berbew | 2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9

Analysis

max time kernel
124s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
Size

96KB
MD5

b0d353f27b0af4579ee54a3b55d1ea32
SHA1

4550f2c4c9a0c3d8c6e4495887af56add8d6b65e
SHA256

2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9
SHA512

a3f248bcb1702842ba95834e34375739be0a3d5cc8ab10803d1ba7d0ec6521c90e539c24da805bf3abf41ab92eb2d1a90ea6def10e790f7084e936554738d1f8
SSDEEP

1536:41DfAxredq+mqvRzi1QM6icwis2ZuE8TNI/BOm10CMy0QiLiizHNQNdq:41kpsmqti1aZCI5Om6CMyELiAHONdq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kehojiej.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 58 IoCs

pid	Process
4948	Iloajfml.exe
3664	Jehfcl32.exe
4376	Jhfbog32.exe
2196	Janghmia.exe
3616	Jhhodg32.exe
2912	Jbncbpqd.exe
2476	Jdopjh32.exe
4432	Jjihfbno.exe
1908	Jacpcl32.exe
1616	Jlidpe32.exe
2728	Jaemilci.exe
1004	Jhoeef32.exe
4856	Kahinkaf.exe
4408	Keceoj32.exe
1864	Klmnkdal.exe
2232	Kkpnga32.exe
3208	Koljgppp.exe
4684	Kajfdk32.exe
3856	Kdhbpf32.exe
4788	Khdoqefq.exe
320	Klpjad32.exe
2188	Kkbkmqed.exe
4580	Kongmo32.exe
4084	Kalcik32.exe
1148	Kehojiej.exe
2952	Kdkoef32.exe
4340	Klbgfc32.exe
440	Kkegbpca.exe
2380	Kblpcndd.exe
2244	Kaopoj32.exe
3392	Kejloi32.exe
972	Khihld32.exe
3736	Klddlckd.exe
2696	Kocphojh.exe
2412	Kbnlim32.exe
884	Kemhei32.exe
3444	Kdpiqehp.exe
3064	Klgqabib.exe
3816	Lkiamp32.exe
1772	Loemnnhe.exe
4252	Lacijjgi.exe
4472	Ldbefe32.exe
2080	Lhmafcnf.exe
3608	Lklnconj.exe
1260	Logicn32.exe
1948	Laffpi32.exe
3340	Leabphmp.exe
4288	Lhpnlclc.exe
4960	Llkjmb32.exe
2764	Lojfin32.exe
1100	Lahbei32.exe
3524	Ledoegkm.exe
1436	Lhbkac32.exe
4500	Llngbabj.exe
1548	Lolcnman.exe
2336	Lbhool32.exe
4612	Lajokiaa.exe
4900	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Koljgppp.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Kajfdk32.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Llngbabj.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Lamgof32.dll	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Mhfdfbqe.dll	Kkbkmqed.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Gpmmbfem.dll	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Iloajfml.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Kahinkaf.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kocphojh.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Iloajfml.exe
File created	C:\Windows\SysWOW64\Jaemilci.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kejloi32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Jhfbog32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Klpjad32.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
928	4900	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acibndof.dll"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Jhoeef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 4948	2884	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe	89
PID 2884 wrote to memory of 4948	2884	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe	89
PID 2884 wrote to memory of 4948	2884	2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe	89
PID 4948 wrote to memory of 3664	4948	Iloajfml.exe	90
PID 4948 wrote to memory of 3664	4948	Iloajfml.exe	90
PID 4948 wrote to memory of 3664	4948	Iloajfml.exe	90
PID 3664 wrote to memory of 4376	3664	Jehfcl32.exe	91
PID 3664 wrote to memory of 4376	3664	Jehfcl32.exe	91
PID 3664 wrote to memory of 4376	3664	Jehfcl32.exe	91
PID 4376 wrote to memory of 2196	4376	Jhfbog32.exe	92
PID 4376 wrote to memory of 2196	4376	Jhfbog32.exe	92
PID 4376 wrote to memory of 2196	4376	Jhfbog32.exe	92
PID 2196 wrote to memory of 3616	2196	Janghmia.exe	93
PID 2196 wrote to memory of 3616	2196	Janghmia.exe	93
PID 2196 wrote to memory of 3616	2196	Janghmia.exe	93
PID 3616 wrote to memory of 2912	3616	Jhhodg32.exe	94
PID 3616 wrote to memory of 2912	3616	Jhhodg32.exe	94
PID 3616 wrote to memory of 2912	3616	Jhhodg32.exe	94
PID 2912 wrote to memory of 2476	2912	Jbncbpqd.exe	95
PID 2912 wrote to memory of 2476	2912	Jbncbpqd.exe	95
PID 2912 wrote to memory of 2476	2912	Jbncbpqd.exe	95
PID 2476 wrote to memory of 4432	2476	Jdopjh32.exe	96
PID 2476 wrote to memory of 4432	2476	Jdopjh32.exe	96
PID 2476 wrote to memory of 4432	2476	Jdopjh32.exe	96
PID 4432 wrote to memory of 1908	4432	Jjihfbno.exe	97
PID 4432 wrote to memory of 1908	4432	Jjihfbno.exe	97
PID 4432 wrote to memory of 1908	4432	Jjihfbno.exe	97
PID 1908 wrote to memory of 1616	1908	Jacpcl32.exe	98
PID 1908 wrote to memory of 1616	1908	Jacpcl32.exe	98
PID 1908 wrote to memory of 1616	1908	Jacpcl32.exe	98
PID 1616 wrote to memory of 2728	1616	Jlidpe32.exe	99
PID 1616 wrote to memory of 2728	1616	Jlidpe32.exe	99
PID 1616 wrote to memory of 2728	1616	Jlidpe32.exe	99
PID 2728 wrote to memory of 1004	2728	Jaemilci.exe	100
PID 2728 wrote to memory of 1004	2728	Jaemilci.exe	100
PID 2728 wrote to memory of 1004	2728	Jaemilci.exe	100
PID 1004 wrote to memory of 4856	1004	Jhoeef32.exe	101
PID 1004 wrote to memory of 4856	1004	Jhoeef32.exe	101
PID 1004 wrote to memory of 4856	1004	Jhoeef32.exe	101
PID 4856 wrote to memory of 4408	4856	Kahinkaf.exe	102
PID 4856 wrote to memory of 4408	4856	Kahinkaf.exe	102
PID 4856 wrote to memory of 4408	4856	Kahinkaf.exe	102
PID 4408 wrote to memory of 1864	4408	Keceoj32.exe	103
PID 4408 wrote to memory of 1864	4408	Keceoj32.exe	103
PID 4408 wrote to memory of 1864	4408	Keceoj32.exe	103
PID 1864 wrote to memory of 2232	1864	Klmnkdal.exe	104
PID 1864 wrote to memory of 2232	1864	Klmnkdal.exe	104
PID 1864 wrote to memory of 2232	1864	Klmnkdal.exe	104
PID 2232 wrote to memory of 3208	2232	Kkpnga32.exe	105
PID 2232 wrote to memory of 3208	2232	Kkpnga32.exe	105
PID 2232 wrote to memory of 3208	2232	Kkpnga32.exe	105
PID 3208 wrote to memory of 4684	3208	Koljgppp.exe	106
PID 3208 wrote to memory of 4684	3208	Koljgppp.exe	106
PID 3208 wrote to memory of 4684	3208	Koljgppp.exe	106
PID 4684 wrote to memory of 3856	4684	Kajfdk32.exe	107
PID 4684 wrote to memory of 3856	4684	Kajfdk32.exe	107
PID 4684 wrote to memory of 3856	4684	Kajfdk32.exe	107
PID 3856 wrote to memory of 4788	3856	Kdhbpf32.exe	108
PID 3856 wrote to memory of 4788	3856	Kdhbpf32.exe	108
PID 3856 wrote to memory of 4788	3856	Kdhbpf32.exe	108
PID 4788 wrote to memory of 320	4788	Khdoqefq.exe	109
PID 4788 wrote to memory of 320	4788	Khdoqefq.exe	109
PID 4788 wrote to memory of 320	4788	Khdoqefq.exe	109
PID 320 wrote to memory of 2188	320	Klpjad32.exe	110

C:\Users\Admin\AppData\Local\Temp\2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe
"C:\Users\Admin\AppData\Local\Temp\2daca9a6adafc5b260bda2691768e0eee1ebf8605201fe33369cf31d75e35dd9.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Iloajfml.exe
  C:\Windows\system32\Iloajfml.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\Jehfcl32.exe
    C:\Windows\system32\Jehfcl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\Jhfbog32.exe
      C:\Windows\system32\Jhfbog32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 412
        60⤵
        Program crash
        
        PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4436,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:8
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balfdi32.dll

Filesize
7KB

MD5
a3d72ae02ddc546463767c395e062e52

SHA1
609e6410f8f4f43ad2dd024bf9c63b4fc9ba1d03

SHA256
867920656637df09a27e1e2e422052a7ebc383b43cb02d204a415b833f3435ae

SHA512
140ede7f03f15cb0627b1a27e58d39705fc8da0e1a6e1a5309aeb18538ca70194dc7be1c9f57df21255ee1ffe16f09fcae3be896c214e26aab46e71577caea2d

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
96KB

MD5
6cd65cbd653a47b0a05ca8a7fffe19a9

SHA1
1a76bcb906026c9869c9d259a0f0de933f3177c5

SHA256
aa40c96d6db38222c65fcd53c31e93656e9ca6caefa270bd09f902a701a259ad

SHA512
17da69ce3aeaba0324baaab22a0be37d5c9523c644a88a56fc22da7f9445acafc246b1a1b5fb17cdd4afcaa575de3f4ac5c25eb07d05605015ebfa6a45206426

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
96KB

MD5
589a93874585f29f79dfdeb194674675

SHA1
efb6f17b31bd6bb684e6dd203280152567ecce0e

SHA256
7955004c9883c3e357a4395a3e5ed2b3c77bb19648180326b8be5c27396530b7

SHA512
a127f81d835bd2a47c0811b447de1fea32c211bf0075287865b44eaaac1664df71d2d3010a4dbd22e30279d7fe4a69db72b537dc6153036ab4cfbade61cda638

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
96KB

MD5
610e3ffe4235c39ddd49e4b006f25ed0

SHA1
49a5f987939b7c63024a93f238e9c640a1d6d3f9

SHA256
384e2f238bb64f623cd6e24d46ebfafaddd59d2a1873037fa14dfa97cb06573a

SHA512
be5036ed1deadcc509b9f16d8e74e765ad792560bcea453dfacbb3054d471c7b8e02bf3e584ddb22a69c4efd47eef82339464916533fb41b6cdf203dc5c5f984

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
96KB

MD5
4c017913fd2606bf8142c140e49742d4

SHA1
414792ccec032e2471ba5e00cbc7bb1242b775a2

SHA256
cd363bdf817d85ce0b8e142e5d0ccc96ccaddccb47fd10d65deeaf679e2286de

SHA512
99daddd479302d08671268df0109746f128f985a2cba620ebe2c1acd277fd477e20039fd3800bb27b56ac67a4b65448e18db399e8f16d1cc16e702605d3f1915

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
96KB

MD5
501e939820fd269fe4fcc670d4c1f0c4

SHA1
029380dd90e558b5d3bf0fe81ea6e4e22b69c438

SHA256
a5dbe54e67be8f3cf1e419768e63456c7d3ff12165a84e1da32ba75fca21c858

SHA512
06f0cc0983f6608dcac1adb2582406e6715f2761b96cc12e9c4df644e20ff7f18923b013a46be4373218e2b7723e153a08695be3411a0a91c323ff669309aaf2

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
96KB

MD5
d2f55ddd0d412a76bde5372742f3b110

SHA1
88b1d59163dfa5aeac101f67e88db2f35049f6c9

SHA256
5bb64e2424f12da9802225d58c569a0661948c3105ceedd9f733e93618c5f8c3

SHA512
efc6bfaf8ddf69f27c017b8e61f1637e796df63e16806f341d7cf3e4adc963be7f66ee216917845d8e6232dcf4972557a51b090eeb0a5b42d0c27b3060d373c6

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
96KB

MD5
2676587bc40120ec5a2da75cdb70d729

SHA1
fd5455038492bad13c51ab07a0952603ef1c297d

SHA256
4eb84a7829224abf5e0bbba69caa4fa53da21e74ee1426a84b17250aeec48c31

SHA512
a745757f30357ec00103549fac97ed7657f22e4598ce6278f61e93513a4c8236af938ac87a1f6c4698c7726decc58320a94fdc6694d9f00cd08f0bb1eb87629d

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
96KB

MD5
d6fdc7e98a5720ffdc29bb27b087fb36

SHA1
415e6fbc25cab74da9a715d12a0a7d544f001c06

SHA256
0683d72806cdd3c6ccb018797511bbb9e66e5dd2aac8081ccadd261136d540fc

SHA512
f2d2451e1a4e96f39179cdcef67d17f04a92f44686a1b75b2dc037985a111710cbb0d32d37b061ec9eee54f1a8e228028a1cf80f180da7aee5c84620dce55b13

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
96KB

MD5
420aacfe14b98fc03c29eb16f1732fa6

SHA1
aaf7400ca8020284179133c24f176c210ab8c676

SHA256
916df40c55397689ddd3c59bb02de85a93f0136e42e4c24871543e3269c1d125

SHA512
192045da6ca8fbb4031ebcd42f1519de6fd57b6549865f6f5801870a0a6380d3311c7cba8e2b8217c91db459baef3c4818ba424740b6a99071e7a862515167e1

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
96KB

MD5
2c2e6a2e6fcaaaaf042cdd3d6291dc84

SHA1
b24bbe9073308fb74229f6b6b9c5a4edc992a406

SHA256
e2468a661777556ac73143ede59e65c4196884c0667e76e2fbc62dec8d979b5a

SHA512
aa9a64d01b93a7477ccf255ee525ef10de8667a3a9558f97ed939aa3032f5e19fad50bbf0661eef12dbffd7786153377a91bd66aa1dd9260bdfe0a219cac1771

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
96KB

MD5
ccaa9c08125bcc4395ead6f52dbc2806

SHA1
e75eb063ce068793866ef1b73043c7e2a089eede

SHA256
f90166302e5290007d21dc1dac7fec5c97218c438e1da872fabffc503d5b89dc

SHA512
9934b392992ca9ae49883d352d4be3965a1f3a778fd3a3a109b2f91b862b3b0a3654fb137f25a6efc116b90cb185baa454e5389734f5014a5e77d4eb4cefa86e

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
96KB

MD5
cd75fb895d14f58f3d3e2ce43f75162f

SHA1
c0405aa074bb42d35d36d347cab29ad83728581e

SHA256
e4e0f343dcac0622829d72dd7739094a42202ed3bc39191f1b587ef048cc37a0

SHA512
6d5a11bcedcaa5bf511e550a5186820dd480b62c1e1dd412e4331b68d048e872f563fdcbaba149b76699525237f8b4ee5db2aaa2f9231c7839c837a046ed9c39

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
96KB

MD5
2c9f8617168af34b796ce74c848d12f8

SHA1
78649fae2a1522eedff6b66a2b809ec9ef68c27a

SHA256
908a68005592c698c4f2a544ca2412e0c63bc74e4795fa6f913c7b0b016adb6b

SHA512
29e6ec42c0aae90f4545f2789d5bcf75fc4205bc15d236426d6f4270921e14c764a85e9a7511b5833b8c547cb4faa2b0857632e15cc6e9d04421aac0d272bbd7

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
96KB

MD5
f5842c2b07cff79627967607aa066378

SHA1
01949dd839b28b5c0dbb1473a042de2334749b8c

SHA256
993f7feb906e32002f1491e2c41ac7f3211bd071e3ffa5d3db1500031c90ec52

SHA512
8997f95c264abf77f1b4e0a37e8720f7703240bec32522192f611bdc7e291952d3f2e40741d4ef44ef20a30974c9670b6f89440e881744e07e24bd049510421c

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
96KB

MD5
e38c73ca12699274f70d6d25f061dbba

SHA1
c92bd0a8318022c7660a578728bdeda072632e9f

SHA256
17f007a9915cf970562aaf6d116182b3c06cbb862fb752fb2df839c7c2425ab6

SHA512
9f98ac8cd9e3e41c08a33d4330573edb4163398cd4b5e4aeb1672b8e856acf651238f94bb085dc36cc18887410886e8967cb105b0d4cffa9a8050c7bd239e51b

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
96KB

MD5
a146445b24776e6fd06530e43c6cb20d

SHA1
0b42b2c22ea0747a8725ec0ad08d972ed2080c82

SHA256
189eeeb376f08efef1d3c4084ec7dca305314c16f78af8e09c265bc71695fcc5

SHA512
13aea6456b6e2b33cbda30e726e886e7eb36a529171e875bfb5439082a93187aa854f359a032cdc30e30ba789c38cb4a999946bc2a92a8564b0504d732be7c57

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
96KB

MD5
1dbfb64bdfb84183c0ac40fa3fce7f13

SHA1
1d430b24d9c518444201673d495636717e7a315a

SHA256
7b9588ec3659dbb7315358ad1f6db39cda00d8e85c87ffe43ba81a6b9127eb84

SHA512
02bdffdf55817bce740c3a643f1793c956cc6f0deb4f76bee37465338265ec747ebe88e92611eaf7b4dd91d0c1d7e5f3be15ec6a1ccd3af729e3b6882fb77146

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
96KB

MD5
47850a5083a3ddd2530a4a0e2d7b4658

SHA1
c651e122d5bd0d484451e53ef20e17354b0a8237

SHA256
ac9d247d6e01be17a7b31e2d59ed7becdc7949bda3bbf502e682d381bdd052fd

SHA512
83894c00ea7dceffae0e75b62607ab9ee71d86315099ce827c19f787d1ad4363e42e765a067514efe5c28000af3864738d923ec2c60778cc60cf99421da11b6d

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
96KB

MD5
d84647967d09389bafd2beb9cb31b24c

SHA1
c9ef6a0f65808ff32de2a56e14af92bc1a84e0ef

SHA256
27461fbaccf044d980865e70325b4b0de94e008e99472f72717f8a5689b2bff9

SHA512
93dc21bf27ecb4e65e03820d4bddec298eda319601aac214331b476f4317a42743b8203f589efb7ec0871cc88048f5f4c8a5a90c6bb00a2c45a3a25a3cf9d630

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
96KB

MD5
10db04237b52e1b0eea87c69202c478c

SHA1
f2a9021de14141ba637d25e739b4b2ee0cac7b22

SHA256
f9e194281e9b8084ea28cae712e01509d193fef9424d01333c62e66d2ba4bada

SHA512
59c3abc85b2890bc80b318f1a1fa4c70753fbf83e0a146e047176c9c11b6cb5624ba4e212f665dcdade56c9526228263d1bb2c885c01494a70f047c984cfdd9d

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
96KB

MD5
8ad6877569514a2a63b47b8751f43de2

SHA1
3bda0c5b8e9a6338a30b822b131912b04f26a1fb

SHA256
3609d1bcbf69e67d6a00a260fc2bafc84c65a241b9fc2d6a6a28faba3dce4af0

SHA512
c94e13619d36a77ce71fb266d50d50bb4a8b2e1fb0fceec3b36eaf19ac0de0d1c826e146808b7a739b2633aa34086b7ee4502b5e9c98b81d0a1d2880c576f575

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
96KB

MD5
1a6aa49f7467e68e656b7152df39b70e

SHA1
dc99f510396113f3966ce165459ee28fac6d9bbf

SHA256
61c3511d4c5603676d9c52b0781fffe3d0f75880b635a3a31160fa47db60c37e

SHA512
47b02f3ab88d2d416d4aa1d0e4858cf05ce30fde4c8467b8f5e0cab5e3ca3c3a329aeaca1a4c254dd4b3498d586c385fbcc850e170caa63768cdb340531a9d73

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
96KB

MD5
f1482470c1074b34cf5f49f1b0049ef6

SHA1
eeffb7ee22bb7f6900da01105ff7c0720e4dfb3a

SHA256
b26d1f572eac6829e89ba19702b61f2ab9bb52cc3ec302d02af193d3a9f61756

SHA512
cfbb2c5ea0a10b1a5a2111969a879c7455ef5a2224019255f2948a79f5f30587d7cf5bbee8ce7735eadc6c958b914a5b4d8587562d38492220904e87c8ea6ead

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
96KB

MD5
2b0a368d33e829a1beed347b212a4d55

SHA1
5373943af761e7244a76929fdc20027e2087579c

SHA256
f7cc86f9c6c445345f0af5461957126061c276f39a5b149261e255a8e0ac1c9a

SHA512
b967e1cc3d65764a8c04aaa5a955f807d66b9e8df1dc4bb94372fba26823972c137124572c10c423688fcbd8e46fce9a0ef482c68a09e22ffc464d1c8d4b373a

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
96KB

MD5
9a857c76474c4cad81b6828d77ad84f9

SHA1
bcb0be8f4204ce318449f971a4ac976841d49ed4

SHA256
73299b6f26caa114aeb747b634aba14300c34a5e127f27033caf3c5843c08284

SHA512
ee4c0bcda378f4a67162ef4977b7de65b6283ddc1013073367adf9b172b3303efb237ff842beff9ce9e8ec9cc04c2969749b3f028ee9ef4d19bc7621fe703a25

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
96KB

MD5
586cbe7606e554fea062adc1ed152b0f

SHA1
faac04eab2afd410869c5a374da5ad8a9e14defd

SHA256
53a542be35fcfdb972cc11d07ad9295025d966591c8e10e4929d475e5843117c

SHA512
aa5fd2d873fbb524e4e503e22a722b2f2122f733b701e1ab51e6e39352c30efc6e43a32ff11c856d33e33fcaaf4ce4a5a515d0696318ba72a0c6dbc7e5cbabe1

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
96KB

MD5
0e5ed1770c4d69ccdc9808efaddfc0d8

SHA1
816aa26b0e2e66ce6f3a8c29af19397e9c2b3875

SHA256
06930fe7a878dfa7e740777ab025ef4003af66a12612eb727880c4790476316c

SHA512
d7377ba6ef7ca9a2d6ad31e7867da79663345b4b90944bd4ecb7c5e74fd58ac57cecb6281337504521006b65f7dc64e3dc5cc5a1902a5fe2c7ac28cbe05b1ba4

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
96KB

MD5
b946f3c3c9951816fa89992e811ba93f

SHA1
e1708012d06bba59bdc9d7dbd942dfc67362c4cb

SHA256
1af61fefeab52c15226f1340731ff4af6cd34c5d2bd35126faa3919d202df031

SHA512
41efbd8e6d20ffb5285f4c9209ddbe8ce17180020c97abc6d7cadbd30017b7ffb9043cbcecbd376586a3b7a8656a37f374ca249dc9e8fad009aecf1160bbc7b6

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
96KB

MD5
8b39647918513eee93bbac80a23fb87f

SHA1
d57630f0cb211c9f453fcb688d3a733e0f6fed38

SHA256
08b7670c88e8409c9a8d01d2df4199e284d11cd93bb325a992372f255997e0da

SHA512
748f2867b24e445418fac5066741d1efec25ffdec92b1e151f9b90651fd12c9f58563f140be886edd7ff64e1a5b1a2a0ff22139db7fe9997f12863c9e079ecd8

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
96KB

MD5
c6e7549590cd55a3c47579c9c46688bb

SHA1
537540a70794440ad55918e89e6083a928eb68e4

SHA256
570b53b87a7474d63583133ffdc911e178a13d68a81b2f7fa2c60eda8026fdc9

SHA512
410a96103a0049f95929d9db511f362ba6a78df61c676524aba6319216bb36871e9c6b8da79c17d89930a51d9833efcd4a92732d77dd804fd252d2101665ca2e

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
96KB

MD5
e2eb9161e50d6abe4f083577122e3b3c

SHA1
534273b4f4bf63fcd8ff2a3ce0c5652f3ea81d05

SHA256
0a72af9d80972bf8871c496351e4f27aa917a3f1e059b595f8eaa3e8994ff95a

SHA512
8632908221c4e5a5ce92c3880c483bc180875fc7244b4e6c921ee0bb515269a88c4d649b9a5e443452a7bff41c3e5e969e7d5480935dafa1eec0d0d908055d9e

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
96KB

MD5
ea2f95eaed11e21e312173914eae6d84

SHA1
2ec9a2b4b713dae7b894cf2355bb67f1f4571b78

SHA256
5c22ae5c652d7ac6b434fa35f91099b559e823bcd34a218e5357d02062fa72c8

SHA512
9853e9d83725145ee5c2220a8b861b15bafc465b790f2e0f835c417ce5db97d90d1dcd8eba1d634597286455442abe3395b39ba4bb32d3eaa6532ad72fb85494

Download Submit
memory/320-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/972-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1148-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1260-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1548-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1772-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1908-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1908-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3340-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3524-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3736-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3856-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4252-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4288-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-110-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4684-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads