9ba68687075de892949007365467ca7c2e5f2fa700559b04369415d22a9e1484

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd042f8f086cc221b88616e3fc590b40N.exe
Size

123KB
MD5

dd042f8f086cc221b88616e3fc590b40
SHA1

af2fef34aa3b29a2878953103d801c43157fb6d6
SHA256

9ba68687075de892949007365467ca7c2e5f2fa700559b04369415d22a9e1484
SHA512

615570b9bc9fde0b30d687b892cdf9bc03727a5162fbea08364703dd3e93a38d2fe8dc4dd3a5d61973c1ca22f05211220256a642caca4f059a5b3715c81c917b
SSDEEP

1536:qJrA535o7crsnWitS6jc0LtvbjkePzb4RYSw1mir8CAjXoiDEuGg0opGCR98:6A5r1itb9kuzb4RYSa9rR85DEn5k7r8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd042f8f086cc221b88616e3fc590b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icfmci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	dd042f8f086cc221b88616e3fc590b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe

Executes dropped EXE 57 IoCs

pid	Process
1632	Infhebbh.exe
2848	Iholohii.exe
3840	Ibdplaho.exe
2144	Icfmci32.exe
3380	Ijpepcfj.exe
3764	Idhiii32.exe
3420	Ijbbfc32.exe
4700	Jehfcl32.exe
3012	Jjdokb32.exe
1776	Jblflp32.exe
940	Jdmcdhhe.exe
3984	Jjgkab32.exe
216	Jbncbpqd.exe
4560	Jeolckne.exe
4692	Jlidpe32.exe
4100	Jeaiij32.exe
4608	Jjnaaa32.exe
772	Kbeibo32.exe
4076	Kdffjgpj.exe
4568	Khabke32.exe
1820	Kkpnga32.exe
2400	Khdoqefq.exe
4736	Kkbkmqed.exe
2336	Kongmo32.exe
2392	Kbjbnnfg.exe
4976	Kehojiej.exe
4800	Khfkfedn.exe
3376	Klbgfc32.exe
2444	Kopcbo32.exe
4192	Kaopoj32.exe
2512	Kejloi32.exe
2316	Khihld32.exe
5096	Klddlckd.exe
4132	Kocphojh.exe
4376	Kaaldjil.exe
1780	Kemhei32.exe
4012	Kdpiqehp.exe
1784	Klgqabib.exe
3904	Lkiamp32.exe
2020	Lbqinm32.exe
3808	Lacijjgi.exe
1208	Ldbefe32.exe
224	Lhmafcnf.exe
4564	Lklnconj.exe
3120	Logicn32.exe
4984	Laffpi32.exe
4292	Leabphmp.exe
4280	Lhpnlclc.exe
1756	Llkjmb32.exe
2244	Lojfin32.exe
4068	Lbebilli.exe
708	Ledoegkm.exe
5104	Lhbkac32.exe
4792	Llngbabj.exe
3704	Lolcnman.exe
1140	Lefkkg32.exe
5124	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Lefkkg32.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Olkpol32.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkmqed.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Llngbabj.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Gjmheb32.dll	Icfmci32.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Khabke32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Infhebbh.exe	dd042f8f086cc221b88616e3fc590b40N.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kehojiej.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Khabke32.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Pinffi32.dll	dd042f8f086cc221b88616e3fc590b40N.exe
File opened for modification	C:\Windows\SysWOW64\Kaaldjil.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Eaeamb32.dll	Iholohii.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Lefkkg32.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Ipmgkhgl.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Mfmeel32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Gqpbcn32.dll	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Kongmo32.exe
File created	C:\Windows\SysWOW64\Eqfnqg32.dll	Kocphojh.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Ijpepcfj.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Lhpnlclc.exe

Program crash 1 IoCs

pid	pid_target	Process
5208	5124	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfmci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd042f8f086cc221b88616e3fc590b40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmgkhgl.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd042f8f086cc221b88616e3fc590b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlhjjnc.dll"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnncn32.dll"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acibndof.dll"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jblflp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icfmci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obcckehh.dll"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1632	3004	dd042f8f086cc221b88616e3fc590b40N.exe	90
PID 3004 wrote to memory of 1632	3004	dd042f8f086cc221b88616e3fc590b40N.exe	90
PID 3004 wrote to memory of 1632	3004	dd042f8f086cc221b88616e3fc590b40N.exe	90
PID 1632 wrote to memory of 2848	1632	Infhebbh.exe	91
PID 1632 wrote to memory of 2848	1632	Infhebbh.exe	91
PID 1632 wrote to memory of 2848	1632	Infhebbh.exe	91
PID 2848 wrote to memory of 3840	2848	Iholohii.exe	92
PID 2848 wrote to memory of 3840	2848	Iholohii.exe	92
PID 2848 wrote to memory of 3840	2848	Iholohii.exe	92
PID 3840 wrote to memory of 2144	3840	Ibdplaho.exe	94
PID 3840 wrote to memory of 2144	3840	Ibdplaho.exe	94
PID 3840 wrote to memory of 2144	3840	Ibdplaho.exe	94
PID 2144 wrote to memory of 3380	2144	Icfmci32.exe	95
PID 2144 wrote to memory of 3380	2144	Icfmci32.exe	95
PID 2144 wrote to memory of 3380	2144	Icfmci32.exe	95
PID 3380 wrote to memory of 3764	3380	Ijpepcfj.exe	97
PID 3380 wrote to memory of 3764	3380	Ijpepcfj.exe	97
PID 3380 wrote to memory of 3764	3380	Ijpepcfj.exe	97
PID 3764 wrote to memory of 3420	3764	Idhiii32.exe	98
PID 3764 wrote to memory of 3420	3764	Idhiii32.exe	98
PID 3764 wrote to memory of 3420	3764	Idhiii32.exe	98
PID 3420 wrote to memory of 4700	3420	Ijbbfc32.exe	99
PID 3420 wrote to memory of 4700	3420	Ijbbfc32.exe	99
PID 3420 wrote to memory of 4700	3420	Ijbbfc32.exe	99
PID 4700 wrote to memory of 3012	4700	Jehfcl32.exe	100
PID 4700 wrote to memory of 3012	4700	Jehfcl32.exe	100
PID 4700 wrote to memory of 3012	4700	Jehfcl32.exe	100
PID 3012 wrote to memory of 1776	3012	Jjdokb32.exe	101
PID 3012 wrote to memory of 1776	3012	Jjdokb32.exe	101
PID 3012 wrote to memory of 1776	3012	Jjdokb32.exe	101
PID 1776 wrote to memory of 940	1776	Jblflp32.exe	102
PID 1776 wrote to memory of 940	1776	Jblflp32.exe	102
PID 1776 wrote to memory of 940	1776	Jblflp32.exe	102
PID 940 wrote to memory of 3984	940	Jdmcdhhe.exe	104
PID 940 wrote to memory of 3984	940	Jdmcdhhe.exe	104
PID 940 wrote to memory of 3984	940	Jdmcdhhe.exe	104
PID 3984 wrote to memory of 216	3984	Jjgkab32.exe	105
PID 3984 wrote to memory of 216	3984	Jjgkab32.exe	105
PID 3984 wrote to memory of 216	3984	Jjgkab32.exe	105
PID 216 wrote to memory of 4560	216	Jbncbpqd.exe	106
PID 216 wrote to memory of 4560	216	Jbncbpqd.exe	106
PID 216 wrote to memory of 4560	216	Jbncbpqd.exe	106
PID 4560 wrote to memory of 4692	4560	Jeolckne.exe	107
PID 4560 wrote to memory of 4692	4560	Jeolckne.exe	107
PID 4560 wrote to memory of 4692	4560	Jeolckne.exe	107
PID 4692 wrote to memory of 4100	4692	Jlidpe32.exe	108
PID 4692 wrote to memory of 4100	4692	Jlidpe32.exe	108
PID 4692 wrote to memory of 4100	4692	Jlidpe32.exe	108
PID 4100 wrote to memory of 4608	4100	Jeaiij32.exe	109
PID 4100 wrote to memory of 4608	4100	Jeaiij32.exe	109
PID 4100 wrote to memory of 4608	4100	Jeaiij32.exe	109
PID 4608 wrote to memory of 772	4608	Jjnaaa32.exe	110
PID 4608 wrote to memory of 772	4608	Jjnaaa32.exe	110
PID 4608 wrote to memory of 772	4608	Jjnaaa32.exe	110
PID 772 wrote to memory of 4076	772	Kbeibo32.exe	111
PID 772 wrote to memory of 4076	772	Kbeibo32.exe	111
PID 772 wrote to memory of 4076	772	Kbeibo32.exe	111
PID 4076 wrote to memory of 4568	4076	Kdffjgpj.exe	112
PID 4076 wrote to memory of 4568	4076	Kdffjgpj.exe	112
PID 4076 wrote to memory of 4568	4076	Kdffjgpj.exe	112
PID 4568 wrote to memory of 1820	4568	Khabke32.exe	113
PID 4568 wrote to memory of 1820	4568	Khabke32.exe	113
PID 4568 wrote to memory of 1820	4568	Khabke32.exe	113
PID 1820 wrote to memory of 2400	1820	Kkpnga32.exe	114

C:\Users\Admin\AppData\Local\Temp\dd042f8f086cc221b88616e3fc590b40N.exe
"C:\Users\Admin\AppData\Local\Temp\dd042f8f086cc221b88616e3fc590b40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Infhebbh.exe
  C:\Windows\system32\Infhebbh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\Iholohii.exe
    C:\Windows\system32\Iholohii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\Ibdplaho.exe
      C:\Windows\system32\Ibdplaho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 412
        60⤵
        Program crash
        
        PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5124 -ip 5124
1⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gjmheb32.dll

Filesize
7KB

MD5
5a6d6cb723559e3ca53d711abd920b1d

SHA1
dc6c21d7ff54acecd9a8a26e590eef78e4e37449

SHA256
4f48e5c64acbf2f98fb03e2b888930bd84fe41d99cab3e28ba4cb961ba16fe81

SHA512
d8f9c1105fe9f4a2104ec9b55b441134d765855788189696b55e4bf8166b7a5be60f315dd3b96c8490ad7743dc8daa41e64234ec59689fefd07525ad94465aa6

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
123KB

MD5
fadc7e1d524ce2d4044997f2e3008c34

SHA1
a06d37e4ababcac8088796a7495ac9abff40422e

SHA256
ddb1c3f5c1ae0db3207e7eee4ebd8c15e3e997c7d072d357a013b32a141f0335

SHA512
687f49dfb38e9e555badf045077c77d014793531fc9aaaa25cf54fdb55f00d6d5d9924301beedde88bd42ede0c9d29211da85be49b5267f28d762c725e1dad9f

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
123KB

MD5
9ecdba10aa93dcc1297b180bdc851e64

SHA1
5534d781c620a775a75d179dd4388b796f0761bb

SHA256
016d1c4f34388e6cd58df9a25c66240c4ef2f9198b086d02de8671089eee11c7

SHA512
d3b29bcfa615fd18080648f0e7802d6891fff3b9a70e64d7862a744d975e906e04b12cbd81b3bb9b17b643cb5b65a1c050048b5b9a8776ac0bc6d51e15387a88

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
123KB

MD5
dc22153a4d560c66e9b4cc7c1086eebf

SHA1
30e6eac8b8b4e2ea01aeaf8219f20268d5f4f8c3

SHA256
e5eb94e22027dd03441fffa8400b499fbddb28cc4a9af933370db08bf33c64c9

SHA512
141290d1648ff0a064a28e3374df2238b4b3545f5d410dea8c3a7268a3cd4829a0bd1db4f7d65e02ac46855793c499dc62696f80923e611c069345aca6003790

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
123KB

MD5
cc52f71e7ef8e219621f2a9583ac0d3b

SHA1
8321643e387d48d9b8ae0fb603f0c75a573d02ac

SHA256
cf7b444c6ba50cd20f19a1cf910ddc809aeb17b2b0e24eade4f5d892b7147aa2

SHA512
0aa20133ca31bcaa78c1f324bb3fe348f15e054e5527c2e3689e6bb8086dd045a57ec122a58dbbb32f59d718a8a493a1c1f3636fb86fa392b6490f9677f94e2d

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
123KB

MD5
70a717dca2f7c76a6af08761c135ded3

SHA1
bb5e2ee8ffbb49d1a26b2ff907cd1178988ffbb9

SHA256
b6949332728d617113bd09f37ccbebe036f239e85d064449c88b662420f324b5

SHA512
c22d4af16f543c5eab27b09c11d00b46d26e3a260c61ecac575cc383ae20615ed86d85163e1afac40e30e5285eef8eba9f0e7e79725a84913f442595ad64e403

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
123KB

MD5
a55cd88c1f99e739ca66e1d0b65ce79d

SHA1
2ec00d2a5f767fdb5ad725da21221d42a3395471

SHA256
856cafe3a4fa7f5c3167aba444dd836ed536f37b8ae72f49561820039c5ab61b

SHA512
7176858ec652fb858e681a6b07786e68c0253b41c4b3df3f85ae9a7bafd2252f2db36b9e2eff117e7e1afec911d5728c7e1c2b2ed4227c12970186895f63609f

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
123KB

MD5
aae1be83503857fada763137a139416e

SHA1
5760739fc4cde4104d380c5d4d7b1706ada98803

SHA256
fcd347bc4a54f8ec201db63759472da6b6a09b0d3070ec4bf1f7a50720163afb

SHA512
5910bd61e43031d8d24bd722e41ba6f731ae2aabf140eef210b9291a0a890e44f8c1606d83509b621343d4182f5d024aff10ac03d06ad27b97c6b6c89af9ad81

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
123KB

MD5
25617a38157bb9e7552aa44815f31601

SHA1
13c00533f7d768f99b3819fcaeb0f28b0773a2be

SHA256
643d1f12ee4f00d8f40d3c604def20276a62d974d70aef2ffeae13a7da8ecb8d

SHA512
1621ffb2b65ff9dc5e3c9c52589a6c9138da288d70587d7b3267aa6f9b032c51a1661153953acfed6a07a344207f4c3d5d78b1b2e9879a63d154cd5f1351c5d9

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
123KB

MD5
4bf01a17c87be56be069b7cb3ec46558

SHA1
28cfeaeccf622774572df2728bbd76559ede5da2

SHA256
725b8078c6dc154cdbfcabcdbee32cc0fce254b5397c491514ecb0910cc4e01b

SHA512
fa9ae62919432be198f7b6d8facf9d898556a0304727879e6240043e12518c3d6c239f0710566fe2a8708b692f307df8200c6994d7c1a86a2437389daf9490a4

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
123KB

MD5
44b35661d83739d4757ba12088c229eb

SHA1
2ad21978fe2be3e6910ad09c6a15c6114e291b96

SHA256
e5dac7146e3f3c13fea4f43ac279530733505bb72fffa07b6e2eb1f48384b678

SHA512
e6e1dc75c8d6f9bd66035abb6f93cbdb54adc2fec7ad111c977855aacb914db88ea6915257287076e300785464278f82b60e83a222a6e33422e25a3631a4a56a

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
123KB

MD5
6c71a08029c1f9c11a8d5d1f78f2aded

SHA1
281a2f740d7d06d80c96cedc6e23e7af9fcd5320

SHA256
4750ff338aad03777645741e3d4b2d53307d482b36aa3e7783158b256805bd94

SHA512
596228d2a3b20c7899aab8b8df0caf1e841dbf14f96be88eef9f3b83c1a8d04829ec60a01622804f8e9a9d95c06bd05d4b3cd59497b903e3e82741d13e1a6368

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
123KB

MD5
4d1b2b4c7976d5695da9722a7b9c1825

SHA1
8124479e2aaf227c87e8ba004a79255561b94908

SHA256
a21c71c32715f9d35411d4314b07d9b073462da5bdaca6ba446f3f23e3f426c6

SHA512
f5cef4caf8bdd24688a4261c53980c23477b4d4e1d7905b1d47c857162c7e9272ebf28dd6b349ec9a976d65d0d59f0cd33b1c5cc6d823d09da66766492eec829

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
123KB

MD5
480f92ec0b6978ab9aa78b4c940112c9

SHA1
28ecb16abe21ae2aadf4c64fb77d926bd93363ae

SHA256
3d80bf1953d231ff004cd1a9cca2b47b7b24ff6dc31cb7bf21995c129ffd3537

SHA512
3c8e09c5fda9cb12673ff8971abcd1e55f1b21df5e2b1778e4d6b075280ba16a352c440aded4ca50484ae032a04e8e6e0f7fd833f8c3e9614e7d224d8338549e

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
123KB

MD5
3fc83c5b69fd2a17d840bda8c6f9863a

SHA1
12ddfc52a7468e92352e97a539d27260453fe8a4

SHA256
c574ec4a170df73c653d1713496ac09cfd4b2a8bdfb3994cb510b589df0a6f8e

SHA512
202950783d99e72e1cd559b39970c4e1c7eef41fb3da365d2ffe4eaa94e100d4473554d00777f801f1ffaed0d406d21b3359d860b29f7df6647b4b2cd70c8fb3

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
123KB

MD5
8d6495e4b9f5bf5252196210b306eafa

SHA1
6f9962e6e96defe663b0475ca68d66458d93ebef

SHA256
0c9e9e7b8929511d43f7205a684dba20b0f33652c0d5bdfd6f8cec6c687a1c1d

SHA512
7f3894439ad9c1ce5a8aae468602ca174e8cab7802892abd0b571ab09678798fad7b84728e1d55540a33a1b463d0ef45a49cb1806d3e8a522cb5d53f44824cef

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
123KB

MD5
804cdd7e9f1b6c494b0d8bc81316660e

SHA1
4557da074e3ea5c004e1cd0052eb11a8caa012a5

SHA256
64261cebbc90abd84acffceb4552277a66f7090340a7aa856fb6ba878944d9bd

SHA512
77a02f1a0ca6c7e81187df0c5da0dac235a09d5e52284770aabcc15394e6825b6287763cfe11a759494e562266e4733d2da0c010962f2ad88beb14a2662ca694

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
123KB

MD5
1e49111eb2a15dde6b8c6301858b7bd6

SHA1
9231e18e075265342ed078d95e3fe38aa74833ab

SHA256
53f954c195386eb16113ff1176eae65c5fa51d00d91dfa884a55b75c4f650384

SHA512
bafdb0d4e7cff7e6c257a3ccd3ac9e66ec2234530d6b16fc6f9e174d06cfe21e9d68a65fce6e750912a2c2fc9f1ceaff095806a0d13e33eefddd7c898451e732

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
123KB

MD5
c4152f0ddc7c27dd43b0ffa09484379a

SHA1
64e433c5f490820dca637b011057db314e8f8c17

SHA256
1ccc16b15d5740b0da92247230c53863320e5db61e6f3ce68161b9ced78d25a1

SHA512
e6549df6d42192f1fe307505bfbc15d275ba8cbcb2c1fafaf6fc0a55e4b6396f2bca4e6fcdd42be962bedd2e16cf838ad5517b4ea580c11f1f10cc9af3115be9

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
123KB

MD5
3ac719a7078b7d7bce1c1cefe482d78f

SHA1
5bee8ef577e474d7cfc5c9238e36a50f24aed78e

SHA256
77faaa4a0edc818f5f8adb0a75d1da5ba8471603563d9a2444c5f9d40c7a00ab

SHA512
2be8d3dbec3ecdac12a9aae6d7aac291291e71d0ac923b32ef9a21c0bed1d733ee8887a747bda073a95d9e02930eb28dd313cd2007dea62f9440b399b14cd0ea

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
123KB

MD5
6f38595c9abf5819fc22efe0959e077b

SHA1
a9cdaf3e2a5cb1fec254851f90755361ba795099

SHA256
c947621397b7139f89f1588e841610cfbe6fdf48cb314fd5fa39934c39f33a89

SHA512
bb1f7f0a1e46a4624a58f395dc5f7add0e72f71e6b9caaf2519951bcc151d432b5a8b5a31660354c01cb945f6929c0898e202c5b07c6c42bec48460b2fb51ae1

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
123KB

MD5
3a14638826a0594e24c3cfee8ca223e6

SHA1
95452e85a314b02c7f7c6761d0c89fd40a08cb26

SHA256
eb97558ac59d7d0a884fd42d616a18dcd86fef921c42f46ad4acbdb300c3bc07

SHA512
fd62379fb342595550be6ae9fe600da397c74935cdd0968b1bcb49c2f19f04e031120fcc78e788bbc309921681bede2363a225043ec10cb0e2c323a9ac403aa3

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
123KB

MD5
f46f9ec243a9d0c92281ef754cb661a3

SHA1
103d32b874fb32555c5d38abe477d20d4c3100a2

SHA256
8531192a0154b06695c79b405b1597fb306de8441c4f15215153aac7373e4493

SHA512
9a972c423d21f3201ae7dad19e673c2e270c2e864d0718352173fc8e3d06e4efe82fc250b05252f10103b8f170fd75342c406105e1cd4ee9f1dc539494124675

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
123KB

MD5
045a7bc87e6fa7ac5954daa246fd3740

SHA1
895556879f1b0ea1d5212de48c1a9b893275234b

SHA256
b928ff69db070065ad886f9dcd005149377f3fd534cd941a0a878314b4b548da

SHA512
80b5803bf393222b07a89f9d890229a2e6b1b1989f25ab014a26c22826465e55b3098043adacfe2884978257ce9479cd51b04d0f6a3b64e22cc826a5ccf71f63

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
123KB

MD5
508aff89f6d00ff08fb4eec739de9177

SHA1
01a0ecffc62678b2db6e308f3d8396b41f410a83

SHA256
2925face43d42db0ccda477eb6558c2943262433eb7687da132f11c3fed6989a

SHA512
bdadac0fb60afb70ccef45b219f09b5b3dd7ad52d4a0c608bd038fce05e366d362d5061fdc36fba641d7539db9570894d3838be7f2cc0e88e4d4110619c65a1d

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
123KB

MD5
72932aa73c1464329bdd41ea7d21bd54

SHA1
6065c506e6fcf3b18537d6559e8531ac775d4ff8

SHA256
464913b59b0f69d62480c6f95344105e73e62a03741863ee9afbcf29e687c875

SHA512
56ae72fa79a31e24b698f5d7d48850690fad736442ec14bae6949330a6b30c5882879a298d5ecc47ab2dc91ec88c2f5ef7ad302f70644ef611551c3324d73416

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
123KB

MD5
3f200c833f2debaa38f1276cde5a1285

SHA1
7ec13e0a5b7d442a1581c9d8ca24a2b736c9a2a0

SHA256
bf2901bd9070be62885927478f40ae4e7372e5e2f9cfd1e14e6cce7d12a4cc0c

SHA512
ff3696f7fafee28f0da9cc6aac9b9041abe4e34ccae597557c10e96f3ce3f990cd39909666e27273c58e9fc441623a65efb6d26f33ee1ded83c1673bdfc7ddb7

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
123KB

MD5
2cee544ee4cbf9eabfa93392bd69d8e8

SHA1
c4328c9a949df620a8499764f5ed3e427a16e4fe

SHA256
a88dd761fdb9882fedd378e2631c8b2dab5a4a791e6eb1268a6fe45e19086f7c

SHA512
5b19459201555d6aef189ae6f57c80f4d4aa97a4904bc7a5e0e7e5137c9b2e1f39e722f2e31549c2f7c7cf0ec272f94fa29d850bbff9e55134ca7b57c12fdbf2

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
123KB

MD5
2614da9af85de3aa2bc77d70e6404b01

SHA1
f9ca38c184175ba439ad9460e104777e3904c312

SHA256
38caf82ae8480db08c854d756be23b0ea9cad3736077eafcbc6e0b786c30db56

SHA512
cee0027fd86101b16e29de714b724315cf82f391a23f2c1f81b99d4ea20defe68b2122d730264bf918386a6396199a6a6466472a1828af5c6fac0e5bb3ec4bba

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
123KB

MD5
bd529fe39c5e994729bd3be2d5993bf7

SHA1
0cf25f8e6b95993f77d6cb43aa88cf09c1403c2d

SHA256
596aebc8e29562bbe75298ed35f575a69118f8b9537339c7008766814b96c1a4

SHA512
47d665c0301fae133eba893404a0ba8b5244e5c33a7a5f2bac934e0038e6c9b58b43b1391f3cee3f74e7cf96cc1fdbad82b9eccebba896cffba5801ec5fa619a

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
123KB

MD5
571b05a2b875a2c4d22fd82cc0b6e958

SHA1
b018f29ebe3327c887c23a264e3e4d0098ecc52f

SHA256
0babaca60ba5bc6a34f46783086f6979d4a8faccd80bcf3312f0db2228f16cbb

SHA512
e4054e0178064108e4dbf4d742c40caf4715fb3d75d45434f1a73b8edf3ff36d257c0b632b5063fdd3c0c687ce79dc97289a19b976c3179b01ed1aa5fc531fdc

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
123KB

MD5
5c8408a63451172aab0b31ec3f1f0007

SHA1
67904dd062d5e0d949a535a435ec0f9fffe6b13e

SHA256
c5e45bf9a9309c83199b99d9db7e64ff212872dcd4b91db33850cfeb5c3798e6

SHA512
c5ac72b8b2b5b6ec9d9b0edd3d2d9af00b0f31d7ca4a3b15de1de01cabfec4d3c3b590f4d49fb9bb24367a554c70b032e77eb57249ea74a313fe5100146e9d89

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
123KB

MD5
e28736cf59c71262881f71a56e562d03

SHA1
74f1a9973177db615ccd3dfee5b9a758bda4967d

SHA256
213bb5515d7ed8759e3e900854bcb18f88506048a2b523b8e753125681c9c5df

SHA512
f823349b718d4e67390bcf2cb4d8afa126aa234bdb24f8a1c2fa9e682f0ecc3c03ea17f0c3d88f56313881233ee3ab98b83d9f413896a34d401ca10ba3dd3157

Download Submit
memory/216-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/216-200-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/224-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/708-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/772-244-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/772-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/940-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/940-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1140-422-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1208-337-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1632-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1632-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1756-379-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1776-174-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1776-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1780-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1784-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2020-325-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2144-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2144-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2244-385-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-277-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2336-210-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2392-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2400-192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2444-253-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-269-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2848-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2848-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3012-165-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3012-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3120-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3376-245-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3380-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3380-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3420-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3420-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3688-416-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3704-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3764-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3764-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3808-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3840-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3840-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3904-319-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3984-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4012-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4076-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4100-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4100-227-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4132-289-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4192-261-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4280-373-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4292-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4376-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4560-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4560-209-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4564-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4568-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4608-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4692-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4692-218-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4700-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4700-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4736-201-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4792-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4800-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4976-228-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4984-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5096-283-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5104-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5124-424-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads