523a83fc08a53b6064991c3af902fb29ad901785c7f866c4cd06de7208d37c12

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ec2927674ee84dea2508e326c0076e0N.exe
Size

243KB
MD5

4ec2927674ee84dea2508e326c0076e0
SHA1

10ee9c71d9615ac01a39b5c4ec2827b9a51fef30
SHA256

523a83fc08a53b6064991c3af902fb29ad901785c7f866c4cd06de7208d37c12
SHA512

8e54c554595cd4c7c6bfacb010bfbf330702e380679dcb4c81b52e69b4c313016eee9236ddad1602851cf8425ec98ba5f39dc70e09355451594b882ff3bd66bc
SSDEEP

6144:8HgQNG32BEKvKzwdlU2zlNgwTnAWtlhjQ:8HgQNU2BEal5LhDAalhj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ec2927674ee84dea2508e326c0076e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ec2927674ee84dea2508e326c0076e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe

Executes dropped EXE 62 IoCs

pid	Process
4908	Ibbcfa32.exe
4044	Iccpniqp.exe
2364	Ijpepcfj.exe
4380	Idhiii32.exe
3796	Iloajfml.exe
4052	Jaljbmkd.exe
1528	Jejbhk32.exe
4032	Jldkeeig.exe
2548	Jaqcnl32.exe
2612	Jdopjh32.exe
1716	Jhkljfok.exe
1888	Jbppgona.exe
3720	Jeolckne.exe
2836	Jhmhpfmi.exe
3788	Jlidpe32.exe
4244	Jogqlpde.exe
4548	Jaemilci.exe
3392	Jeaiij32.exe
2588	Jddiegbm.exe
3232	Jlkafdco.exe
4344	Jjnaaa32.exe
3040	Kbeibo32.exe
1052	Keceoj32.exe
2580	Kdffjgpj.exe
3748	Klmnkdal.exe
2592	Kkpnga32.exe
1192	Kbgfhnhi.exe
2796	Kefbdjgm.exe
4584	Kdhbpf32.exe
3724	Klpjad32.exe
4804	Kongmo32.exe
2704	Kbjbnnfg.exe
2448	Kehojiej.exe
3152	Klbgfc32.exe
2456	Kkegbpca.exe
772	Kblpcndd.exe
2776	Kaopoj32.exe
4624	Kdmlkfjb.exe
32	Klddlckd.exe
3644	Kocphojh.exe
452	Kbnlim32.exe
1960	Kemhei32.exe
3088	Kdpiqehp.exe
5124	Klgqabib.exe
5160	Lkiamp32.exe
5200	Lbqinm32.exe
5236	Leoejh32.exe
5276	Lhmafcnf.exe
5316	Lklnconj.exe
5356	Logicn32.exe
5392	Laffpi32.exe
5432	Leabphmp.exe
5472	Lhpnlclc.exe
5512	Lknjhokg.exe
5552	Lbebilli.exe
5588	Lahbei32.exe
5628	Ldfoad32.exe
5668	Lhbkac32.exe
5708	Lkqgno32.exe
5748	Lbhool32.exe
5788	Lajokiaa.exe
5828	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe
File opened for modification	C:\Windows\SysWOW64\Iccpniqp.exe	Ibbcfa32.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Bmapeg32.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Jjnaaa32.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Mhfdfbqe.dll	Klpjad32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Jejbhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Kehojiej.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jbppgona.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Keceoj32.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kefbdjgm.exe
File opened for modification	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kehojiej.exe
File created	C:\Windows\SysWOW64\Fbkcnp32.dll	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Iloajfml.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Jogqlpde.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Mfmeel32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Leoejh32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Ijpepcfj.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Kkegbpca.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lbebilli.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Iccpniqp.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lknjhokg.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe

Program crash 1 IoCs

pid	pid_target	Process
5924	5828	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ec2927674ee84dea2508e326c0076e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ec2927674ee84dea2508e326c0076e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll"	4ec2927674ee84dea2508e326c0076e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4ec2927674ee84dea2508e326c0076e0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4908	1756	4ec2927674ee84dea2508e326c0076e0N.exe	91
PID 1756 wrote to memory of 4908	1756	4ec2927674ee84dea2508e326c0076e0N.exe	91
PID 1756 wrote to memory of 4908	1756	4ec2927674ee84dea2508e326c0076e0N.exe	91
PID 4908 wrote to memory of 4044	4908	Ibbcfa32.exe	93
PID 4908 wrote to memory of 4044	4908	Ibbcfa32.exe	93
PID 4908 wrote to memory of 4044	4908	Ibbcfa32.exe	93
PID 4044 wrote to memory of 2364	4044	Iccpniqp.exe	95
PID 4044 wrote to memory of 2364	4044	Iccpniqp.exe	95
PID 4044 wrote to memory of 2364	4044	Iccpniqp.exe	95
PID 2364 wrote to memory of 4380	2364	Ijpepcfj.exe	96
PID 2364 wrote to memory of 4380	2364	Ijpepcfj.exe	96
PID 2364 wrote to memory of 4380	2364	Ijpepcfj.exe	96
PID 4380 wrote to memory of 3796	4380	Idhiii32.exe	97
PID 4380 wrote to memory of 3796	4380	Idhiii32.exe	97
PID 4380 wrote to memory of 3796	4380	Idhiii32.exe	97
PID 3796 wrote to memory of 4052	3796	Iloajfml.exe	98
PID 3796 wrote to memory of 4052	3796	Iloajfml.exe	98
PID 3796 wrote to memory of 4052	3796	Iloajfml.exe	98
PID 4052 wrote to memory of 1528	4052	Jaljbmkd.exe	99
PID 4052 wrote to memory of 1528	4052	Jaljbmkd.exe	99
PID 4052 wrote to memory of 1528	4052	Jaljbmkd.exe	99
PID 1528 wrote to memory of 4032	1528	Jejbhk32.exe	100
PID 1528 wrote to memory of 4032	1528	Jejbhk32.exe	100
PID 1528 wrote to memory of 4032	1528	Jejbhk32.exe	100
PID 4032 wrote to memory of 2548	4032	Jldkeeig.exe	101
PID 4032 wrote to memory of 2548	4032	Jldkeeig.exe	101
PID 4032 wrote to memory of 2548	4032	Jldkeeig.exe	101
PID 2548 wrote to memory of 2612	2548	Jaqcnl32.exe	102
PID 2548 wrote to memory of 2612	2548	Jaqcnl32.exe	102
PID 2548 wrote to memory of 2612	2548	Jaqcnl32.exe	102
PID 2612 wrote to memory of 1716	2612	Jdopjh32.exe	103
PID 2612 wrote to memory of 1716	2612	Jdopjh32.exe	103
PID 2612 wrote to memory of 1716	2612	Jdopjh32.exe	103
PID 1716 wrote to memory of 1888	1716	Jhkljfok.exe	104
PID 1716 wrote to memory of 1888	1716	Jhkljfok.exe	104
PID 1716 wrote to memory of 1888	1716	Jhkljfok.exe	104
PID 1888 wrote to memory of 3720	1888	Jbppgona.exe	105
PID 1888 wrote to memory of 3720	1888	Jbppgona.exe	105
PID 1888 wrote to memory of 3720	1888	Jbppgona.exe	105
PID 3720 wrote to memory of 2836	3720	Jeolckne.exe	106
PID 3720 wrote to memory of 2836	3720	Jeolckne.exe	106
PID 3720 wrote to memory of 2836	3720	Jeolckne.exe	106
PID 2836 wrote to memory of 3788	2836	Jhmhpfmi.exe	107
PID 2836 wrote to memory of 3788	2836	Jhmhpfmi.exe	107
PID 2836 wrote to memory of 3788	2836	Jhmhpfmi.exe	107
PID 3788 wrote to memory of 4244	3788	Jlidpe32.exe	108
PID 3788 wrote to memory of 4244	3788	Jlidpe32.exe	108
PID 3788 wrote to memory of 4244	3788	Jlidpe32.exe	108
PID 4244 wrote to memory of 4548	4244	Jogqlpde.exe	109
PID 4244 wrote to memory of 4548	4244	Jogqlpde.exe	109
PID 4244 wrote to memory of 4548	4244	Jogqlpde.exe	109
PID 4548 wrote to memory of 3392	4548	Jaemilci.exe	110
PID 4548 wrote to memory of 3392	4548	Jaemilci.exe	110
PID 4548 wrote to memory of 3392	4548	Jaemilci.exe	110
PID 3392 wrote to memory of 2588	3392	Jeaiij32.exe	111
PID 3392 wrote to memory of 2588	3392	Jeaiij32.exe	111
PID 3392 wrote to memory of 2588	3392	Jeaiij32.exe	111
PID 2588 wrote to memory of 3232	2588	Jddiegbm.exe	112
PID 2588 wrote to memory of 3232	2588	Jddiegbm.exe	112
PID 2588 wrote to memory of 3232	2588	Jddiegbm.exe	112
PID 3232 wrote to memory of 4344	3232	Jlkafdco.exe	113
PID 3232 wrote to memory of 4344	3232	Jlkafdco.exe	113
PID 3232 wrote to memory of 4344	3232	Jlkafdco.exe	113
PID 4344 wrote to memory of 3040	4344	Jjnaaa32.exe	114

C:\Users\Admin\AppData\Local\Temp\4ec2927674ee84dea2508e326c0076e0N.exe
"C:\Users\Admin\AppData\Local\Temp\4ec2927674ee84dea2508e326c0076e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\Ibbcfa32.exe
  C:\Windows\system32\Ibbcfa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Iccpniqp.exe
    C:\Windows\system32\Iccpniqp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\Ijpepcfj.exe
      C:\Windows\system32\Ijpepcfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 400
        64⤵
        Program crash
        
        PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5828 -ip 5828
1⤵
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
243KB

MD5
5ada91792ae2f90ec37ad882519aa019

SHA1
1963c02949fdb9ad20490fca1bf60e93834458cf

SHA256
d75a0f04622eb37882ac97e9a362d2728b9c3a028724d34cf88d6c67c7d1e1fd

SHA512
248785310adb4e87de8bcf7000fa42512db5221bebe9d3c3ca81400cfe5740d44c7416e180e6a7282ee28c5c627e383c7567d3fd5faeea93d19a65a2cb063c8a

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
243KB

MD5
6310a7dfb55da19387024db7897b4995

SHA1
4dba21ca81fcd19ade20a31d6194d178f3281214

SHA256
c4993f74e4ddbfdaba4245090924b44a7dc5e4c4fd1dbdd6512fb136f327f46d

SHA512
5980de5b9b45ce5527cf170c7d7397c7bea34c2d769746fe94431585b1fbf499bee1823762f8c5aaba8ca833a68698d866a221e410e0d70db5ab464a896d2f92

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
243KB

MD5
3c48ed67ce4fd7aa5fabe769371a721d

SHA1
bba91df132402138af5b4b8e0b9f40db4d0bb884

SHA256
4b99e90364d22f03c7aaf58648b74bb334f213dda8fc7b54414f3c4d258ee29a

SHA512
d9b7cd6d8c6643c7dc1f0a0457fa76a440cf7b56fd65aa2965345a7c47ac5ea26a9585885c6d9cbb1ded196d52e68cdacb029f66be45b640c3084fe0d4c9589b

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
243KB

MD5
76536ac10676c89064ab4a7948c2bc5b

SHA1
aefddfd11684267e74cfb07fabf302db5c439bff

SHA256
37348aed9e51bda80da008d8b6660cfb7dbe07d52fc19cbc2e2a12b1be9e88fe

SHA512
b7cd6826903db44766d75fd98dbf7f39793c30735aab7740d5ac27cf9d4f939c93d5dd273a161cf119140ee1b3e931a39e10c6e4b6f8c3e215b9c401bf111ac0

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
243KB

MD5
ebc88dd2425b6c2efc64b177289b928f

SHA1
c1137ebf1b8c40cab6af4e2b7370e91892f04da0

SHA256
43d2843013500d94fbecb7be8ee9d9fa6dbf89234773e4a0d5bb0432660b52a3

SHA512
b3e514afb70cdd2ef79a401e1f999bcb3d5322fc689ee826a116ee69d8bb64199cb8b20311983a330c459b7ece838afbc39bd616bfb21b0933900c1944b84295

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
243KB

MD5
8e96392d864f9c9b350309107118bb47

SHA1
97aa6346b577b61bb9b0b0a9dd99e602eb2a53e8

SHA256
1951f8fe3667b3d613b460a4fa53e1783f0d90b3e78e85e04e66654ec0bfe5df

SHA512
e5176350a544d875f933bf804486a38db704d835f6b1e04b3c140e884168ee20b54b8183ae3ef27c3d8143265042a22a27d4c1c5f1baf2db5b152f8f7639e662

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
243KB

MD5
54553390d17ddf387a99a08c8f716733

SHA1
3923ecba50598a9382686af7000f489ff8d19aab

SHA256
44aeba3a5d15ef41c91793d6845af14d67d8b1db09acbdd842eb73f7407a2606

SHA512
0bf26bd4c97b4e95f89a1707c5fc2ee12cecc640592a3b94ee67c318a28d937ba4fd4c75f4ef7254e75754d4ff3547c0588e80d42f805d9603dd2e963fb9b9c1

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
243KB

MD5
2590f17de4ad01c22af27ad71a39cd81

SHA1
7af77ac5b935053bdf97d19bf48c90ab81dfb2d8

SHA256
b6410e2191e74fbf752b8824bdf2730c3a2c42b82dc5336f7ccb6a80e57611bf

SHA512
efa02b30025f931584f6907f900b8ba97cbfa0a152194bf94ecb9893a02aa481b28d676f687a238c8f02823a7d481fcf9324d4a70c3b00080f86f97f94d9a11b

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
243KB

MD5
2db6ce13d884c869acc900ac04d36515

SHA1
24f7e4be1ab3f8205b47aac3be45e301263488fa

SHA256
2543f5a34e8a034157d21412bb584d65f9112cc6a6dda225b5145dac7c48ea5f

SHA512
d96e374f542c575e930c24b09e75b02a799dd643a02af4958ac9d12fe1886e48808eacbb5a791779a95f81f446041c0052408ee40ec89e73bde039139982bb8d

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
243KB

MD5
086cb38310d901bef02bc795e0dcf31a

SHA1
22ab9be25c53293360946553db170c18e19d8c48

SHA256
14144f587b45f024e4d10532330ee8aa3e5e370292a8e1bda0c1f4c780cb3594

SHA512
5119de0c47f9f1ffadf96ad28bca6dbd6cc815f42bb14ef17388990bc19ab7a32f563a4bdc20b76aa549814c4013ba636701413b2a5cc928cc5463ffacef93c5

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
243KB

MD5
25bef87671535769b2e82ec03306ed0a

SHA1
ef4745b7a36f97a2839d123e6330f4023baa62fd

SHA256
2df35e484dd4d28997e35f7e74478b673ec846e53f18ca0e77ba93c47a3ad825

SHA512
190cac3618954d082aeba0cac7e8b674c8bdcc6bd873cab88db84ef3554e30b808be36e529dc2258ede2f5c3ec556bd1ae16106d3a489efac4133870d472899e

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
243KB

MD5
6361e1e270fe9cffa1b05cdfa180509b

SHA1
1fb0d79e479cd8217b6f7f13908d6404f6ec4528

SHA256
30e29c881d0481d0d703d6551cab54d38639d4ba57a5c8d16bc9eec0023b9a39

SHA512
9fdf74bb36d9347d34062187d029a3c33f59c97d0fddfaaca96af74d59a3e246290a423bee8ad2008b717e98ae7c68c21aa460a094283de5758e0feb45aa4fc5

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
243KB

MD5
367b43985546c0e4eecc8d8bd6271fa6

SHA1
6d51f4cd112d08ef7547bb6c9857d6133fb01dd3

SHA256
5b31c77c2aa25f73a2a386f8f34165404f5d966134ee6dd7baa9e054655f8db7

SHA512
6e9092d1ae05beffaaab73319c2b6bf9597e409bf838c15631ee1542d9c6c111844ae9a5942b99902af9142566e2cc0895441c07896e96491bb854eeab6320f4

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
243KB

MD5
0cf37eb298ba4ce7a3f9f87a059d3e76

SHA1
7b1761b68aa7d510adbd2a08c398844cac87de35

SHA256
5a766d207efd6b4109fa7f3b44b8ef29332399dc88b8c09efb9a05957d9f7478

SHA512
a04a9751ed717eada2106b8312b4bf98f06b4ca000ca6d5dcd29c8d156a6a7f52a77054a710da36e0a8bb9aa10ea5fd7d798db26940972338c3fc93d56184b23

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
243KB

MD5
73b52514daf618b1f368962ea138fb10

SHA1
3f8d74ead3b3cecb1e8dbdce916c010f9657ff8e

SHA256
59058123722aa000bea3cc845989a49ead97f60b30ac7297ea914fc53e062a00

SHA512
18472e99eb28871bbe39682c3b3df93468002dd1b346fa46823a7676969288fd64891bf4a93f3263c2f7b3a6d8f19b579ee1cff8928b2797c2bcf91c63673eed

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
243KB

MD5
1bc6b2162a6e454722269f73096ddf42

SHA1
6030dd6b9283033a2d5d41bfd3748be085be4867

SHA256
4265dd499f80167c0c8882ef99b3a273fe34c3ac39ff23e27b6833c303723826

SHA512
1b085ffa41f36816aa2bc2177f0a2a2e8d591bf9675f943084f1eb3c62b0a39ca2812c0607e3cf6ef66190264daa7586805e10dc12143dcf2231455272dc05f3

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
243KB

MD5
ecf705c99c6fba33917d75a224561a5c

SHA1
5f297a96d42004c3e7772cf02ec50436eb091dc6

SHA256
1720062fffa825f19b30f61fdcca9f1fa449e2a3e4c7262fdbe10e24473fe9af

SHA512
0361cdcec5a7fb6138508796a2e2cbc5039681095489a49e1be7dea6e7a3bd167e1f8d429ae04678229639026104cf6d12e790b88ea3a0a4bb6d0094562289f2

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
243KB

MD5
49c1e0af1c2e2e8a5cbcfcfc721f41bb

SHA1
127479887ab52be76861d6a583e1d9612bbb3a1c

SHA256
2861a2690a17e72100072fb8754f08ef01d66d00c383a462007c1c645dc6ce43

SHA512
f701e2acb9c837d10d63d7cb4ca4a3b826b74b6c4d8ac34aba18a87be5f3cf647207895a1eded8defb47f494d079b37b13ce9a605c4e52e8cd1fb4b6b057a4e0

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
243KB

MD5
6de2ebd5f98f2d6eada82c3712f4c3e0

SHA1
2663b0895e4dbf36f37c0cf6b5022305df6281c9

SHA256
01e9d06bf0038e32e16da16925ef945a5361411809d677677853a8df7e2a0d39

SHA512
ca06c46f0c5dc234c6e29b4b1b155b34fe8bf8ba19a9acec58fc029bb3c2a02ac0092e9d848043bcff4cac0f900d8f2ed545b834446be31c7a895e82ef09bcad

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
243KB

MD5
8648a527ede7b4989e57e64d3e58178b

SHA1
9340bd6ef473491dafb80211e5b74f09ab2fff65

SHA256
b8e4c457a3d5b721bc275bdf84ce2202c1075565eede49e795a0823f70f909c9

SHA512
e4ae087e974022ca60aedf268ca1c33708bf9fd1a5725949a01ff676cc9e01db5f38066980a9dde7a338442a2bcc38d00bd78e13d22a79d3c447e3008d828ddd

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
243KB

MD5
012d249094ef48d1eee02b9beca18f96

SHA1
65e22776e8c977a7c9f8a81b7dd872b71b99e421

SHA256
c96d6439bbc602c13cbdd36965b94a9702d6efd661d8fb9772b5c5dd4184bcd7

SHA512
cb274bdb8337dc05b945b2ddde64b1d4c6736bd0613a428ea16f7c43888fd6c03c02d7a7150cef36eef07f259279f3cb1d9405a95643bfada5d1239b71481650

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
243KB

MD5
6d95b29ca373029f829bf77067731f97

SHA1
c8152660d9602785c8f4dc6328a9a424b42bbf1d

SHA256
f5a853676330f95439a8d85903e225c4b9b00f5140a58b3da54aeda539ec392c

SHA512
a08a1fabc1f4ba02c753fa1a9b2f7a07006ec7c1793239bfdefd8a6ae94b57512e7cde208e3e335cddf9d767d7f3dae380f1bf880ab313b88cf8d4596e69f44c

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
243KB

MD5
0fec0fb0564876c4186aebe84f3c2e26

SHA1
eaa975c47d4b6e1fa7fd3f6e12591272ef3d60d9

SHA256
9ec89aca8cfa2f0c83f8d97f057de4228a7ffb719525014481d5af3a026bdca0

SHA512
43f5bd80eb1de1284feddfe4d1c5c597491474e0bc97149b95a3ea4c6c9cb64f7c032abe164f0f6c0cdf7e9be3a00b9ecee5f721d2f7a4c66c82a5e562e2096c

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
243KB

MD5
b57e8cfeed222cb39258d8850cbe5704

SHA1
7094442f277f7c0ddf681a646173bc6680df405c

SHA256
5f302e2807ca449b189394795717ccce10023e3a6b52a2bcfe06ffe1257adb92

SHA512
e0c52fab8d3c45561770fdcae510ee3cb07f1f472986b2726900ea5dce34316c569343efce9ddff83f1b5722f4852c5c8258f07940831b996c737bf5e2188a18

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
243KB

MD5
4389f0dad73ebcb471970e657c789e97

SHA1
44f7332eb7d0be3b2bf29497b21f2e60091c1a18

SHA256
e801c4cd7a8f5a1c2ea6c2b6258bfe4d0be124b707791d9ffba8a3998aeb684f

SHA512
e5a687cfcc9a636a59a201a9611da7bfe0c667947e04b800751c4b6b4193629da48dc4ad8c39cfdef86f53511b117b117b5fa132a4e3beed9e19ad3f3bddbe0d

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
243KB

MD5
585a6e26984087f338f0b4eb870f8de6

SHA1
e082f0b250d007021db1bac6438bb446ab94924e

SHA256
7fc9fa1d652a47f55c7dfbd5e3ba2b9d345e2feef998eb46d219b64b3329891f

SHA512
5109b6ce4617222d0e860e5fc23a4ece2f68a18ac369133cd26f2cd4f1392d3573864c871f2cdab2b131ba97e23c43bf52714b3ef8df86a7a39ec9f299e081d0

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
243KB

MD5
9fe9daa31439e4d08f9ca8ab14f4f995

SHA1
d9a70e1f2dd42bf486da9a5bd1ba00145b1fefd9

SHA256
9d841826bdbffc9c7b5c4120f6623f80774ab9b4681b61e6db6c360518599407

SHA512
9561e96f28795cd482fbe232d19988194005b3726c60d9b532c42e29ff77b8b9278090d46ef4103f6b4254cf49e75476ca945a50960dce83e0f0212409648a03

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
243KB

MD5
2ff07eb43f4ad1a10427f696adbae2ce

SHA1
e418f201e8647715577fc008fbfa6cfb74718a39

SHA256
cf0a5c99ffeaa290ca7bb78c6a977f2213c57834df0cdb8a3ca69fa994db3a4b

SHA512
7161ab07a5cc692460443cbe77547dc5cfad961b800e036ecb9720b231c6554cf8cc3acdddcd0e9757569436ca4919eec0c967131a48e412728028257337bf73

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
243KB

MD5
9298c2a9325bf6a10ec6e3ddf9d7e799

SHA1
9886483e13a1e70501cb4a21e2355f474dbd00c9

SHA256
7ece878a3d70669be81fb2fa194c56cecf0879f968359979bdd94296010e84ae

SHA512
ccfb1c86db0a07df78d716b6d6888d538ae880f58a8948e70a8d8166585d485ff753facb8d67b48741b609ce7049581891395b5f2d679ddfa0472931fd99936c

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
243KB

MD5
ec1ccd4523cacd0ff2f3c2ef197efeca

SHA1
934267a915c3e098ea7ab5142f644fe00fde4ea2

SHA256
e608af990b013b8b668ba317008a4c22b541d56f6ea791ea935986bc0a8db474

SHA512
e394c7c0310d18a8b635c6c6b73744393c240c771aa23baef8ce7efcc66c82b8f965a6e85994c7b55211bddf2e656245e921f7e896e76bb815bf4011dc1989ba

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
243KB

MD5
aa268ba080d2bb260213ad3f186c50bc

SHA1
04d70bc106141c6a4a93f444417e907140124711

SHA256
99f93727684d28ebe7625bf048d8f1dcbd84784c727fef4431626b7b0edf0108

SHA512
b1249513ca30e9aa4697c556a89fb07fceeb114bf65351861668848854186418e1b13bafe2795e83c29292c3a236ee62f87883d460c25ab915d4fc4393679acb

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
243KB

MD5
f1f26d74d3d12d0a17c896a1ebcf0a59

SHA1
ca8226f636467e28975160a91398ed07bed3e94d

SHA256
0eb4f55f7e40e8edc17953b9d9bbb29d76b9cee5898e670c15b6d4859778ba19

SHA512
5e27b129f3d6e4d784b5e428807c34ae884e6e6b0ef21a4c25fb2c49d067f1c140358a5a26e2dea4236e0b94fd63144917d1baed2bc94e2f7e949ed16e9ef651

Download Submit
memory/32-303-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/32-480-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/452-476-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/452-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/772-285-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/772-486-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1052-190-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1192-222-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1192-504-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1528-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-89-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1756-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1756-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1888-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1960-321-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1960-474-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2364-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2448-492-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2448-268-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-279-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-488-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2548-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2580-198-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2588-157-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-506-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-214-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2704-494-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2704-261-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2776-484-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2776-291-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-230-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-502-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2836-117-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-182-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3088-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3152-490-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-165-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3392-149-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3644-478-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3644-309-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3720-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3724-498-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3724-252-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3748-206-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3788-126-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3796-41-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4032-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4044-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4052-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4244-133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4344-174-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4380-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4548-142-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4584-500-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4584-238-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4624-482-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4624-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4804-496-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4804-254-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4908-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5124-470-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5124-332-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5160-468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5200-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5200-466-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-349-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5276-355-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5276-462-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5316-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5356-366-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5356-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5392-456-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5392-372-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5432-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5432-378-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5472-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5472-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5512-450-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5588-401-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5588-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5628-407-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5628-444-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5668-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5668-413-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5708-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5708-419-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5748-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5748-425-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5788-431-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5788-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5828-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5828-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads