169babe0c1fd6e56cef21734a368cec51f7729858b4aa1c27640de14bdae7eda

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c99e993b02c9e23fc74e3603e093c720N.exe
Size

96KB
MD5

c99e993b02c9e23fc74e3603e093c720
SHA1

684e648e08e0d4ac47797bcc92ea1c4da20277c1
SHA256

169babe0c1fd6e56cef21734a368cec51f7729858b4aa1c27640de14bdae7eda
SHA512

db70ec12c1a6c7e1491a03023b8d93d835c002e115395e77393bc7d303c914d620d341dcdcf9c32aa058424449e384b7a671be21ff1ee7b23a599e9e3d62c2cd
SSDEEP

1536:nD3yGwJf1TsjFhU1GFKG1UNGpitJ8KGlnh699tXAghFRWC34MduV9jojTIvjrH:n4JfxsjU0K6AGphLhuLzhrb34Md69jcs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcjmhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c99e993b02c9e23fc74e3603e093c720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c99e993b02c9e23fc74e3603e093c720N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcjmhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnkhjdle.exe

Executes dropped EXE 57 IoCs

pid	Process
1828	Hnkhjdle.exe
2156	Hgcmbj32.exe
2280	Hbiapb32.exe
3044	Hcjmhk32.exe
916	Hkaeih32.exe
3736	Hbknebqi.exe
3904	Hghfnioq.exe
5016	Ibnjkbog.exe
868	Ielfgmnj.exe
4856	Ijiopd32.exe
4508	Iencmm32.exe
2472	Ilhkigcd.exe
4524	Ibbcfa32.exe
704	Iccpniqp.exe
5088	Ilkhog32.exe
4788	Iagqgn32.exe
3360	Iecmhlhb.exe
2336	Inkaqb32.exe
4580	Idhiii32.exe
2924	Jnnnfalp.exe
1524	Jaljbmkd.exe
1036	Jlanpfkj.exe
3316	Jblflp32.exe
3156	Jhhodg32.exe
4844	Jjgkab32.exe
972	Jelonkph.exe
4768	Jnedgq32.exe
2412	Jacpcl32.exe
4020	Jhmhpfmi.exe
2988	Jjkdlall.exe
2052	Jeaiij32.exe
2144	Jlkafdco.exe
1548	Kbeibo32.exe
3840	Keceoj32.exe
4312	Kkpnga32.exe
1556	Kajfdk32.exe
1500	Klpjad32.exe
2004	Kongmo32.exe
2260	Kehojiej.exe
4336	Kdkoef32.exe
4972	Kblpcndd.exe
2300	Kejloi32.exe
2476	Klddlckd.exe
1908	Kocphojh.exe
5076	Kdpiqehp.exe
2400	Klgqabib.exe
1348	Lacijjgi.exe
2232	Lhmafcnf.exe
3856	Logicn32.exe
2544	Leabphmp.exe
2168	Lddble32.exe
4348	Lknjhokg.exe
3692	Lahbei32.exe
1332	Lhbkac32.exe
3752	Lkqgno32.exe
1764	Lbhool32.exe
1920	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kehojiej.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Hgcmbj32.exe	Hnkhjdle.exe
File created	C:\Windows\SysWOW64\Iecmhlhb.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Kajfdk32.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kejloi32.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Hbiapb32.exe	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Qhomgchl.dll	Jelonkph.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Klgqabib.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Ejioqkck.dll	Hbiapb32.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Gqpbcn32.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Jelonkph.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Mfodpbqp.dll	c99e993b02c9e23fc74e3603e093c720N.exe
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Hkaeih32.exe
File opened for modification	C:\Windows\SysWOW64\Hghfnioq.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hghfnioq.exe
File created	C:\Windows\SysWOW64\Cadpqeqg.dll	Iencmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Kehojiej.exe	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ilhkigcd.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Hmijcp32.dll	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Hghfnioq.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Ielfgmnj.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Hbiapb32.exe	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Jelonkph.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Hbknebqi.exe	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Mkojhm32.dll	Idhiii32.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jjkdlall.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4016	1920	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkhjdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkaeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c99e993b02c9e23fc74e3603e093c720N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhkigcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbiapb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acibndof.dll"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c99e993b02c9e23fc74e3603e093c720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoca32.dll"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadpqeqg.dll"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejioqkck.dll"	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keceoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1828	4620	c99e993b02c9e23fc74e3603e093c720N.exe	90
PID 4620 wrote to memory of 1828	4620	c99e993b02c9e23fc74e3603e093c720N.exe	90
PID 4620 wrote to memory of 1828	4620	c99e993b02c9e23fc74e3603e093c720N.exe	90
PID 1828 wrote to memory of 2156	1828	Hnkhjdle.exe	91
PID 1828 wrote to memory of 2156	1828	Hnkhjdle.exe	91
PID 1828 wrote to memory of 2156	1828	Hnkhjdle.exe	91
PID 2156 wrote to memory of 2280	2156	Hgcmbj32.exe	92
PID 2156 wrote to memory of 2280	2156	Hgcmbj32.exe	92
PID 2156 wrote to memory of 2280	2156	Hgcmbj32.exe	92
PID 2280 wrote to memory of 3044	2280	Hbiapb32.exe	93
PID 2280 wrote to memory of 3044	2280	Hbiapb32.exe	93
PID 2280 wrote to memory of 3044	2280	Hbiapb32.exe	93
PID 3044 wrote to memory of 916	3044	Hcjmhk32.exe	94
PID 3044 wrote to memory of 916	3044	Hcjmhk32.exe	94
PID 3044 wrote to memory of 916	3044	Hcjmhk32.exe	94
PID 916 wrote to memory of 3736	916	Hkaeih32.exe	96
PID 916 wrote to memory of 3736	916	Hkaeih32.exe	96
PID 916 wrote to memory of 3736	916	Hkaeih32.exe	96
PID 3736 wrote to memory of 3904	3736	Hbknebqi.exe	97
PID 3736 wrote to memory of 3904	3736	Hbknebqi.exe	97
PID 3736 wrote to memory of 3904	3736	Hbknebqi.exe	97
PID 3904 wrote to memory of 5016	3904	Hghfnioq.exe	98
PID 3904 wrote to memory of 5016	3904	Hghfnioq.exe	98
PID 3904 wrote to memory of 5016	3904	Hghfnioq.exe	98
PID 5016 wrote to memory of 868	5016	Ibnjkbog.exe	100
PID 5016 wrote to memory of 868	5016	Ibnjkbog.exe	100
PID 5016 wrote to memory of 868	5016	Ibnjkbog.exe	100
PID 868 wrote to memory of 4856	868	Ielfgmnj.exe	101
PID 868 wrote to memory of 4856	868	Ielfgmnj.exe	101
PID 868 wrote to memory of 4856	868	Ielfgmnj.exe	101
PID 4856 wrote to memory of 4508	4856	Ijiopd32.exe	102
PID 4856 wrote to memory of 4508	4856	Ijiopd32.exe	102
PID 4856 wrote to memory of 4508	4856	Ijiopd32.exe	102
PID 4508 wrote to memory of 2472	4508	Iencmm32.exe	103
PID 4508 wrote to memory of 2472	4508	Iencmm32.exe	103
PID 4508 wrote to memory of 2472	4508	Iencmm32.exe	103
PID 2472 wrote to memory of 4524	2472	Ilhkigcd.exe	104
PID 2472 wrote to memory of 4524	2472	Ilhkigcd.exe	104
PID 2472 wrote to memory of 4524	2472	Ilhkigcd.exe	104
PID 4524 wrote to memory of 704	4524	Ibbcfa32.exe	106
PID 4524 wrote to memory of 704	4524	Ibbcfa32.exe	106
PID 4524 wrote to memory of 704	4524	Ibbcfa32.exe	106
PID 704 wrote to memory of 5088	704	Iccpniqp.exe	107
PID 704 wrote to memory of 5088	704	Iccpniqp.exe	107
PID 704 wrote to memory of 5088	704	Iccpniqp.exe	107
PID 5088 wrote to memory of 4788	5088	Ilkhog32.exe	108
PID 5088 wrote to memory of 4788	5088	Ilkhog32.exe	108
PID 5088 wrote to memory of 4788	5088	Ilkhog32.exe	108
PID 4788 wrote to memory of 3360	4788	Iagqgn32.exe	109
PID 4788 wrote to memory of 3360	4788	Iagqgn32.exe	109
PID 4788 wrote to memory of 3360	4788	Iagqgn32.exe	109
PID 3360 wrote to memory of 2336	3360	Iecmhlhb.exe	110
PID 3360 wrote to memory of 2336	3360	Iecmhlhb.exe	110
PID 3360 wrote to memory of 2336	3360	Iecmhlhb.exe	110
PID 2336 wrote to memory of 4580	2336	Inkaqb32.exe	111
PID 2336 wrote to memory of 4580	2336	Inkaqb32.exe	111
PID 2336 wrote to memory of 4580	2336	Inkaqb32.exe	111
PID 4580 wrote to memory of 2924	4580	Idhiii32.exe	112
PID 4580 wrote to memory of 2924	4580	Idhiii32.exe	112
PID 4580 wrote to memory of 2924	4580	Idhiii32.exe	112
PID 2924 wrote to memory of 1524	2924	Jnnnfalp.exe	113
PID 2924 wrote to memory of 1524	2924	Jnnnfalp.exe	113
PID 2924 wrote to memory of 1524	2924	Jnnnfalp.exe	113
PID 1524 wrote to memory of 1036	1524	Jaljbmkd.exe	114

C:\Users\Admin\AppData\Local\Temp\c99e993b02c9e23fc74e3603e093c720N.exe
"C:\Users\Admin\AppData\Local\Temp\c99e993b02c9e23fc74e3603e093c720N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\Hnkhjdle.exe
  C:\Windows\system32\Hnkhjdle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\Hgcmbj32.exe
    C:\Windows\system32\Hgcmbj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Hbiapb32.exe
      C:\Windows\system32\Hbiapb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 412
        59⤵
        Program crash
        
        PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
1⤵
PID:3956

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4444,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmaoca32.dll

Filesize
7KB

MD5
3f8bbedb8483f6b72189f4d0ef2f1c31

SHA1
cee90786fc22121a800153e0fd3f56f7f350f160

SHA256
f25def39ac90a9f8d96d94f6c6a99636caaaf5279bbfcb351e91affe16954803

SHA512
0bb9b8f5fa688c8a100595d33e10d52d260f3949b0e1a2d79e544d2d1ab34860e0ee691ac04546c9fd045f95cfa50336fa1136696b6422f8397f968270a7df9b

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
96KB

MD5
2150407e6e818ba2666ac6b567c8033a

SHA1
8869d68e5a2863804b75cd49bb3826da33b1b999

SHA256
3416e4d0bb614ff05f5eca16cc54a43291970c9ea467698a2913bce91ac1b5dc

SHA512
83ae0160bef4b6320317db20aedf54b629b4a8288338dd1151de33774fae072b1949432314dcaa70089e1b655ec9c0d544cfddcf15901a1fe0f3ff769d82cc9c

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
96KB

MD5
2516e36b05934093529f4a7a484c7d46

SHA1
f3c509e16b0120c1853345fed749c3869e3aaaaa

SHA256
8b4aa6d7ac218fded42cc8fdb2cd71105301c72b8cb7a9e11bb5757b9f296ab1

SHA512
cf17a3a6e80182ee1a1b07a92b0f34d9d7f60a16906b34249402bfc04743c78c058b07228bc51ad8603025bd176f137e047032bae25ad6e62022d58b1584320d

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
96KB

MD5
e09cada28ec293c403730ec73bb1a269

SHA1
1822f7c5aea696f5b82f2271a09218af944044f3

SHA256
c4b1283473c63ad2deb12f4f51035e12d33a43c8c6729506f7beed141e978aef

SHA512
d6b19a9f2a896e33140cb59a08c7305a11d96de53834232d6f784cb245316783a40bfdf60bcbebab9e1a084723bb573fe3b6805ef26237e429aa9beb316115f9

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
96KB

MD5
66ef277669b867ff97c319f2d4ce9d3a

SHA1
541e6e539cd43926feec757cdf10a5718a6f4f66

SHA256
ea0a73a5e86ca65d05b4cf3386e1399b245eefd12c6ffa7172cf241b9854ca26

SHA512
65b83162c0daf26e970a3b342d07667255fa250134203be0284715c80281362208f75b7f9187f20975a2a5b32084c408c90706edf82f9fd495fdf251b78c1526

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
96KB

MD5
53affa412f020108d00b299d2595d7b2

SHA1
73105352c22c786c2da252dccf41de551f8209af

SHA256
2a5156a9140797e61709b2fe83c88c358dd5f2aef506b12a93e252dfd4dd07d2

SHA512
a640bc9f19f450b7cf6b637e96f46c70702a67cf665873063cdda6984821f15d6827b5bcd432eba4a61b45730e1529030568dfed309103fcdc58cb274d658d70

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
96KB

MD5
241d635912e277a7e23f7bc3b89e5684

SHA1
c76782b4382a7665a2f2afdad1ba3238af4482f7

SHA256
94bf1cdb0b3b2dcf4999496863c31207f070f6d34707cbb4271e684163c149ba

SHA512
af9304891a17018465a53225c08b432dbdac35a1d21cda3d3c1c3817583f5bc85b18c252a8d7a76bf3284c159e84492de67c061acccd0f254cf5761ecde60dcb

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
96KB

MD5
486ed1907847d329fa0ca326553c4e74

SHA1
1e0e8b60abb4d3480b5115ba1903c8287a5b3004

SHA256
25d615248b3d772829704be3ae7185b593d796288fb788bad66b02c67d662e34

SHA512
c2c9c13b06214a678692788d3c262b553f4e8cc567307b5bd6974a866b516c06f475f6f01f3fad545f941e369788c09706d2661c871584c823f58a89e43f0a02

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
96KB

MD5
70b9dbccdad0ffc002d872f960c9a933

SHA1
32ca84fb820ebb9584cb0620c6103509082d958a

SHA256
f41dba6390776d24321402803747c3fb4d7e6253c3a18c2642237e91f34feafa

SHA512
075ad3a7d92cc8d97ec823d7a12fc667ff203cc0bdb259dcd9f242eddd955a2d6ca4e85e80484cee0e5831cd22d8014821d58443841eeae4529755502268bc8b

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
96KB

MD5
9aaac17cacc4ae0955c8a79e0599b12b

SHA1
a77a4c6cdfa895a6a6d8a1ad590e03471c60ed63

SHA256
84feb8e28277a4768a9999609f424f2d14294e56a6dba4aa51e10cbb3a4e9eb5

SHA512
bede823d279edddce74a005280f4e7919d6ec821110f9f9c289ca5c872ee988069f6534913fa6b41ee608f3a21b86fb977689ecef18d3550cc3c98457d3d86c6

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
96KB

MD5
7179de8c92f5e3682c5a045679d66274

SHA1
b31604106a28b5361844e00ccf423a450a7a36c4

SHA256
48f1058af343c66c4de2226cee81340ff11ba2149e59d5d80710f3148d3518e7

SHA512
fc850be662e9036aff76b8d811d9ae64468b6e4764635d995d323e51342c90aaf330797bdec094e0f43d986a07299343773362b76973f2e21ead007a4bf3e703

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
96KB

MD5
535b1437e6d077eecfa65df305925487

SHA1
2f133796dd6cc96b2469328562a0272401a2b463

SHA256
845d16d1a783c314f240c45ef539a7719b9dee0551c595cab71b10c34d9fd14f

SHA512
796a89030697ff5f86987d4f920b5cc9644593af93e458d5a522be7304a86fc1dd20ffb24f78db1946c599e4933974b0b03fcf3774c700d78b5d913941df8972

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
96KB

MD5
74d8cc59a29454d04a66f0c442d028e1

SHA1
9bfaceee254f17dc8cd42d36bdeedf2cfc644597

SHA256
15739cc310ba5c6f330e59e7fe25ee07f19e08f64baee14a7cb5aafeacd5c704

SHA512
80295ce8f10ef36de1483cd3dfc6789d01588d2f9a3be9b9b0f85db5d6f4a7cb811b0eb71095847b7c02bccb178c5c9995634c721dcb1d481fd521620d7cd5c3

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
96KB

MD5
3678eb05c87c30c0c6f738c0c04840ba

SHA1
aa4ea789fe5d76168296a95a56c3cefcd06b4b5d

SHA256
60c7859cebf1d7a99b01e160645673ff41178317d01601fe2570568b1e9b8fde

SHA512
7b1f8a9e7d6c6682569c38033bef809420fc8e30e2b1780971769218849fa3bc6abe01965f94a2619545edd1c42e9145ad5913b8ed4876276d8e1e692b5bbd20

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
96KB

MD5
2370518b575a6c07bfc5fb6d74b9eaf4

SHA1
ce0e48effbbb75b8ea87681a38821fde05b4e13e

SHA256
5b3d66f991e6d43202f4c98693c880e1042dd5a0d457dd41918af6e8604cb224

SHA512
577016cba08b4de5e4d93e1a3182d391ba6e3dd90059b00ff9e1914deff33b4fcbffdc7ce841e11754d61c0d4da94bc8bacd4f29909262616e824f92da36c88b

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
96KB

MD5
d7656440c56d5deee73bddff55cbe3fa

SHA1
f8b5fbfd3eb6c57754a7876dbad63391c95edc82

SHA256
60690b7d5522cd1548ef37c79c6f57ac8cf0f3e40d5202caefa839d8f53a2d9e

SHA512
f2313c59f14fd36ad5735ef617f7938a4d9c9554938c97d62c78e7ccea70e09628c862c6eeefe25ce686ff35fafc042df7f31ce257d7197c410b7e3df34972d9

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
96KB

MD5
596c8db311f8a80bee087c608ab45dd4

SHA1
46d0999d071f9b2475941729cdd37e90615bae9b

SHA256
1b209837cc7be831e61e13943c8d4803ded92cb70ba99d0f5ac1fea746c3e272

SHA512
576f3de0f338479e31ef1a7f16f0b05e5740a70dfeac4f7d52b20b7e8014c9d3365e8f96beeebe0c37736e19265d60b7c4e08991154fc44e847c60449407c9fc

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
96KB

MD5
138bfb9c82c113157137c25ecab5745d

SHA1
39a3cb3b9cad061705eb0c855dfc45c75f22ff01

SHA256
dea90915711e6a5318f6b88fe892eddb70d4ad16d0a1b0f7e8e3194e8ee6ff9c

SHA512
030038a200b79d1aa7c4dad0489a6f62032f84f03b3268a3c3378bbbdc5753e5f62486acc1954da021ed41d1f67164a7d46d7a57c008259c9e6fea6de964fb72

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
96KB

MD5
5ef4f90e7731811235c4cdcb76b71f4f

SHA1
845b09194ba7a1d8eba225f4577915170e7caae2

SHA256
7327e1b13864deaeb7f0d8ad347b3e5c2ac938f1ca4c55c18c35dd00793d0344

SHA512
f24c6f916686b93a891dcd1f9fd26e8e16de9c0d1289147fe3348eda1c0e411f1cc8c80dc1ad1dc6dd00b83b0210b5923a7ad2ea692a5672d0eb6f89f749abfa

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
96KB

MD5
058b174877c840d9ae4391426b62bb3f

SHA1
45c2859056b895e2f2edf6be6bcea60b0cd06d26

SHA256
a8cd35670a272f7f45355132afdfd22ac11a21ba2b0f2ce3b001b542e99773d6

SHA512
e27572afed97b4100182182587e3e6d7c23b64b78796e31646456e2d82db66dacb003a605c70ca8e42d7a1eec71151b56a660091dfbc3f47a0a1bf40bf93ff6e

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
96KB

MD5
ecb783378af6d6e24c1e09c2f30721d2

SHA1
388cf22286480b158df33826831403bde98bcd06

SHA256
a6cdf22d60d620be6659dde0a5a12ce46652c3bb91891ed9e9b0b44e2009fd54

SHA512
51c0c88349cbf9a19242062453227a48e39713356fb1e5858786455ccbffd6c421283e15175a128199949d14156783374416476b6885f9f445362f56f9c75426

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
96KB

MD5
01cc17237c6d02d5236721f95747a7d2

SHA1
8e16a24265f693b0122fb226ec541d591b9a9d3e

SHA256
e8fc4c442f6f0f974002caf7a039a82c08a0362966f1c4ba358eb4e8c3348154

SHA512
26ea14cb53b2dcfcd7aeeb8ea1b13c8b5792f9fb29d874925a22f17e4419180e9e38f33120bfc41ac6aefb7dfe2c7a7803d537e247a88762cf6ebae83d3bd30d

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
96KB

MD5
79227770f0b174900f74837c6fb0dbfe

SHA1
d5d233b074503377a47bc6564b50e27d53d2bbf3

SHA256
b87ce1a023840d1a76e1bc686f1b239fddcef75590df3fd03f864a8d0324f416

SHA512
88cda5226dfa992d0f8e8c3c1a099297b08c06930185256e91b9ca0ea93bcfdb75d9d945cb6b45aaefbce7b082e51710f13c442ef3e3c0bb2e8b53b1ec19ec10

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
96KB

MD5
b2fbd2b3df5e63e1c45507d8ccc70f42

SHA1
9d094edaf417dacb88dbb4c6e0bd541386bb4256

SHA256
c97701d53204d708e67ef92a770ee466ec4ae802bbee1f58091b9bb90478210a

SHA512
33e272894c3f36151b385cbf9b8ed9b44006824a27a9cc3c3e89bc84e6b1add051a855f5e081681bf74299673bb8beabd176fe2907ef52d2d8ea96d4ede61ed0

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
96KB

MD5
79f93a5e9acf9bd96d03ce3436fa1e13

SHA1
2df7fd8bbd5e2a0bc9a2f3606f61a5c0ada7ee3e

SHA256
21b92c913cf6f2672e1d24e59471e774f5a98a3cb9625de7489b2eb375bd825c

SHA512
c7f38a5f3d851f49c639c69f76b3f9f324d5e9d3415dcaf9981971880c36b29bb00f0180a92bb280f3660363a0d7e9ac5c31ecd25f07666015bc2827262728f0

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
96KB

MD5
39e77acb45ff0282ab5a181121131903

SHA1
6aa561026cda449df9a3c03ac5f35c3ea4b90609

SHA256
bce33e0474f426b6dd47e5ae010ecc126a8da8d0105efbeebd4c0240874876a5

SHA512
1ad60132a0646ca79ccebfda24855f71e347020a4751dadb1bf72300be5b38a81c3b5fa3a296729a46190ecdaa645c4f753abf1658594d08e2406c6ca07a9729

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
96KB

MD5
a75f796ce734fdbd022a6a72327994c8

SHA1
1930ef1b080f560f5f0abd9c869d6da2ea9de6b2

SHA256
e0f9a4de6f7c65c300b7e74d979134f25d3a929e78bb161ed5a804531f71e135

SHA512
de76dc26ad3ceae70664a824f39349fd985056a841d9036fda2a69e2d26e286c6d40e3f67035ef429c90232e894502c5ce04ca8db9ddbdccf400540cb5763708

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
96KB

MD5
11def88a6e29c97cec4ffedaa84dc0e9

SHA1
32d83245aab8f35d006343efda1efe428274f138

SHA256
3858baa7b79e7a2533b9f885c861f0204f6fca4f2eb9c08ba192c9062ffdebab

SHA512
eeb39b13c14f0acfb439e935dc2c708034bd970222174a75de9d247a9ec91970013fbd7440348db2816769ee70ee0a7960d4a9ffc62fadfc0e10ea33736817ec

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
96KB

MD5
46d00cc29da882f10fa1a0154be7223f

SHA1
aa66989e2600395009008c326243adb10bd9fce7

SHA256
63b61459ed94e5f39f6a44da9d69e03f30d7f662d3ae559919ac9bc400fdf6a3

SHA512
91c631d8c3919fcd9f1ac670769d45ec249ba014b1f31445c042ea6e5f53937b5e688c34e8d7b3788fb71fbb0c66d8e60259e2028833caea6540bc12c826cf70

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
96KB

MD5
7424e475c5d1fbd8947460e7fbb70d5d

SHA1
cf61baeed95e7faf4d9f158284818848bd276fee

SHA256
04ea37a43ac3b9f2e407d02dbc8ce93d4d41a74c71183d27f07d7c76738f9efa

SHA512
73fc9811976add8fd1e7a5a1f3fe4331b886b8d237dca119eabfca65fe4c76afa8ef3ea465c55cdc1b3dca19406cbceae480f4b411fc2aa268b14f5caf85721a

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
96KB

MD5
ad99351a170cb513042491394fc0161a

SHA1
5e66d4e68c43eeb0a66f460b5cf8205b0c107fe5

SHA256
0df9972c94411e1820bf500cf9dc52401544fe18823b07cd78a6a89bc50dfd04

SHA512
1fe5d8bd4d04c6eb24a2003fc66baee7d3853ac7b35db7c1405b4432ee3637471847b64f3b4f8bed5beb5832e33fa034fcaf1bb1eb5bbcff4d4ffe5d2f488a2a

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
96KB

MD5
b1a7df2a84168ab1e709093f049cbaca

SHA1
2ed31b3596a40badc4eb17ce2773e481728f32ad

SHA256
1d9028be158c710b8c50f1496199c45c8f369d91937a25cb13598213ee096cb6

SHA512
b218ece7c86c17b0b54d0890bec0ae6a21bb035bbe8c31a88377453c65773fbeef7bd25a58ef79fbc57ba81cdf8ffd675c26e7269c1472f1ff247f2f0293bfd6

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
96KB

MD5
3a6f5caefcff48f95ae22b168c2b3b69

SHA1
1fdcd8b3e56744492ceabcdf7ef3b17e2cad5917

SHA256
a19ffd98bb569db0930e277806928762b5dc5e54884eb88c3deb67b10f73b036

SHA512
10ee47e305bd5e631e759b02155d19f6060582ccb1ed8a5e38d9a676bfc1916ef6b9c79c5232fcbeff010b8f5db78637ac4f7d8317c3b0e503e910b35c1450c9

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
96KB

MD5
492fb5c2c9e3716b5764c270f595648c

SHA1
dc80d822214d9154701518a5afe42b3466e20b66

SHA256
3497fed312942ac1b9ee5faa273d7b3889bd0cdd97012eda9f966cbb078187d4

SHA512
223d9e029f0ce50f219c092afa87737f8a7b7b9c5d2d7ab744f616c040cfaf497a8774775677f25607bbdc22e446ea32a5dc9c8a1ec1f7689ff7eab357319a71

Download Submit
C:\Windows\SysWOW64\Lhmafcnf.exe

Filesize
96KB

MD5
bdd38685bca74823cdd91d5871468f53

SHA1
1cc40fc6f69b6767b4a1844a1c0ca8b62d0171c8

SHA256
c1c4ee75408b6216019f8523ff68a485a2b15f5e91042b0247ec41827fa97782

SHA512
cffbf38b4398043048a0d66627fb889469bb9c2d57a6f90cee1a570c9d930983de5aeb6d9317ab7e1cf2bec75ac4afae124eb0d15f6d5c3cce8d09582df61420

Download Submit
memory/704-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2280-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2336-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2336-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3156-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3856-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3856-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads