67a09ef0529f53bc9ca3c5d94bae4717db121d2e9af6797e6642a70fc1c43cbc

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e921a2e5b2cd1e8158b70e08ca4460N.exe
Size

59KB
MD5

74e921a2e5b2cd1e8158b70e08ca4460
SHA1

96aa564f04867d52c1f2b3f2dc95076460abb23e
SHA256

67a09ef0529f53bc9ca3c5d94bae4717db121d2e9af6797e6642a70fc1c43cbc
SHA512

1db22d8b48ba420bd632d165c89bf15e0c44c162f0f12e6dc3054c2057b3d432f9c51afb4123083cbb3703bebc739d5b1a764f564139f4fb00962c7dbcc1ff31
SSDEEP

1536:nrHNOnNY01+ukguV/Yzlxnbix6dNCyVso:nrHknNB1+ukguV/qp86meso

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibbcfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inidkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	74e921a2e5b2cd1e8158b70e08ca4460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74e921a2e5b2cd1e8158b70e08ca4460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcjmhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe

Executes dropped EXE 60 IoCs

pid	Process
4284	Hchqbkkm.exe
5032	Hnmeodjc.exe
860	Hcjmhk32.exe
4004	Hgeihiac.exe
856	Hbknebqi.exe
4768	Hejjanpm.exe
3724	Hjfbjdnd.exe
2728	Iapjgo32.exe
1004	Igjbci32.exe
3444	Ibpgqa32.exe
4408	Iencmm32.exe
1348	Igmoih32.exe
3652	Ibbcfa32.exe
2724	Ieqpbm32.exe
3328	Inidkb32.exe
4552	Iecmhlhb.exe
4424	Ijpepcfj.exe
4900	Ibgmaqfl.exe
4084	Ieeimlep.exe
4108	Iloajfml.exe
3476	Jbijgp32.exe
4460	Jehfcl32.exe
3344	Jjdokb32.exe
4012	Jejbhk32.exe
1204	Jdmcdhhe.exe
3040	Jldkeeig.exe
632	Jelonkph.exe
3376	Jlfhke32.exe
5000	Jacpcl32.exe
1668	Jdalog32.exe
4684	Jlidpe32.exe
4600	Jjkdlall.exe
2340	Jeaiij32.exe
1888	Jjnaaa32.exe
1876	Kbeibo32.exe
4420	Keceoj32.exe
2964	Klmnkdal.exe
3968	Kdhbpf32.exe
4816	Kkbkmqed.exe
2052	Kbjbnnfg.exe
2036	Kehojiej.exe
4888	Khfkfedn.exe
456	Kblpcndd.exe
4132	Kdmlkfjb.exe
2632	Klddlckd.exe
2616	Kocphojh.exe
4348	Kemhei32.exe
4024	Klgqabib.exe
4560	Lbqinm32.exe
4500	Ldbefe32.exe
2648	Llimgb32.exe
3360	Lbcedmnl.exe
560	Laffpi32.exe
4432	Llkjmb32.exe
1864	Lojfin32.exe
800	Ledoegkm.exe
2844	Ldfoad32.exe
2152	Lolcnman.exe
2076	Lefkkg32.exe
1764	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olkpol32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lefkkg32.exe
File opened for modification	C:\Windows\SysWOW64\Hchqbkkm.exe	74e921a2e5b2cd1e8158b70e08ca4460N.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lojfin32.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kehojiej.exe
File created	C:\Windows\SysWOW64\Hchqbkkm.exe	74e921a2e5b2cd1e8158b70e08ca4460N.exe
File created	C:\Windows\SysWOW64\Dadeofnh.dll	74e921a2e5b2cd1e8158b70e08ca4460N.exe
File created	C:\Windows\SysWOW64\Hejjanpm.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Hfamlaff.dll	Inidkb32.exe
File created	C:\Windows\SysWOW64\Dmehgibj.dll	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Iloajfml.exe
File created	C:\Windows\SysWOW64\Aannbg32.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Ghikqj32.dll	Iencmm32.exe
File created	C:\Windows\SysWOW64\Ibbcfa32.exe	Igmoih32.exe
File opened for modification	C:\Windows\SysWOW64\Iecmhlhb.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Hcjmhk32.exe	Hnmeodjc.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Lefkkg32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Klgqabib.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Kbeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Iloajfml.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Hgeihiac.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	Hbknebqi.exe
File opened for modification	C:\Windows\SysWOW64\Inidkb32.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Igjbci32.exe	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Ieeimlep.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Gpmmbfem.dll	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Iencmm32.exe	Ibpgqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jelonkph.exe
File opened for modification	C:\Windows\SysWOW64\Jlidpe32.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Hmijcp32.dll	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Mohpjh32.dll	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Igjbci32.exe	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Jejbhk32.exe	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Lefkkg32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Hgeihiac.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Kkbkmqed.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Hgeihiac.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Llimgb32.exe
File opened for modification	C:\Windows\SysWOW64\Jelonkph.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Keceoj32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Jopaaj32.dll	Iapjgo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5160	1764	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmeodjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeihiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e921a2e5b2cd1e8158b70e08ca4460N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjbci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahec32.dll"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmgkhgl.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	74e921a2e5b2cd1e8158b70e08ca4460N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghikqj32.dll"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgeihiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkpol32.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll"	Hgeihiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadeofnh.dll"	74e921a2e5b2cd1e8158b70e08ca4460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	74e921a2e5b2cd1e8158b70e08ca4460N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4284	5052	74e921a2e5b2cd1e8158b70e08ca4460N.exe	93
PID 5052 wrote to memory of 4284	5052	74e921a2e5b2cd1e8158b70e08ca4460N.exe	93
PID 5052 wrote to memory of 4284	5052	74e921a2e5b2cd1e8158b70e08ca4460N.exe	93
PID 4284 wrote to memory of 5032	4284	Hchqbkkm.exe	94
PID 4284 wrote to memory of 5032	4284	Hchqbkkm.exe	94
PID 4284 wrote to memory of 5032	4284	Hchqbkkm.exe	94
PID 5032 wrote to memory of 860	5032	Hnmeodjc.exe	95
PID 5032 wrote to memory of 860	5032	Hnmeodjc.exe	95
PID 5032 wrote to memory of 860	5032	Hnmeodjc.exe	95
PID 860 wrote to memory of 4004	860	Hcjmhk32.exe	96
PID 860 wrote to memory of 4004	860	Hcjmhk32.exe	96
PID 860 wrote to memory of 4004	860	Hcjmhk32.exe	96
PID 4004 wrote to memory of 856	4004	Hgeihiac.exe	97
PID 4004 wrote to memory of 856	4004	Hgeihiac.exe	97
PID 4004 wrote to memory of 856	4004	Hgeihiac.exe	97
PID 856 wrote to memory of 4768	856	Hbknebqi.exe	98
PID 856 wrote to memory of 4768	856	Hbknebqi.exe	98
PID 856 wrote to memory of 4768	856	Hbknebqi.exe	98
PID 4768 wrote to memory of 3724	4768	Hejjanpm.exe	99
PID 4768 wrote to memory of 3724	4768	Hejjanpm.exe	99
PID 4768 wrote to memory of 3724	4768	Hejjanpm.exe	99
PID 3724 wrote to memory of 2728	3724	Hjfbjdnd.exe	100
PID 3724 wrote to memory of 2728	3724	Hjfbjdnd.exe	100
PID 3724 wrote to memory of 2728	3724	Hjfbjdnd.exe	100
PID 2728 wrote to memory of 1004	2728	Iapjgo32.exe	101
PID 2728 wrote to memory of 1004	2728	Iapjgo32.exe	101
PID 2728 wrote to memory of 1004	2728	Iapjgo32.exe	101
PID 1004 wrote to memory of 3444	1004	Igjbci32.exe	102
PID 1004 wrote to memory of 3444	1004	Igjbci32.exe	102
PID 1004 wrote to memory of 3444	1004	Igjbci32.exe	102
PID 3444 wrote to memory of 4408	3444	Ibpgqa32.exe	103
PID 3444 wrote to memory of 4408	3444	Ibpgqa32.exe	103
PID 3444 wrote to memory of 4408	3444	Ibpgqa32.exe	103
PID 4408 wrote to memory of 1348	4408	Iencmm32.exe	104
PID 4408 wrote to memory of 1348	4408	Iencmm32.exe	104
PID 4408 wrote to memory of 1348	4408	Iencmm32.exe	104
PID 1348 wrote to memory of 3652	1348	Igmoih32.exe	105
PID 1348 wrote to memory of 3652	1348	Igmoih32.exe	105
PID 1348 wrote to memory of 3652	1348	Igmoih32.exe	105
PID 3652 wrote to memory of 2724	3652	Ibbcfa32.exe	106
PID 3652 wrote to memory of 2724	3652	Ibbcfa32.exe	106
PID 3652 wrote to memory of 2724	3652	Ibbcfa32.exe	106
PID 2724 wrote to memory of 3328	2724	Ieqpbm32.exe	108
PID 2724 wrote to memory of 3328	2724	Ieqpbm32.exe	108
PID 2724 wrote to memory of 3328	2724	Ieqpbm32.exe	108
PID 3328 wrote to memory of 4552	3328	Inidkb32.exe	109
PID 3328 wrote to memory of 4552	3328	Inidkb32.exe	109
PID 3328 wrote to memory of 4552	3328	Inidkb32.exe	109
PID 4552 wrote to memory of 4424	4552	Iecmhlhb.exe	111
PID 4552 wrote to memory of 4424	4552	Iecmhlhb.exe	111
PID 4552 wrote to memory of 4424	4552	Iecmhlhb.exe	111
PID 4424 wrote to memory of 4900	4424	Ijpepcfj.exe	112
PID 4424 wrote to memory of 4900	4424	Ijpepcfj.exe	112
PID 4424 wrote to memory of 4900	4424	Ijpepcfj.exe	112
PID 4900 wrote to memory of 4084	4900	Ibgmaqfl.exe	113
PID 4900 wrote to memory of 4084	4900	Ibgmaqfl.exe	113
PID 4900 wrote to memory of 4084	4900	Ibgmaqfl.exe	113
PID 4084 wrote to memory of 4108	4084	Ieeimlep.exe	114
PID 4084 wrote to memory of 4108	4084	Ieeimlep.exe	114
PID 4084 wrote to memory of 4108	4084	Ieeimlep.exe	114
PID 4108 wrote to memory of 3476	4108	Iloajfml.exe	115
PID 4108 wrote to memory of 3476	4108	Iloajfml.exe	115
PID 4108 wrote to memory of 3476	4108	Iloajfml.exe	115
PID 3476 wrote to memory of 4460	3476	Jbijgp32.exe	116

C:\Users\Admin\AppData\Local\Temp\74e921a2e5b2cd1e8158b70e08ca4460N.exe
"C:\Users\Admin\AppData\Local\Temp\74e921a2e5b2cd1e8158b70e08ca4460N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Hchqbkkm.exe
  C:\Windows\system32\Hchqbkkm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\Hnmeodjc.exe
    C:\Windows\system32\Hnmeodjc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\Hcjmhk32.exe
      C:\Windows\system32\Hcjmhk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 400
        63⤵
        Program crash
        
        PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1764 -ip 1764
1⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4444,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
1⤵
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
59KB

MD5
6441b5bb33ec31bf22fa2999d213a009

SHA1
84918133e5b6c6b40d3d11a4a6e81bf06c5fe442

SHA256
d9d37019cbd765a43e565d8f7b606554871ede0b795f0859b399e3dd5d418d9a

SHA512
5fb3f5b3fe5b5c96d42d0712f09683e5cc6f6b6b7de3e87c41ef86f8b25f7451fca42bc219752b4454ad152e5014065a6306774af02902ea77f2e5726fe62bd9

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
59KB

MD5
ab6bf763ee4e2c28315c0319cbc0b395

SHA1
33261d1512ab782efcffcaf496ff8c8596c72194

SHA256
786f264de3fe208e92b0b75aca7d123d0fd5a41dd80acd0c1b52f16f09090562

SHA512
62ad80b462607d2cadcb1ec48e2610b049d6beed00865c55cfadf1e6d9ca6cd76bcaf691d996511ff75f7371aeed8b0be033e9f8e4a276e3623dde11591b45dd

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
59KB

MD5
2b0de9ab683147d8c77c34228c3d1dea

SHA1
4cc0efa990851787451b2f20282ca857ebc23969

SHA256
1c0ca8cec8f5398a214308e58f00900410d8c9900c7a13d54614c71088beddf2

SHA512
53382069857dca678ec3e243a692bcfb45693dce26744e661223173936b2f931a7ee23156f14477dcf1d9d416cc6919d98e5c709b261602925f64ae5eeb4d827

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
59KB

MD5
a717863183fbfdd0a59a91d70875f3d0

SHA1
5f69db38776f6941284fd745d7a6f3ed170a24d1

SHA256
d237474e19c1537cf7759ca496d17d11d0dadfce90b6a1f42077d40533fc87ea

SHA512
40d2e29074f2652b5374ac277297bc538a4cd063e7f12a8cb7809327897333d26f45bc7fd1fec95c0933a87b82fe50a83369f85e99c3f22a6c85a9759caad7d3

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
59KB

MD5
b3075384da6873c00363d9dd54ff0b25

SHA1
8ad5e861779da4e2d5d6ce4f63a4966e8eae5a10

SHA256
c575db1f277d25f190891e3c0d795e0a67567a34db1542cb404201db0a5c8976

SHA512
37b7774fe94ca0ce60d032febf13c59b8440edbdbd962fadd0adad95ac6d71be3cf4f9fff9e953162b1410417b7ae42b03dfaf163a670153ac15a8717885f1b8

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
59KB

MD5
8bbf010784c416d60546fe5d9df231f4

SHA1
f8359214e61bc23440f43443db9cbcdb3aee91e9

SHA256
7b513b56f2cd221dfe5abee76beb27be1183abd71c0a3966b7c275a8dd6f35dd

SHA512
d46a588fe90a4275b3f22fc1c81644f3eca05a29859309e54cf00847977164a14994c31b65fee706bb5cc4dbe32bd616dd26bef69628761382a8ca922f5c023c

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
59KB

MD5
b747b3bd3d55425ed4bf3c76e0c87d8e

SHA1
d6e9e5c983f5731f58b5935fb851a5a5630ebb90

SHA256
80e5623bcccd0419538a735feed1b3476311ceb8b04572dd1c4c18144e85eab2

SHA512
3cb3b716fd4befc1d509cdca55f17acb466f21a99acad1ba794b5850903d94ad8888c92c797b91e5893ea8718b55985a19f3885f5afa46faba4ff605bba9c575

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
59KB

MD5
8936abbe61d6f3b03c561af9bf692636

SHA1
2c49d918bc76de4508f87285a1ac5f1533563ef8

SHA256
4a7204d0b2242851b78000f2c4154ceb061e9b976638c2dd1261df245ab971fd

SHA512
c0ddce2700cb57af27962a08c50b8d255085784a52d0d3ac796aa752bc5711d4b0efde27c381a815add084a9a1ed5087c99d9a75eb34a2f2e1f568d5d6ac94bf

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
59KB

MD5
f57fa64705b99119042b08fc42702949

SHA1
fd699135ca0c25071e2022f4e234de0f9f51ee97

SHA256
65ef9b9305f23a783a63f64b40b53d2497367e1db2a31d5d18b87f9cc52593b5

SHA512
c5b86816c87716dfe7729fbffd472faead90768e755716d0897558dbf62d4496ffa929bf5d35942918cb01652f9a7e14eb0097e3f99f718d30fc391b5f9dc223

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
59KB

MD5
fda9434d6233723825bae998332c3582

SHA1
2dcd700f5c2a20d3d0c72f4d4794e10f74600b72

SHA256
2a4f32b69009b61ed26f1f49632553974d04ea216178a609aeb65c6314fbfc44

SHA512
4b03e5d483316496c4d22256ace9de7c8d0543dbfc2791db51a02f705d4e1e9bc1e4591aa4dd24b037389fbb6f5caf4fc913f583807a269439a6e610b3e57bf7

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
59KB

MD5
c5007f739af72aa404a4d4a5c6d940ec

SHA1
405c031ca411aeec844a6f761656b95eaa2d3394

SHA256
d8eb35757becd26d43ae156eed30b842bccaf7feeea029cc1969eedaacc50f1e

SHA512
6bb7887e84ef669a3e41d013f6f548cabe0051a5562e61eee6646a45489496263eadb7b423b816951ba914c16b56296ad11ae7be89e9279d2d13c7793e1495d1

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
59KB

MD5
35c3ef41733814f0cbf1c14798566ca1

SHA1
c21a6540a3ac841824b0e8f80d97c5c72775da06

SHA256
dce08a18ac7f21baf5760a7aad597e396d845feacfc5afeb5aae9f9c4399d0d5

SHA512
552126db31525b14fa5d59777f59f7dd2550871bb9d93ac9e5e6763524d6667c3a46c03f610af1dd452a241b97107d734b5b60ecaa0563a2ccc0aac5164ea7de

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
59KB

MD5
ece7b55457002d2e765ee69a3a53b493

SHA1
db86b79e70da44d4a76459272357a88d0285b0e1

SHA256
9cc8139529d91bc4373fdfaf158350c32c75a23f554e7c5f569be6a3f250e9f1

SHA512
ff34c4cf500be59d1ca3fb9c2c7a73b58198cfd5ce49bd6e034bdf7c65b98112306264e8888f36a9ff55f441c52364a9583af4e8ac53662dc6ad3d2d47e97c59

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
59KB

MD5
82bcbe97071cd2dc39295784062fb707

SHA1
9edd4171bfc02c821251a852867404047a3a4fd6

SHA256
2866f3a37f5848d893666624dd92adb54fc3c4d928fe368cd59f23ff92459cb8

SHA512
7d3c196105af7ffb86a2b3d1b24899721fa4c41fde7ab9a1ba3c7164115369fbc94614bce6c07a77b9197baf1f031b1c080984d12fe788f02f55c879b451c361

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
59KB

MD5
7076d87a69a8f72dfc4bea366a3ea47d

SHA1
15c5f9bf035696580d214a0b3eb644c59e39d82f

SHA256
826c3fd2582f96178ad03fb6b158d07306c6b54c42cdc5f93afe972a8edff1fc

SHA512
57e16579a2889b77a71af3632a5015d0bc309efb530181e656002f1d747669fa06970dabcfb1c1e5520483bab3d71e98b235de173a55d99abcc38129fad444be

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
59KB

MD5
436734d5699410f816eea467fd945635

SHA1
ce183244b039228ed7abf56f49b10475861663a8

SHA256
eab7c3f066bfb0194e49849d3222567e8c359019b6c21648818f89b35e725f88

SHA512
138038871b9e84db75cd1eb5a01843f8fc9f1b7fb64be6890445181fb42341ebd0d3103ea5710fd66027f340d064b579e4afd41239d75c1148db4a7ebfc5c66c

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
59KB

MD5
cbc903fa26b3cb2f743a970603120121

SHA1
f494088a064a3c518b24abefe0bcbedb9b7e4169

SHA256
d4c52ddf27da5be60674932915293b437d30a93adfd05e064b89f7c167b814a5

SHA512
9e930c280fffd47edd3ef2f8d50ddad59aed5db8c604fd07e61ca8e6470ce852e0c504dd416cda54d4fd32812bae794bd3e2a159ae5363d4606fffaeb85d1029

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
59KB

MD5
6fd4ba883a0a7f23e6ce5f73ecbad02d

SHA1
fb518e29f893f1484ea8fd16c9728faed9fdf206

SHA256
356c4fd86a2ec7c5853a86ec59939306e0df50a3856eec911a4cbe3d16351858

SHA512
846622bbea5fd65b8cf22fdd67a31a807e0475aaaeaab2168b475c56c2b33235aa31570699bce653457aa0e10a8f56cbb01a37b6784579d4d494a002be52e2de

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
59KB

MD5
776aadcc02ec719322575247e3883594

SHA1
6c37a4afc21b6fec417f69eb397240df53bdab82

SHA256
412eaadb0dd246fc42b7755830a22e0e4ccef99cc5eaac0547b465e07d0c299e

SHA512
9744fd343488127f1e285474e22052b9cdab7da0e08fcc29133be6dbc1718f838b7e106159b48b67738184a4e4f690188f5236897c55145da5470ddfe25703fd

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
59KB

MD5
89d2d4bdf5c733980481008d9e26b559

SHA1
9c34ba40a0674d49a59c4c647e75de4508d97a5e

SHA256
863ab797f47050e789cb9baa875255ee13813c05dc4b264b0226ffbad7e54ea6

SHA512
8dc6bae75081c44d7127afb45a7f179b3b891ea741a0a13a8a0219b7f202015a8d8327932f75f2e55a94cfe7cd21db84bda651eaae5e8fe03d021789d24edfe4

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
59KB

MD5
12765d974306240a1074e2b186fd6eac

SHA1
9fe2f68f68e1f70516c9140730352c1ee14814a2

SHA256
a859fe17338153e95d21ebdda62e4b6703bda0cadc69cc4504501cf813b95948

SHA512
b87c7c0483a55de3b97f43b639fafb693bc33e03f1e5289e5cc3b59fc0f32479966ca1ad8867c4c8e3373f8e98e522bafcebf9497cd6cdeabe46ba0943748f4a

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
59KB

MD5
cda791c2244004b91cf4fb50752ab4c0

SHA1
6924a3f0683f46a9fb25c24beccfa0d27c194a7e

SHA256
d811e2e52d5b7a7dded0d52d1502f77cd59cf374a654c62a3b7608e55f8c8f38

SHA512
e5e7a42c88b352a383422c580dac1f0b3a478a65f56bfd1621ae574c81cc9a2bd683a964b49350ee6412301c56a7d1a27e5f70bc66dec180f6f23981d5410408

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
59KB

MD5
751eb0b84c50b1f5bc0bcf78081a0a8c

SHA1
6df251a69cb6ed5e161d6657f50f8bdbb2463e2d

SHA256
07fd8787b133fab911a654c164327c3566ef88d5c1f520b3b25185beab2c6acf

SHA512
cb964f39c2f1ca0c31d51df8fd6cb7e6d388c224ee8e4385fe89232312a0af479bcdcc8eef357c1ab9221a9ecf7ab4ea76b2d003bd914b50d4cd6bf75f770c39

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
59KB

MD5
80f1e1d0d8d3b8efccf657d392934ca8

SHA1
49f70c77079dc48fdb2d9628abca88c007e79f49

SHA256
0da3e341dd988a945f131b27105e303bb3f3325a04ebb251135009b188b672bd

SHA512
4cda5dd9bd418312204f4afb784f53782635d23fe499bd911eff8b9f53fa999aed2251cfec033706a99b3ae0f1efc6e4dca330585269b82937a00422ab6d2f9a

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
59KB

MD5
aeeda2e60ffc28792ebc3ade61052d19

SHA1
899bb6d437d8f6898c1ea57c64c7713f474e34ba

SHA256
b5e1009e06ca4c9ea497073b12b3fcf5f0c7fb45deea183e30b7f4986d69955c

SHA512
d2e5e9edb96559d98411aab231e0f5fd4533c7af561d39d7651b096e50b32b6ecc93a205b79acab3f43f5f011cc4e0b2f91b4196d2bddc20501f803b414b067d

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
59KB

MD5
48eadbbc71c575fef8d12443d4b74eb7

SHA1
88bfa8d0cd3096d756e78fa3c0d4208259868706

SHA256
5839852cea05f3925b99f9f63504479a022f1ae44dbf65bdb4983ca7b334b036

SHA512
8f8f8557c9ad3ef19bc1c7e465692877df21a86269e9477de7158a6033ad2bc2ef1615f6b2a34fafe65daf20041100d0e9497061f8fe4c9b35ab83e8cd49e291

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
59KB

MD5
e8f33c6e68138678f0d8bfd5bfb63987

SHA1
b30619f5683542faa9a9c947f49dbd19dd68fbad

SHA256
5eb11f4669a40370d3a2046573d3cdc628746f60095302992a5e24f11424996f

SHA512
6d095d4b445a9791156ad6b77c12d3aac96a943f1e800a5a3fb3782cb04f402ac026b03bb6beec57656cb537a38fe428ce4c9e34dc51bf8db63efc2de0cc7ea1

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
59KB

MD5
a5071fdeb87353a5ab2be23d202f0367

SHA1
111e8e4d0384051c1431806b5eb0311cbb309bd8

SHA256
251e22ec634f5dd5b87f31baa9e73eaef6ea3aaea25e563c2e6fb67607269dd2

SHA512
e35c9a2471f62b7a1e473de1ab851a57549381d5c1cd67b78a368d50724de91f60172ae5d13244a46611ae18350c591c80c1babd46ba9df6d8e597baf69d2760

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
59KB

MD5
116991e49fbc18bc608b884457d9e1c2

SHA1
d1261d4e0dd5dd1f216a97723b106b91fbb5d6f7

SHA256
cd91187ed8d90239f28f6aea7a3f54eb1a05bcfa942df8ff08675b3ff8850685

SHA512
e143d166910568feb2eb5d52a95a86d59544e5f613efe2ca8ec2e0ab1b68837c8b21d84cb951710d21b2ea72bf7f39a66fa9f8011f5776b7aaeafb66829e057d

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
59KB

MD5
6b56d4ceff917ca5d8e4f59e52653f0f

SHA1
03ddfad3bf433d5f9e7909f846d10ff8dbdb00af

SHA256
1e76dfe70ac3bc20974843e07d3a1e786caa6f8e6350c40458c756bd4fbd55e3

SHA512
f7f35df18c60672478f78ba7efd5962351de64d3858709bfe3e30944839e7a2ff898de109b2f0c98147fb9809cde427fb8270f95417950755abac9a1f3b74a40

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
59KB

MD5
ea675a91a1a60d420a878f52ca56c652

SHA1
6499e6c65f4b9dd6944dd178858642477e5f757e

SHA256
ae21626aaf187a0b5466bb00bad9fa7d5ea0f1fbff81e5d9bdf45c651d513631

SHA512
cfd35eb97406cbd0a1dfa6116cd76082158c40a1d3ddafb6d18c5e6406c8690abd6bf4878ed3b7e1d99f3e2f13de5a8e6faed658d7603760ccb9933919ee4ab0

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
59KB

MD5
814060a09f3378473f849ddff04da365

SHA1
672ff73391beacc31f90a91df9f569519c0efb58

SHA256
595ebc446a8cc92f6d5e450f55c005f9970324c18aaba94cf760856f45c916a9

SHA512
e6556a88bc99a03a7a437bbdaec085f9ceecdff1b7ed73acfa6aa1a9ced5267bff32fcfded7e52cd3055a64ab887a71854b741862b24c836c2797c598fb1a02f

Download Submit
memory/456-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/456-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/560-431-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/560-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/632-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/632-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/800-404-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/800-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/856-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/860-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1004-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1204-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1348-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1668-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1668-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-427-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1864-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1864-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1876-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1876-451-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1888-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1888-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-445-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-426-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-439-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-440-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-433-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-428-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2964-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2964-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3040-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3328-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3344-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3376-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3376-458-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3444-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3476-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3652-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4004-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4012-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4024-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4024-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4084-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4108-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4132-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4132-441-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4284-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4348-438-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4348-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4408-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4420-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4420-450-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4432-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4432-432-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4460-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4500-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4500-434-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-435-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4600-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4600-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4768-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4816-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4816-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4888-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4888-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4900-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads