b657f97976c53e112b2386c6a12745418ac3c52cadb066845632afa242e31a9a

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 19:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01c60cc10a2009064d779cab3e9014d5.exe
Size

1.4MB
MD5

01c60cc10a2009064d779cab3e9014d5
SHA1

14c592839f989b32c06ab84906e2021947449807
SHA256

b657f97976c53e112b2386c6a12745418ac3c52cadb066845632afa242e31a9a
SHA512

f30bc8af1e9cdd8c18f6f5890e61ab7b2707f056a16c699fac2f16e68a629f8f3233b04b40839a4ca878e9b0986e4437ecb14f96b43028c7ae1489dd8434c66c
SSDEEP

24576:xMkEJFXkEsIkEJFXkEs7vHkEJFXkEsIkEJFXkE:xMkQXklIkQXktkQXklIkQXk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	01c60cc10a2009064d779cab3e9014d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe

Executes dropped EXE 12 IoCs

pid	Process
860	Kpccnefa.exe
2020	Kgmlkp32.exe
996	Kilhgk32.exe
3124	Kacphh32.exe
2992	Kbdmpqcb.exe
4908	Kkkdan32.exe
3924	Kaemnhla.exe
4516	Kdcijcke.exe
5040	Kknafn32.exe
1828	Kmlnbi32.exe
3168	Kdffocib.exe
1592	Kgdbkohf.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	01c60cc10a2009064d779cab3e9014d5.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	01c60cc10a2009064d779cab3e9014d5.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	01c60cc10a2009064d779cab3e9014d5.exe

Program crash 1 IoCs

pid	pid_target	Process
5824	5736	WerFault.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	01c60cc10a2009064d779cab3e9014d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 860	1216	01c60cc10a2009064d779cab3e9014d5.exe	89
PID 1216 wrote to memory of 860	1216	01c60cc10a2009064d779cab3e9014d5.exe	89
PID 1216 wrote to memory of 860	1216	01c60cc10a2009064d779cab3e9014d5.exe	89
PID 860 wrote to memory of 2020	860	Kpccnefa.exe	90
PID 860 wrote to memory of 2020	860	Kpccnefa.exe	90
PID 860 wrote to memory of 2020	860	Kpccnefa.exe	90
PID 2020 wrote to memory of 996	2020	Kgmlkp32.exe	164
PID 2020 wrote to memory of 996	2020	Kgmlkp32.exe	164
PID 2020 wrote to memory of 996	2020	Kgmlkp32.exe	164
PID 996 wrote to memory of 3124	996	Kilhgk32.exe	163
PID 996 wrote to memory of 3124	996	Kilhgk32.exe	163
PID 996 wrote to memory of 3124	996	Kilhgk32.exe	163
PID 3124 wrote to memory of 2992	3124	Kacphh32.exe	162
PID 3124 wrote to memory of 2992	3124	Kacphh32.exe	162
PID 3124 wrote to memory of 2992	3124	Kacphh32.exe	162
PID 2992 wrote to memory of 4908	2992	Kbdmpqcb.exe	161
PID 2992 wrote to memory of 4908	2992	Kbdmpqcb.exe	161
PID 2992 wrote to memory of 4908	2992	Kbdmpqcb.exe	161
PID 4908 wrote to memory of 3924	4908	Kkkdan32.exe	160
PID 4908 wrote to memory of 3924	4908	Kkkdan32.exe	160
PID 4908 wrote to memory of 3924	4908	Kkkdan32.exe	160
PID 3924 wrote to memory of 4516	3924	Kaemnhla.exe	91
PID 3924 wrote to memory of 4516	3924	Kaemnhla.exe	91
PID 3924 wrote to memory of 4516	3924	Kaemnhla.exe	91
PID 4516 wrote to memory of 5040	4516	Kdcijcke.exe	159
PID 4516 wrote to memory of 5040	4516	Kdcijcke.exe	159
PID 4516 wrote to memory of 5040	4516	Kdcijcke.exe	159
PID 5040 wrote to memory of 1828	5040	Kknafn32.exe	92
PID 5040 wrote to memory of 1828	5040	Kknafn32.exe	92
PID 5040 wrote to memory of 1828	5040	Kknafn32.exe	92
PID 1828 wrote to memory of 3168	1828	Kmlnbi32.exe	93
PID 1828 wrote to memory of 3168	1828	Kmlnbi32.exe	93
PID 1828 wrote to memory of 3168	1828	Kmlnbi32.exe	93
PID 3168 wrote to memory of 1592	3168	Kdffocib.exe	157
PID 3168 wrote to memory of 1592	3168	Kdffocib.exe	157
PID 3168 wrote to memory of 1592	3168	Kdffocib.exe	157

C:\Users\Admin\AppData\Local\Temp\01c60cc10a2009064d779cab3e9014d5.exe
"C:\Users\Admin\AppData\Local\Temp\01c60cc10a2009064d779cab3e9014d5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\Kpccnefa.exe
  C:\Windows\system32\Kpccnefa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\Kgmlkp32.exe
    C:\Windows\system32\Kgmlkp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\Kilhgk32.exe
      C:\Windows\system32\Kilhgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:996

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\Kknafn32.exe
  C:\Windows\system32\Kknafn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5040

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\Kdffocib.exe
  C:\Windows\system32\Kdffocib.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\Kgdbkohf.exe
    C:\Windows\system32\Kgdbkohf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1592

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
PID:1656
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  PID:4344

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
PID:1784
- C:\Windows\SysWOW64\Ldaeka32.exe
  C:\Windows\system32\Ldaeka32.exe
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\Lklnhlfb.exe
    C:\Windows\system32\Lklnhlfb.exe
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\Lphfpbdi.exe
      C:\Windows\system32\Lphfpbdi.exe
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        5⤵
        
        PID:4280
      - C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        6⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        7⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        9⤵
        
        PID:4776

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:3900
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\Mnapdf32.exe
    C:\Windows\system32\Mnapdf32.exe
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\Mdkhapfj.exe
      C:\Windows\system32\Mdkhapfj.exe
      4⤵
      PID:1120

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:1996
- C:\Windows\SysWOW64\Mpaifalo.exe
  C:\Windows\system32\Mpaifalo.exe
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\Mcpebmkb.exe
    C:\Windows\system32\Mcpebmkb.exe
    3⤵
    PID:2376

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:2340
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  PID:1564

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:3520
- C:\Windows\SysWOW64\Njljefql.exe
  C:\Windows\system32\Njljefql.exe
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\Nqfbaq32.exe
    C:\Windows\system32\Nqfbaq32.exe
    3⤵
    PID:5196

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:5280
- C:\Windows\SysWOW64\Nnjbke32.exe
  C:\Windows\system32\Nnjbke32.exe
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\Nqiogp32.exe
    C:\Windows\system32\Nqiogp32.exe
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\Ncgkcl32.exe
      C:\Windows\system32\Ncgkcl32.exe
      4⤵
      PID:5412

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:5452
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\Ngedij32.exe
    C:\Windows\system32\Ngedij32.exe
    3⤵
    PID:5528

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
PID:5608
- C:\Windows\SysWOW64\Nqmhbpba.exe
  C:\Windows\system32\Nqmhbpba.exe
  2⤵
  PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5736 -ip 5736
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 400
1⤵
- Program crash
PID:5824

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5736

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:5692

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:5568

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:5240

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:1284

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:3992

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
PID:2900

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
PID:3624

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
PID:3192

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
PID:3796

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
PID:1736

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
1⤵
PID:224

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
PID:4780

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
PID:3156

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
1⤵
PID:4556

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
PID:3612

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
PID:3668

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
1⤵
PID:3388

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
1⤵
PID:760

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe

Filesize
1.4MB

MD5
42d457e8582a8dd73c3472813bf9a7b0

SHA1
3b7f55f1583c6ece10f1535d6d819a3280beee8b

SHA256
c0e2d0ef2af3d2f4cac55e41e77d99b496b65f10358c768fbae2b4ca5fe0f6bf

SHA512
4531ac634ecd193cc4d240fcec57cccdf188fbf888f6487f2f5f733879be3c05f1f6daef6c6859b381964188134a56e3a3fcea486ba7e2cce475a5bba6beb4c7

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
1.4MB

MD5
ef078e69a0a4216abcefb4521c488d74

SHA1
4e2de10870feef4e76ba15468cb0eb009048485b

SHA256
ffdab0455c5fc47bd58f07f57173c6da3e410ad102d28de2c648bc4d8ff698e2

SHA512
faf75c45048addb58bfbf4037f4cfb43780a52fac0d36df54ae8e834cd7b0ca83c72dbd5e67adcecc610934d0a51b18f2c4fbe9c437e3d4c56e10209d37433b9

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
1.4MB

MD5
7e77c9f8bb2b5e3a16eddf6b1bacc5be

SHA1
255fdbd17b55c3944bd0ef9be0f3c7387d6f366f

SHA256
d13dace3dded245c3334445b063ad3cace0f930e731501bbc26a4b8a5d7c6c52

SHA512
cf51d4fe3b1a8b3deb1a48fdac56d600c50a3a8a87f428536e5d960d468b071e01ffb29489806068e8e900f3b8e324452922b9fa7b12c4f525f81cbdfebc5be4

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
1.4MB

MD5
b2017f88bf4bde20609ecd79431e57ff

SHA1
a8b9f982c33a2d6615aaab491f02d0313eea47da

SHA256
02de7610af230179f4492d92a6cc06924d60e4b3bf24c53c1fbd3da2ee842af5

SHA512
5bf04e809b3860ade11e7096efae763ca3ea67f016e66e22a80d5a84c8c65290e79374b0daff6e81d54d5af27009a683a9b39ebe64048b07014fbc7df6fe5dbe

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
1.4MB

MD5
b541b85454ad3593be53ef5bdfb49f29

SHA1
ffe8f0dc10d73c2f198f246884b7ba85cc395d67

SHA256
2029d6c70a098bf82726b8f72e78dd6ae4fe2c660763a55dabe4d302cc93c0af

SHA512
837ef640bc318320965594023a44942c215d0107c927988147e3e1c60adfe66184f1f55d50e951f0a5dd638b90b8a9f397c523caa6084c1d51f40b9aed63e291

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
1.4MB

MD5
9314da394b09f1b0a00e9934a89ab0f7

SHA1
b742a15a94a66cf09c1d8af874f773984b7c4d40

SHA256
26adb5f16079da21a6fcf769342f8938412b52e253fc56b4329739ee899f6b34

SHA512
e7eff1c229b07fa2480e7e92478dcfed4bcb592cd6bb1904ccf4fc2cd33e3e966618af33102241796881acefa7cabefc853cf1b1db1ca494ef7be4be473a71e6

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
893KB

MD5
0d5edae7305e98fc603cc86e0ab8387d

SHA1
efae2a73c226edbf5fb57d8f900b8e1e406f77e5

SHA256
a3ddecd698c465c1dcf443057d3b53ab912f7ec8fee14e1eb4841482cdf4cfbf

SHA512
e0da38f5437dfee7261e177986a90817317e1dd57c9e396c54680bd239e237b7eb62aa10ac42f8eabdfa7243c844b050301136fc429bf5c5e85d77b88590b27e

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
1.1MB

MD5
9232cfdecddaeed8c8ce54b6503ebe84

SHA1
587cdd04392c762e38970c9c990c3072a28fe2f5

SHA256
b2ca56c5454dc80ade3ed8b4775c803d92112bb1fca1b300ff029f4aae230e43

SHA512
e69d911f2ca81e5eaa29571c57e71cefe34f751d06268acb45ab8123c9fac9efc4f465cf20d9e808c94d3d17f1d73f4a8ba3d862951f5c1071f4f7e8576cdc78

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
1.4MB

MD5
d2cc15c28148a93259280cd412c3b2d5

SHA1
d17fed2f73706a256e3a2a925fface698acf42a8

SHA256
11a7cb5fb045792971febca7edca68a646f62259df56168fb4465c04c9742d82

SHA512
a7407e4513eee532c0dec290a27408bf6ebdca31dde3c4531e69f42f84c78dd6de864b469437eaa034cd3376cc5231bac40e9814f92508a2f3528fa71b6789b9

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
1.4MB

MD5
3f421dbd82b1d064f47a4f79e60b9cdc

SHA1
1a8f7e7cf5232d5b7dfb96580017beee09b3dba8

SHA256
cfcd4f1567b213922a1fd476f1ac249df4b6b886b387049e8f129ae48dfdb359

SHA512
12dfe103f4c374a46e43755e5bee15855950170e6d20234fc1f054017c29809369e3e408b675a4d8dd452ea4085dfa3ac18ef3a35b6c588917d815c472142a65

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
1.4MB

MD5
981ed9d307d0ad983debe1acdf2b9620

SHA1
bf46275abdbace5e117a29394b2a57ace924fad8

SHA256
263fb37428e7d670d3deeb9c6b6792bf993c7357ccb19b210305a33ca4be74d2

SHA512
59858818c24c51db4990efaa5fc996574f122664412e9e0f92b0809d0cd47e0da389890eded2bde40606fc0e36b38e9c8e9241b01a45796b858dac117cbcd69e

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
1.4MB

MD5
55ccca9c39bb1923a182098a008c955e

SHA1
e8166a7ac80fca4417c7c97f197b611778fe4747

SHA256
535d514aa4e05e9330f705ee965b04f2e5cc60e097ae4e02a61876185f11f26b

SHA512
e0479f736905b51b5998595fd1c42c6b09bdadc743321670b9fee2708c04cc5ecb2bc55b722954e7d76ee0eab2406addba044dcd4542689ff7c3625915513c04

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
1.4MB

MD5
b919b2dc3e3afd69aa863806b1016b01

SHA1
38b466f877b32e2f50c836e8e7d07b403ffede7f

SHA256
f4f881159f18509140d624b39630286a4385924b5d799c9d46078d079793c697

SHA512
90b872d2f75ddfcc23432672397fe4008933131aa0e606922258ecdf5967bfc99781663added103053e02b0277023e437dff2c236922759078ad40b7c9ec7cf7

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
1.4MB

MD5
472fbd25dd111125afb37646be4a1259

SHA1
895877c1e1f36b26443d8f8cb89826352234f0a7

SHA256
fe5fe775072938f1f02e282b86c24bd13cc2aed39c1dc6e7cc3b1a8d2214621a

SHA512
36eb8a583d5cf3f6e0031e966e506247427a74ac8909e93f5a146bf0468f629a54676533f249814876bec54aa0b547a5e8841af1e6300aac1907243c916f5c50

Download Submit
memory/224-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5152-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5152-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5240-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5280-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5320-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5320-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5368-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5412-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5412-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5452-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5452-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5492-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5528-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5568-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5608-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5648-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5648-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5692-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5692-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5736-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5736-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads