a6c6f6c371db40952a4d1023f599e5b2ee76247f7d20f5df1dd00b0db5d98b59

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe95c81bb31327e3328c649aa48c230N.exe
Size

364KB
MD5

cbe95c81bb31327e3328c649aa48c230
SHA1

55e152bbdd0b4cfb1c514fcff3bcce5eadf6df03
SHA256

a6c6f6c371db40952a4d1023f599e5b2ee76247f7d20f5df1dd00b0db5d98b59
SHA512

bda8e30f41754a1a5ad2ddb3e3205d2408c55885486c24e4f31116592c2936a4a75d6c73ca247dbf03ff71e043d3e32ec68eaf5848d909c96dc26e15216dae5f
SSDEEP

6144:lzdX5KsCq4FjSGcCqJGxhCiCq4FjSGcCq:lRXUFRhUF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cbe95c81bb31327e3328c649aa48c230N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cbe95c81bb31327e3328c649aa48c230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabglnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe

Executes dropped EXE 64 IoCs

pid	Process
3928	Hegmlnbp.exe
1712	Hcljmj32.exe
1776	Hjfbjdnd.exe
4004	Iabglnco.exe
1324	Infhebbh.exe
1616	Ijmhkchl.exe
4076	Ihaidhgf.exe
5076	Iajmmm32.exe
1852	Idhiii32.exe
4500	Jbijgp32.exe
4752	Jaljbmkd.exe
3092	Jdjfohjg.exe
3164	Jlanpfkj.exe
4312	Jnpjlajn.exe
1560	Jblflp32.exe
4960	Jejbhk32.exe
1140	Jjgkab32.exe
512	Jbncbpqd.exe
4580	Jelonkph.exe
560	Jdopjh32.exe
4108	Jlfhke32.exe
1036	Jnedgq32.exe
4460	Jacpcl32.exe
2244	Jdalog32.exe
4844	Jlidpe32.exe
928	Jogqlpde.exe
856	Jaemilci.exe
3724	Jddiegbm.exe
3508	Jhoeef32.exe
4236	Jjnaaa32.exe
2012	Kbeibo32.exe
2288	Kahinkaf.exe
456	Kdffjgpj.exe
3856	Klmnkdal.exe
3360	Koljgppp.exe
2336	Kbgfhnhi.exe
2632	Kefbdjgm.exe
2856	Khdoqefq.exe
3316	Kkbkmqed.exe
4316	Kbjbnnfg.exe
2092	Kehojiej.exe
2728	Khfkfedn.exe
2676	Klbgfc32.exe
2472	Kopcbo32.exe
2164	Kblpcndd.exe
1084	Kdmlkfjb.exe
4756	Khihld32.exe
5168	Kkgdhp32.exe
5200	Kbnlim32.exe
5240	Kemhei32.exe
5288	Kdpiqehp.exe
5320	Klgqabib.exe
5360	Loemnnhe.exe
5400	Lacijjgi.exe
5440	Ldbefe32.exe
5480	Llimgb32.exe
5528	Lklnconj.exe
5560	Lbcedmnl.exe
5608	Leabphmp.exe
5640	Lhpnlclc.exe
5680	Lknjhokg.exe
5720	Lbebilli.exe
5760	Ledoegkm.exe
5800	Llngbabj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Kehojiej.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Llngbabj.exe
File created	C:\Windows\SysWOW64\Ihaidhgf.exe	Ijmhkchl.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Hcljmj32.exe	Hegmlnbp.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Ejahec32.dll	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Ipmgkhgl.dll	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Jelonkph.exe	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jlidpe32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Jdjfohjg.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kemhei32.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Infhebbh.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Pinffi32.dll	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Jaemilci.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkmqed.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Khdoqefq.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Kkgdhp32.exe	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kkbkmqed.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Kehojiej.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Cpmheahf.dll	cbe95c81bb31327e3328c649aa48c230N.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File opened for modification	C:\Windows\SysWOW64\Iabglnco.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Dpchag32.dll	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Ijmhkchl.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Mobpnd32.dll	Kehojiej.exe
File created	C:\Windows\SysWOW64\Mpaifo32.dll	Hegmlnbp.exe

Program crash 1 IoCs

pid	pid_target	Process
6012	5920	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcljmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbe95c81bb31327e3328c649aa48c230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmhkchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cbe95c81bb31327e3328c649aa48c230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icajjnkn.dll"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmapeg32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpchag32.dll"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpbcn32.dll"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahec32.dll"	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jelonkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cbe95c81bb31327e3328c649aa48c230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll"	Jbijgp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 3928	1080	cbe95c81bb31327e3328c649aa48c230N.exe	90
PID 1080 wrote to memory of 3928	1080	cbe95c81bb31327e3328c649aa48c230N.exe	90
PID 1080 wrote to memory of 3928	1080	cbe95c81bb31327e3328c649aa48c230N.exe	90
PID 3928 wrote to memory of 1712	3928	Hegmlnbp.exe	91
PID 3928 wrote to memory of 1712	3928	Hegmlnbp.exe	91
PID 3928 wrote to memory of 1712	3928	Hegmlnbp.exe	91
PID 1712 wrote to memory of 1776	1712	Hcljmj32.exe	92
PID 1712 wrote to memory of 1776	1712	Hcljmj32.exe	92
PID 1712 wrote to memory of 1776	1712	Hcljmj32.exe	92
PID 1776 wrote to memory of 4004	1776	Hjfbjdnd.exe	94
PID 1776 wrote to memory of 4004	1776	Hjfbjdnd.exe	94
PID 1776 wrote to memory of 4004	1776	Hjfbjdnd.exe	94
PID 4004 wrote to memory of 1324	4004	Iabglnco.exe	96
PID 4004 wrote to memory of 1324	4004	Iabglnco.exe	96
PID 4004 wrote to memory of 1324	4004	Iabglnco.exe	96
PID 1324 wrote to memory of 1616	1324	Infhebbh.exe	97
PID 1324 wrote to memory of 1616	1324	Infhebbh.exe	97
PID 1324 wrote to memory of 1616	1324	Infhebbh.exe	97
PID 1616 wrote to memory of 4076	1616	Ijmhkchl.exe	98
PID 1616 wrote to memory of 4076	1616	Ijmhkchl.exe	98
PID 1616 wrote to memory of 4076	1616	Ijmhkchl.exe	98
PID 4076 wrote to memory of 5076	4076	Ihaidhgf.exe	100
PID 4076 wrote to memory of 5076	4076	Ihaidhgf.exe	100
PID 4076 wrote to memory of 5076	4076	Ihaidhgf.exe	100
PID 5076 wrote to memory of 1852	5076	Iajmmm32.exe	101
PID 5076 wrote to memory of 1852	5076	Iajmmm32.exe	101
PID 5076 wrote to memory of 1852	5076	Iajmmm32.exe	101
PID 1852 wrote to memory of 4500	1852	Idhiii32.exe	102
PID 1852 wrote to memory of 4500	1852	Idhiii32.exe	102
PID 1852 wrote to memory of 4500	1852	Idhiii32.exe	102
PID 4500 wrote to memory of 4752	4500	Jbijgp32.exe	103
PID 4500 wrote to memory of 4752	4500	Jbijgp32.exe	103
PID 4500 wrote to memory of 4752	4500	Jbijgp32.exe	103
PID 4752 wrote to memory of 3092	4752	Jaljbmkd.exe	104
PID 4752 wrote to memory of 3092	4752	Jaljbmkd.exe	104
PID 4752 wrote to memory of 3092	4752	Jaljbmkd.exe	104
PID 3092 wrote to memory of 3164	3092	Jdjfohjg.exe	105
PID 3092 wrote to memory of 3164	3092	Jdjfohjg.exe	105
PID 3092 wrote to memory of 3164	3092	Jdjfohjg.exe	105
PID 3164 wrote to memory of 4312	3164	Jlanpfkj.exe	106
PID 3164 wrote to memory of 4312	3164	Jlanpfkj.exe	106
PID 3164 wrote to memory of 4312	3164	Jlanpfkj.exe	106
PID 4312 wrote to memory of 1560	4312	Jnpjlajn.exe	107
PID 4312 wrote to memory of 1560	4312	Jnpjlajn.exe	107
PID 4312 wrote to memory of 1560	4312	Jnpjlajn.exe	107
PID 1560 wrote to memory of 4960	1560	Jblflp32.exe	108
PID 1560 wrote to memory of 4960	1560	Jblflp32.exe	108
PID 1560 wrote to memory of 4960	1560	Jblflp32.exe	108
PID 4960 wrote to memory of 1140	4960	Jejbhk32.exe	109
PID 4960 wrote to memory of 1140	4960	Jejbhk32.exe	109
PID 4960 wrote to memory of 1140	4960	Jejbhk32.exe	109
PID 1140 wrote to memory of 512	1140	Jjgkab32.exe	110
PID 1140 wrote to memory of 512	1140	Jjgkab32.exe	110
PID 1140 wrote to memory of 512	1140	Jjgkab32.exe	110
PID 512 wrote to memory of 4580	512	Jbncbpqd.exe	111
PID 512 wrote to memory of 4580	512	Jbncbpqd.exe	111
PID 512 wrote to memory of 4580	512	Jbncbpqd.exe	111
PID 4580 wrote to memory of 560	4580	Jelonkph.exe	112
PID 4580 wrote to memory of 560	4580	Jelonkph.exe	112
PID 4580 wrote to memory of 560	4580	Jelonkph.exe	112
PID 560 wrote to memory of 4108	560	Jdopjh32.exe	113
PID 560 wrote to memory of 4108	560	Jdopjh32.exe	113
PID 560 wrote to memory of 4108	560	Jdopjh32.exe	113
PID 4108 wrote to memory of 1036	4108	Jlfhke32.exe	114

C:\Users\Admin\AppData\Local\Temp\cbe95c81bb31327e3328c649aa48c230N.exe
"C:\Users\Admin\AppData\Local\Temp\cbe95c81bb31327e3328c649aa48c230N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\Hegmlnbp.exe
  C:\Windows\system32\Hegmlnbp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Hcljmj32.exe
    C:\Windows\system32\Hcljmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\Hjfbjdnd.exe
      C:\Windows\system32\Hjfbjdnd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 400
        69⤵
        Program crash
        
        PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5920 -ip 5920
1⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:8
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcljmj32.exe

Filesize
364KB

MD5
d6d9cfc16c0d3a2a0e8c3f435807b5aa

SHA1
cbb1c7666a0665dda9bde1960f31dda81d487bca

SHA256
59b5a2bada683aaeee50dc649bf007169fea3aa8820d797b1f7d4b9170745312

SHA512
0f992cafdd3d4d2a7d6a83deb35d8b09cfbd5fb4de35b48cb7f6f8bae16cac9da58c97c2b2d3557e2c5a554655f2b9546cccd5f251842980ab47ec435aec01b9

Download Submit
C:\Windows\SysWOW64\Hegmlnbp.exe

Filesize
364KB

MD5
6b977c0a2b27fbd5b4e2d2e609d39eb4

SHA1
1f51eae6d03a5027519554057f087a60108dfebd

SHA256
35b6c2080a8e245289d3dd489236aae6ea0ef34de79a2078d99945598d08b4ab

SHA512
f302d465e821424b673001e0262980cf0fe8fcbd84184b9db4de8931613a0fc1c1ab41a7421cbcd78d71a05e091ea25686a29e1e8ba95af8bb24b0da084e281a

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
364KB

MD5
0f9fb974dde705958740f6e563238430

SHA1
fa6c9d117eb5024fe78d05e86cef112f8703f351

SHA256
64d9290036c421125a9e394b108346dcd70377834fe22801b846c99ee64e2a1d

SHA512
cb233f23cf8e2993e0846dcccc369f4901376ccdf6d03168ac16c9793d421eab14561d2456ea194b9be9395bdc6c6c38bee2309b5430499b548d6a143b62067f

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
364KB

MD5
7a78b7c47f23b53d9b4c4ca9338a49d8

SHA1
9e3c06a04dcf1f05111e725803a5766834c71866

SHA256
99fb92463e543e180d77a6511e68811bea6b628bfc9475cbc73a2a5a46bce265

SHA512
10a4b79cb5695327e8899ed25371072ef5b7aa810ff9ddc1a14771bb8d7b736685e8bb8f7748820ccd1a16f55834ed28b848efab104592a768898df4f2a073c2

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
364KB

MD5
e671871e04eef78658178196e182fffe

SHA1
918ad6645bc63dfb4a88eb756e787f8427ca7c96

SHA256
b9143db14a20557dd1b735bbe33ae44dc700bbd169549424c1afcea0cc9834a6

SHA512
26849565f0d8ee3cf8d19357ec698db7eb7a39720d7f454cae2cc13a1b6ba7a4e4c6030f31fe3824f363dee25bd155c51064f217b728c4629f2b8887e3216e92

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
364KB

MD5
c0a8bf06fa5015931fbfb2bebfa627e1

SHA1
2010a19181bfe3cccec2c44f5b6907eb05802da1

SHA256
eb729ccb3334554f8b1c0d1eb0da20d9f117ce37922d64a39a40a0e43ca942a9

SHA512
6599833c3ee80b4a44c057569066c43cdd1a8789f13fc2480cc8e08a3ca691cf73a5c531a90531946ba076edf0b8946f2387d126acbbf07d9dcdf366707a4ebb

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
364KB

MD5
7e6f392772016f0e07bb3b0270ea4664

SHA1
0d7b5d9d7d002d13d9511bf1a33098267fc68899

SHA256
da62299f2dca385b8810f9cbe7fe11486670ad23425ef9980fc0b850820d41c4

SHA512
fbe32d2328155137ce6a0960dc5c2a9330c8cdc419e750996bb4a9a469a31fbb8175b8ddbcb53ac2a2a6b1833109e1def3d59567249ff8fbdb8e16bb546d0cc7

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
364KB

MD5
d97d9439cf3c879bc0e665074378dd0c

SHA1
fb5b373003a9ebf66538ff0e847984b2c0ff8b5b

SHA256
416c791c1f6d930a26ab3f4a8ca6e58affc7be73020c2c41914762b876e803e0

SHA512
0af75b0f39209dc8ffdfa06155aa065119cfe77db5b289fc8949b723cc9464422183826d6fede7fd744f260c6317dce4cfb046f4e290047b6c1d8d426fc309c5

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
364KB

MD5
be6a09014f1113c76fdc1c9b03b0df15

SHA1
bd2626c97bd3ff172c46c3b9c7f7e4b1631a3b52

SHA256
9e65ec518d4e53f7f7ac4cf092da5247987fda2d2ce23c0f45895555a99e6ae3

SHA512
0d4eafde63e7b0d2418ec5ca1162fadfba2045b61e3f8b818c5c1586e254fdb4f4d9a7efdac36d8cfcc9d251fa4b33b635154092687a88019ee275efc93ac95f

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
364KB

MD5
bbe69c8b39bfaecfe485553d9d25fa5d

SHA1
06924e09dc57d2846562c7c2d1fbcf4348f887f8

SHA256
8c2df8eb8043661ced20b70ac49f186563491735d65425d6e405a4058b26e96d

SHA512
36aef765e4efbb11728d8e6a577711c450041639872fd46226430e977c6b1d90d357d44658ff4488cbbffce01f6c3fa1edf7fb3ed78b5c89f1b8c9b1f14518f9

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
364KB

MD5
11d99effb3dd929026585beb8ec3238c

SHA1
06d9c44fbfdca16d2ce63e5852e38659ec3e9b27

SHA256
fedc5ecf6029e7eba8d2252cddfab21e2238388996e2861a9a108f482c278ddb

SHA512
8b9cab65fa2ae3ccb734b5c52c027401998f37842c73008c5dae770af731e937f0b3a1857b2db541ed5a712dfcf71883ee642a4438a4d4e63b9d31c1da33231e

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
364KB

MD5
73ec070b90a6380be45df5dfea5a6078

SHA1
1e24af47b26aa2c3c533c2eb70b8c9c25737cfa8

SHA256
2e7f75d9f65693fe9e0549389fb69a4234a8754d0a1a6dd2c1adefba1ccb543a

SHA512
5cce08783657a455602eb03c8c592aa1aea8c1b4f8373ad8fba31b8b556793041b147d0e12697e9bda9b8613e69490352eeb86b29c8b7b6b9afca26ee47d240b

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
364KB

MD5
d928ba4520f9d05fba923b854a5ead43

SHA1
c927807c12bd3ada4ac50967c50e58ca6bbeafd5

SHA256
59cf72c9797e717356534c345f8bc62531cf0bd78ea9c7197d137d645d95b77a

SHA512
928ae73d2d5496e99bc5950b1e1fcfb5c8c818391f0954c09f1cda01fadf0ef41e58c0449e5c7c399bf426aaa931cde0bb5ba685c512f49cde95acade34cd20b

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
364KB

MD5
9e63ee844391f242fc7fc96087ca03dc

SHA1
9d8ab7835673cc72f45e0310a5f8b434f7d62aa1

SHA256
cf5c50bad52d821c936b0290f868e6860753a35483c9c890ccba5d8879137c4b

SHA512
fd3398369a68291ee7ce8479cadfff26e6e52a763403530f6239fd060eb683cc606dc3ea26cdbf5ebd5de7ed7ac4f18d0bc51e46db6be92a5b0bee1f54109e4f

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
364KB

MD5
2e02e9dbb88b3de1595306339870b3b6

SHA1
f9be5c405e97b246c35f74233271c97f2190510a

SHA256
82d487ea3503c64e2a00165d7133b36505573c1595d4e86d625e938f9a7af4a4

SHA512
56bd07a97a54404126391cf9107b56cfd660fd6ed24298a3885720af3ac8e964c7f22a9ba0c26b25428c0184804a9adac950a38e335a745e26d9de07be89147c

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
364KB

MD5
5baed968ca617295fbf7949ed53eca29

SHA1
47772a625eae497c298589fad5523e27cb013f0c

SHA256
3c3dd009a934c530ed7e37c9454e44052ee53b2e2bd445123a47012736f0addb

SHA512
516ae8199968793523f65e77d86ceb3d9877ceb1408be60f5124845027d1d7fe2fe5f0ebe1afefc2a099e45c5117ca6ec3ce3f3b89bf8dc0553ba78717c04918

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
364KB

MD5
0e1d2131c823c4936ff64e36be46e935

SHA1
334a0bd7e715fc424c42b9efd14cf3eb0ac3d7cf

SHA256
5d071f73a6f3ed459c55b32c11c1b8f6838b812efcd7b8fd878e4400aba799a6

SHA512
3ce5951bc5a510ecb45c69db8cc3d0aa0169171cd657296ce4fbe3b49457ce0f2589be7d5f5a1ddda789b0218ecd5344cd31ffc2e7fc65546d8cb608de53ceaf

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
364KB

MD5
9e0d2ed3530ab96a76c55c48932b3400

SHA1
7118150d9fc5d74e5820477bc4dfb298a1d1b35e

SHA256
2bf24e0cea89ee1dc910fda7327227c3b1dda55a2f9369200c61560f128af9de

SHA512
bc50748aa2bd8934b16629c85b8dff600dad49cf129420f6316f6fb072a4e96262239acb166f21bb2293844d72b77e87cfd9708ce993356b77b15cacab70c7b8

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
364KB

MD5
7c2726047ee3190b91d05577bbfe402a

SHA1
0bb24375285f6e544c306fae6a86a2da405c3b60

SHA256
2ef0cac52bf11eaa67d59b4ea8422fd88e0d0e6e2001517d8c88b01847183951

SHA512
5acd8ff37625c78b89e7d92d01b4caaeb962559063c50b16ad18c64ea9fdd67448b353fdc8168ed163f3f23f9c3b9896795f1d4f9a8ceea3d4a290eaf21dedbe

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
364KB

MD5
c0df58de2fde2f4216016440acefcdae

SHA1
86b1fd83b59bbb5c4ea3811e856be84bd1c8462f

SHA256
f512da9867a57d2b4a08df22ef68bd78d5347eaa2aab5f9010f9bba495073b57

SHA512
01db45a525247e7af167a22858a9f7d9187dd2a1cf383db1fc2384584609043463d5560b59a411140944f1c08ff715b323a15eceefbdd7c572ad85b31b92697c

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
364KB

MD5
ff5529b2879e4f4274823236efbd781c

SHA1
a88c17e59267f376ebb90ede9b7b047dae4dee0c

SHA256
f8ed25c58179ada7f75f4e6208e81a9791b0cd3ced099a1998035cd0901b68d4

SHA512
c8a41a4fec6f261daae016d1c470f5d8eb33d0b58250a782a1ef2f76af560b4e14d75210a9fd3e5d619c7ecf62c707c067c3d4a8f148e075434d6266981ff706

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
364KB

MD5
b08ec0baff1b349ebe71645f5708d412

SHA1
84bb9ad8beb230406ddd6377d7781fa0a3c3ebde

SHA256
64a3bdf1267d7c322c4dfc6ebc84a2715a38fe3aca79c04901f52939c95bde2f

SHA512
0d71a864d8deb6fa5719826c109e46166413463fb780fb4d7ef4edc998e847b5e09f1cffc661e7ca50ef5927a869d84951db7faec6e21f68897397111f33f343

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
364KB

MD5
0cd86b2ae2e601b3d21bdb9446a72c28

SHA1
7ee55f2738032e1d85097dbabe166f7d64113b3f

SHA256
9137168ae8bd4ce25bf6ebf10d0ef060fdb9aa38511cd7aeab461cf93195da69

SHA512
73966c7deb0e8a1b5a2239e9f6abbd7339717209de5b695928c0ed9d97da95a8ef11ca5873cf0ad30759e939b919e2f39f35ea3cc86a2e490a3a4c996f602dea

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
364KB

MD5
df82f855e6d60aa23bee78c9f37b334b

SHA1
c366d42b65f3434016dedb4ea273222985840ff8

SHA256
d3609fe758e42917d515043599cf5d548e8ccd2b22d6e2ea1e512e5a06b62e51

SHA512
24c521aadaf2ea383f613c3d4e98eddf7073148b2b1343eda1ca3add3b7fbf49ade765c631cd9952ae220aa14ea1dc4181d16e69c99af073edebe412c23016d2

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
364KB

MD5
fac28b71ccdf3921e36d6effe9095410

SHA1
b6d0974694dd37b4a23967de0f4b171c1ff69006

SHA256
d5b97ff344e0b8d3339ee3826fe250c5bed8a7e001cba7525d26d344e47c8178

SHA512
9f95d70b3a22636ae3e01049a11feec53070a4715027c8cfce1bef14da9394c34e5dde9b2cef519d85c3ac7fc159ff06ca4bbfe0fc0079c47ce1967fc0f38edb

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
364KB

MD5
2f71dc90ec494268babc2ec72c5e2197

SHA1
87cf4ac195d5dcac3f9e0b2d933ffc36eb001434

SHA256
f36e62050d18739913541a8025fe8cea1496b958911fc20628cf7293549a4aab

SHA512
cdf82db7f7c2da1a26f796567ca8d1e6e4bd38bdd0ef6b22111e1531928fa9c9cd22602cc9c672be4804c72897b3fc9adb5e4198049d0a794678e7e4edd20215

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
364KB

MD5
30cb259cdc2f75afeda0ced0a18c154d

SHA1
d59d99410d992bc5537794508dccba449294b4f0

SHA256
af68980bf6dfc18d475d79a37f941407f76b07ca5e359412213b724247b76f50

SHA512
d6c606e331de98fac5dec527281f471f0f1c686248ee818f78f0bee5d2cf4d119e67da95857e20928c9987df814ee2f1ba934f099cd32350228b52b387cf6ece

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
364KB

MD5
d0dc4b014d5aa2bf971501e2dda5e7b8

SHA1
700155f1aba15dd3b8a569a0bbb9a9a62657d549

SHA256
7560ff08f99dcfa54f7cf7981ee2f67e8a8299e124d8f4fa1b5d4201d5fe7943

SHA512
5fa4109c973fcba7dee33282153ef5a5636c77e03c8913c4729cfc2c9290ea82a2659c643a84fa802ac226bb6fc3e43b142e7111f06e956da6ac79ccdab99694

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
364KB

MD5
b185c244e555b18774ce0dac1c5dab97

SHA1
30ecdea242aac5155a6b6ad5c10e589cfd55241b

SHA256
9ed61ee586c391ee45a1c130dea453c5b27a90f776e70c6c20dbbad11136e2ae

SHA512
4d1d3c8553aa878603e09e33c64666db3960636706b98edb3872429ddf2eb3f12167a235a8bcb9837a1fec2303329a04a6a56320c4ae33e7c55a22a06e463eac

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
364KB

MD5
ef7bac6611c7077c6596fadef775d374

SHA1
fa0ef98f3ded70fc82bcc6ba0134ccf13f72d834

SHA256
26cf1ccb8aac7d924cb4f368fdf9f2074088ad7a2a552ffde1ae48c4323f53da

SHA512
cfdbbff3fee7e7d918fc40bb18d929c786010dadc48caa61b8aa1339376a8e5f3e14c480518b74eb28f9d5a42f8616a3af7bd75343a77c43f556c40d1a0ee619

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
364KB

MD5
15c5ee4a5a94148d7845d76f8ea67813

SHA1
a6da614492e213502cb0f149c3933ee0a2e24a31

SHA256
0d8e93e1de9b2ab41667bb5066cb0fabdd8f4185fef0b2f26f0c2263a910d6ba

SHA512
946c5a5d4246947ded37d3e6f7bce60876ef5ea8d059d23987b4c87a31d9fafc62754e326e82c7cfda2d86adccddc5ea07e1bd2ebf628508a627f66a4d233f82

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
364KB

MD5
65385874021af486d34c5765d9d0307f

SHA1
b0b49045a512fefe4adb0155150def49637d29bf

SHA256
619ce663141e1144b5364f00acd04eab4589fbc66b0db0cff4d95a29a0a7e17b

SHA512
d0cb8bed08b2b61fe70f3888a132509074bd4087308901c695b42659413d4890a0be9346b0b91470124dbb34f4dd61ab895236543bcd88b88bbde50e7ead4a32

Download Submit
memory/456-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5168-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5200-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5240-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5288-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5320-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5360-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5400-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5440-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5480-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5528-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5560-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5608-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5640-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5680-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5720-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5760-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5800-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5840-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5880-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5920-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads