b22e

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
78KB

MD5
baba8ee0a2b8fbad24ee79dcda81b2b1

SHA1
83e2402d8718461c3322f639431e4ff2e616af56

SHA256
bc5e898232db1dbd643828c1f351aedacfb9f448fb55ad09c3466c5e79217630

SHA512
22ef7a642b2f33b10076d68ce253425bad2aad03eafe2b44200b9e39a5dab611737707f81365f07c1b3852bd75d3b94d58731f50b4d07174562e73e05c4a7d3a

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
78KB

MD5
8e475892a15c04309da9c0b803b256f0

SHA1
f314f33f41300abc84d8d18f3690a7b7b6fd08f1

SHA256
1c8d8649194f9030337c0eaf1624e362dbe3f821d9acffa41d13442d045ce657

SHA512
737e28cdfb945e086512e939d11824cbf6048e7a862dc80ac81c4dc43246538e33294837cf3d2dafe03905187f7514554471ba3f3bc817a98940718340569a56

Download Submit
memory/320-506-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/676-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/704-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/860-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1100-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1204-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-523-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1788-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1828-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2912-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-518-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3816-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-500-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-450-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-494-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-482-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4932-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads