81f1056ddfcfd2df885def8ac5a2485b57660f540a2eb2a11ce2b89ccfa07bcc

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Size

81KB
MD5

4ceca75b67fd547463e5c4a569a5d7d4
SHA1

4e9a6f0098b891cc7a772e63db5c88c48fca85de
SHA256

81f1056ddfcfd2df885def8ac5a2485b57660f540a2eb2a11ce2b89ccfa07bcc
SHA512

ca575825f1ee674ebf8fbea0a2a21aec61735f33f6cd61fc5aca5961c0ef6923ca5469338e356b0d83283fe1d2d69c80ef18a446ed6f91c18f5ca4c6bf6ffa0d
SSDEEP

1536:BkMLzTVM0+nqVnFXt5sfFv56T7m4LO++/+1m6KadhYxU33HX0L:+MLvyFnqVn1IFv5S/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe

Executes dropped EXE 25 IoCs

pid	Process
1792	Fpfdalii.exe
2008	Flmefm32.exe
2728	Ffbicfoc.exe
2760	Gpknlk32.exe
2468	Gegfdb32.exe
2452	Gpmjak32.exe
2404	Ghhofmql.exe
2540	Gobgcg32.exe
2776	Glfhll32.exe
1536	Gacpdbej.exe
2184	Gkkemh32.exe
640	Gogangdc.exe
608	Hgbebiao.exe
2336	Hahjpbad.exe
1224	Hgdbhi32.exe
2952	Hlakpp32.exe
3048	Hdhbam32.exe
1488	Hlcgeo32.exe
572	Hgilchkf.exe
1016	Hhjhkq32.exe
3004	Hpapln32.exe
1800	Hjjddchg.exe
3000	Hogmmjfo.exe
1992	Ieqeidnl.exe
2904	Iagfoe32.exe

Loads dropped DLL 54 IoCs

pid	Process
2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
1792	Fpfdalii.exe
1792	Fpfdalii.exe
2008	Flmefm32.exe
2008	Flmefm32.exe
2728	Ffbicfoc.exe
2728	Ffbicfoc.exe
2760	Gpknlk32.exe
2760	Gpknlk32.exe
2468	Gegfdb32.exe
2468	Gegfdb32.exe
2452	Gpmjak32.exe
2452	Gpmjak32.exe
2404	Ghhofmql.exe
2404	Ghhofmql.exe
2540	Gobgcg32.exe
2540	Gobgcg32.exe
2776	Glfhll32.exe
2776	Glfhll32.exe
1536	Gacpdbej.exe
1536	Gacpdbej.exe
2184	Gkkemh32.exe
2184	Gkkemh32.exe
640	Gogangdc.exe
640	Gogangdc.exe
608	Hgbebiao.exe
608	Hgbebiao.exe
2336	Hahjpbad.exe
2336	Hahjpbad.exe
1224	Hgdbhi32.exe
1224	Hgdbhi32.exe
2952	Hlakpp32.exe
2952	Hlakpp32.exe
3048	Hdhbam32.exe
3048	Hdhbam32.exe
1488	Hlcgeo32.exe
1488	Hlcgeo32.exe
572	Hgilchkf.exe
572	Hgilchkf.exe
1016	Hhjhkq32.exe
1016	Hhjhkq32.exe
3004	Hpapln32.exe
3004	Hpapln32.exe
1800	Hjjddchg.exe
1800	Hjjddchg.exe
3000	Hogmmjfo.exe
3000	Hogmmjfo.exe
1992	Ieqeidnl.exe
1992	Ieqeidnl.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
996	2904	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hlakpp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1792	2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe	28
PID 2128 wrote to memory of 1792	2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe	28
PID 2128 wrote to memory of 1792	2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe	28
PID 2128 wrote to memory of 1792	2128	4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe	28
PID 1792 wrote to memory of 2008	1792	Fpfdalii.exe	29
PID 1792 wrote to memory of 2008	1792	Fpfdalii.exe	29
PID 1792 wrote to memory of 2008	1792	Fpfdalii.exe	29
PID 1792 wrote to memory of 2008	1792	Fpfdalii.exe	29
PID 2008 wrote to memory of 2728	2008	Flmefm32.exe	30
PID 2008 wrote to memory of 2728	2008	Flmefm32.exe	30
PID 2008 wrote to memory of 2728	2008	Flmefm32.exe	30
PID 2008 wrote to memory of 2728	2008	Flmefm32.exe	30
PID 2728 wrote to memory of 2760	2728	Ffbicfoc.exe	31
PID 2728 wrote to memory of 2760	2728	Ffbicfoc.exe	31
PID 2728 wrote to memory of 2760	2728	Ffbicfoc.exe	31
PID 2728 wrote to memory of 2760	2728	Ffbicfoc.exe	31
PID 2760 wrote to memory of 2468	2760	Gpknlk32.exe	32
PID 2760 wrote to memory of 2468	2760	Gpknlk32.exe	32
PID 2760 wrote to memory of 2468	2760	Gpknlk32.exe	32
PID 2760 wrote to memory of 2468	2760	Gpknlk32.exe	32
PID 2468 wrote to memory of 2452	2468	Gegfdb32.exe	33
PID 2468 wrote to memory of 2452	2468	Gegfdb32.exe	33
PID 2468 wrote to memory of 2452	2468	Gegfdb32.exe	33
PID 2468 wrote to memory of 2452	2468	Gegfdb32.exe	33
PID 2452 wrote to memory of 2404	2452	Gpmjak32.exe	34
PID 2452 wrote to memory of 2404	2452	Gpmjak32.exe	34
PID 2452 wrote to memory of 2404	2452	Gpmjak32.exe	34
PID 2452 wrote to memory of 2404	2452	Gpmjak32.exe	34
PID 2404 wrote to memory of 2540	2404	Ghhofmql.exe	35
PID 2404 wrote to memory of 2540	2404	Ghhofmql.exe	35
PID 2404 wrote to memory of 2540	2404	Ghhofmql.exe	35
PID 2404 wrote to memory of 2540	2404	Ghhofmql.exe	35
PID 2540 wrote to memory of 2776	2540	Gobgcg32.exe	36
PID 2540 wrote to memory of 2776	2540	Gobgcg32.exe	36
PID 2540 wrote to memory of 2776	2540	Gobgcg32.exe	36
PID 2540 wrote to memory of 2776	2540	Gobgcg32.exe	36
PID 2776 wrote to memory of 1536	2776	Glfhll32.exe	37
PID 2776 wrote to memory of 1536	2776	Glfhll32.exe	37
PID 2776 wrote to memory of 1536	2776	Glfhll32.exe	37
PID 2776 wrote to memory of 1536	2776	Glfhll32.exe	37
PID 1536 wrote to memory of 2184	1536	Gacpdbej.exe	38
PID 1536 wrote to memory of 2184	1536	Gacpdbej.exe	38
PID 1536 wrote to memory of 2184	1536	Gacpdbej.exe	38
PID 1536 wrote to memory of 2184	1536	Gacpdbej.exe	38
PID 2184 wrote to memory of 640	2184	Gkkemh32.exe	39
PID 2184 wrote to memory of 640	2184	Gkkemh32.exe	39
PID 2184 wrote to memory of 640	2184	Gkkemh32.exe	39
PID 2184 wrote to memory of 640	2184	Gkkemh32.exe	39
PID 640 wrote to memory of 608	640	Gogangdc.exe	40
PID 640 wrote to memory of 608	640	Gogangdc.exe	40
PID 640 wrote to memory of 608	640	Gogangdc.exe	40
PID 640 wrote to memory of 608	640	Gogangdc.exe	40
PID 608 wrote to memory of 2336	608	Hgbebiao.exe	41
PID 608 wrote to memory of 2336	608	Hgbebiao.exe	41
PID 608 wrote to memory of 2336	608	Hgbebiao.exe	41
PID 608 wrote to memory of 2336	608	Hgbebiao.exe	41
PID 2336 wrote to memory of 1224	2336	Hahjpbad.exe	42
PID 2336 wrote to memory of 1224	2336	Hahjpbad.exe	42
PID 2336 wrote to memory of 1224	2336	Hahjpbad.exe	42
PID 2336 wrote to memory of 1224	2336	Hahjpbad.exe	42
PID 1224 wrote to memory of 2952	1224	Hgdbhi32.exe	43
PID 1224 wrote to memory of 2952	1224	Hgdbhi32.exe	43
PID 1224 wrote to memory of 2952	1224	Hgdbhi32.exe	43
PID 1224 wrote to memory of 2952	1224	Hgdbhi32.exe	43

C:\Users\Admin\AppData\Local\Temp\4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ceca75b67fd547463e5c4a569a5d7d4_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\Fpfdalii.exe
  C:\Windows\system32\Fpfdalii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\Flmefm32.exe
    C:\Windows\system32\Flmefm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\Ffbicfoc.exe
      C:\Windows\system32\Ffbicfoc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        26⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
81KB

MD5
5742633f7c8e22638bc680f2a01f9ae3

SHA1
6df3cc1fab4bac57be53a7c987498d716eb8adec

SHA256
935122ba9fc2faa92075d091f3326744f3ce652c01aea0ae5172fc025e5c6f5d

SHA512
5e619109ff7893c0d0b65a604cb3725fe94fa5212e25b111e952e5f81d0112a94e7cfe4134e003c151ce256f187631684db1752cf4ef5b59c80547adbdee8e77

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
81KB

MD5
dbbd417e1f0000931780cdb8f1e8fceb

SHA1
6c784d1bb9c38a308c3cdbd88d095cf6a32d343b

SHA256
b4e957d726d95d66e122ce06eb03f2f60d67d7aca370468347b9c31c28a1349a

SHA512
86da7bde314153547d9c84ca9b05164cc9f5d8e69cd2ee0703fa89256a2830d85e35cdd766a0e7f5c6446925352712fe333828e3c6dd951e773c821039bcad80

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
81KB

MD5
96a312b5f5af8e8d3cce88873c25d38e

SHA1
6a998ae62b99e25dc180253aedcf6b5ba42f0173

SHA256
73a8286157c0ffc6a02456b6ab1b7b4fd7e0c74c4c6cceda907c268c745207e5

SHA512
f5191abd555a81364b6b4499306fe1125df11ede9ef09795e8d3b6fd6842ba15ca0f2b425aefa6068ca1fd214377f3eea2f49bbde1e21c67c6ffa471ddcfbe90

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
81KB

MD5
4aa801bf9077da7bf202fa44d136bcab

SHA1
50b7d8c9bbf44723b86b260099d3130a41edeba8

SHA256
a32f8d15fcf8717a21ea74ca19e915dc71590417e7275a488bd277da45d52834

SHA512
81129a0425553fc6a6bbeb020d15fa453f4bc64fd5ed20c12ff187626e5328c80bd1d4c25d320970fc68c070a3a1bc46e0cbbc3840e1ff083885b569928dc9a8

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
81KB

MD5
45bfa4a76e557b22282851f8d3749f9a

SHA1
77448582306606ab032e67f3411176d1d2c2783c

SHA256
9896d7eb20877cbe3c826c894ab2f20831aa6d07f88830981768fd751e7346e5

SHA512
05fdf005dd155125154aef170398708ff226a4aa912311ee8257930728d4064e61d79b076f57aab775522fa06633c0908e6dae695320368edcfbe4fd5c13af01

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
81KB

MD5
fa9b9dacfaf311d22fa8980202e2ca33

SHA1
2989ba1d3f0aa797f783753e9699820ec0ab1e93

SHA256
3e1b601ecced03d1c04ab158b072c31a0ca7b0d18bda2325442022be2620f09a

SHA512
8c486fceb301b2d05c67d0e4416058dae2ed1c0b16ae43c34215da7bc37c70b1b5cdc5ef014dd4da758752530632ee34d44af559464515a0a4ddcc7d82c621f5

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
81KB

MD5
bb5b748702d6328392009ff2e28d5e11

SHA1
1d33abeeaf5a5a1f30be3dec46e86272216739e9

SHA256
e730837c4b066f5bf7ed489fb2612f521be8e854a3ef11d96d7a8be1b2379160

SHA512
442da8a539ff2d460218ff1606ff35cb8d23697fad4f1f795d891d60f7b2e75348e3d00cdcda762e626dfbe19482c8ce16a329c799285235ed0ee8c473e1e79f

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
81KB

MD5
c0cd1bce30f984aa91fdbc945b4ca99a

SHA1
5729542bbc26fced4b8968e0118cf9b330676d6c

SHA256
c3cf609f1793f114359d103a6943d3a3624bff1b196576a7ebd787e222829fe7

SHA512
3cbae3369fd415c5d2ee148230ca8247b09a4cf61bd6a4105ed0434485b3f85e8d53e76c1e485335cdc23c34172187ec39143e7f878c49c0f5d6af6c80fbb601

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
81KB

MD5
5f98579f80991ced670a228fcb4e982a

SHA1
3c2cb5ffe8eed9e460c5d259657047d3965b2e59

SHA256
4155fb7f60b37d891288b026071f2aa2ea95e1443b10458d23baaa95dae8933c

SHA512
1a0e00740c4c232d6aeb2558014f3345205797c8a8635d8bc664ec0dbaf40b5b1909731262fb83418ac53569377471d9546ad442028ef74a671d48bbabfe2938

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
81KB

MD5
60a0a9e765bf98a7d0c5d03fd634a033

SHA1
3d9ad2192dcd1d7d7209a10ced6b3831786b6e04

SHA256
2a0725b01e9ba056abd024c483bce81f763232c59c395bfb089a33ddf16917ce

SHA512
d479c597af93ea6a02b3c71436a371cf2f3fb465490e83da7b4a67a759e02104e51725ce6a71cb1027df601ff641f70c9139337452e63c9335af41f621137622

Download Submit
\Windows\SysWOW64\Ffbicfoc.exe

Filesize
81KB

MD5
398f22075bc9bd1717f55bb0bb4837c5

SHA1
120e6126b945cc9306e7725cdd794ca4acb89b9f

SHA256
8a944eac2ba25d0cde65545970d12da31fb9bc0595e21859be2bbb86da9a8341

SHA512
3fd4382c8fcb248985d815f910c8d3586e84f4b73b171d26ce815fc36c459968716917c41fca5321f0eab7a03eda8c2bd27bf871d7f5941258873921368679a4

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
81KB

MD5
e50d75b2b7ea42505843bed19299e200

SHA1
2e8ad11bc37e02cf2ee9c94d24214ec559f894b5

SHA256
ef09c638541149171459a032b050621657185f89bbf33ff793e03223f7503d3d

SHA512
46ce83ff73dcd4d7fca5994d6720ab83f9a571f3d5b50d9c4dfed493437087f72f764124fbc525825a9ab5ffc845d9bc1eb878f6b1d3f55f9ddf49d9601009ac

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
81KB

MD5
43805135a0a8bd3b72836f76abaf0b45

SHA1
ced3e3b387fee9942950d79d0ce230276b677562

SHA256
cc3efc0bd6cd47a9bf2b9973f012ede36489829cd06e7dd39e7aa57e936572ad

SHA512
50658d6f4011b6a164525c97b7e1938423242e92069408a0f9ce5b6dfbf590b08ed8de4689d72092927969b988acb43e505a4ee89213da65dcc49cf0beb079ed

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
81KB

MD5
913c4bab3fdab942f172cce61cea8b0d

SHA1
3f7a5242c37fc084788856834b091ab21f630e1b

SHA256
548beb223cbd343036f5ebf17a410b2ce740f7c1997366e164e333f96dba837c

SHA512
d72efe871ecfd6a71c73d54ab158cfe02426b7144ad5c753035311f56d605aa606be752d9865688946e8fc565e501b197b1940fed607b763b67f5ae0979c590f

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
81KB

MD5
403e137ed76358304875a7596ca2d775

SHA1
b12bd675ff462133f7ccd9747dfe9ed2211f4f38

SHA256
6652cb04ddaa029fd26d0e31c1366612d4ce3d11484f4a92b5c85bf242684cd1

SHA512
27799467d58ab0af8d4e571326aa01540ae75ff909f25faa7d8a693001d63f0e2df72a95536b791ccd2fb1ec59818b48fee65713d43147ab92f33ba2e0e0aa8f

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
81KB

MD5
7e180b17a51e6e75c88a8b3fabab79ba

SHA1
c910a2928c03a40760623fecc7ba7179c2707680

SHA256
42948cf92e6d38368a942cdb4239b212742e367c462ad78d9d5aa5fa86f1c7e8

SHA512
728961b0f15b92e93c85203a8fcf352a33f00a6aa77aa5dd1bed45f706dbb6e3e267357ea9f89d392e8b8b7a4f01b9247ad4c8a7aabc8620a19f2b4081972c0d

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
81KB

MD5
4e96a96d5bb34e46adb3adbacdd78db4

SHA1
43410a33f980f7b274d2c7a1f92cfdaf36aef382

SHA256
d31e30ac59b7bb0b105ef8fe6f8a1def36cda2f1981fd25e2f9e729b83837447

SHA512
ac65debf160b91d218a982bdb7847c66b8fc6b76253705cabe9008e17760d92e85e8c235093df5e2180e858619a34ad081f6b8367d144e30e1f1d4652c03fd17

Download Submit
\Windows\SysWOW64\Glfhll32.exe

Filesize
81KB

MD5
57598c48d4bbd65e0749c01078bf7ed5

SHA1
6a2dfc6b1ecc1150922a0f27da7d01c798906573

SHA256
37505f97023919c72503391ed6b7b37f1a5a4d7ef8107a40a5c0b9b7d38b4e1d

SHA512
f6ae2077b9d819afc380920b8c3af4617ccc583aaa9950ce2080142f2aee27da89c3a064ad41fb96436206163549863c571a7f0ee4232c5204ff6bdff5025d7e

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
81KB

MD5
b0a993f84ad1a0e53807c5bfed38ce6b

SHA1
5a82cb7a785a4388af7967bde092808320ed4e80

SHA256
efba220185aa9f1f661f8f396d6fe881bc568e677aef9499ef646a6760e92266

SHA512
a5a640e7d89f3400d7bed2394f842a73aa1e56184f67753dea4c643c07d93c71a27cdfe9e5a0697b6a80b9b1d17842bcf9ce4c8b28c5b1cfe3f11fe775fde4b3

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
81KB

MD5
b704d3f9245f9c9d2590b1ed37cd2c01

SHA1
173a5c3051d5f43061fc3a773010a85d5491d569

SHA256
5567549fe7c669a9dbcbd7a597db888d9f9a0fdd14bae79de9303f63c6193626

SHA512
77782c3e769ddc07cd75577cd4d93d81ecfba635a1a1b2ca409230a95d7d0617e2f0d9ad2295dcb711d84633ea72d819c1d6c6a9398ecc16c245bb2154f8662a

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
81KB

MD5
f7a58719ceb29b9282d62ff5ac8724cd

SHA1
4bec8ce6580d8385975ec6236436221c77d44b8c

SHA256
cdc6ef59d5992739d85e146b4655755ad3f8e83c0c2aa6e95b1d402da3f96b6e

SHA512
5d9d4cb70578491dd5e61fd92e783efdfbc3115a95be1f9a04b39543962f8bd9b02d81fba4c3ed5b007c6ad7548aff5eca68cbf10378a1b8f8bfe6b835c1ab2c

Download Submit
\Windows\SysWOW64\Hahjpbad.exe

Filesize
81KB

MD5
8cb8c6c107ba32c6e72a523275f66dc9

SHA1
92c4238ae58cb19e716961112ac57eda65b4fe85

SHA256
1c49ba59c2e7fee72aee3121382b408ef114134a120592e2a5883b160037a2dd

SHA512
080559f3ea7e8424eeaacf15a7e32c32b5faacf2f136b81a4b148fe0884ba5e6490d9c946407ad3df285b00cdc01afe38135c10ba7097a2cf3aa76b8a1a8966e

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
81KB

MD5
fdb45dc78236743790897ae171a23ee8

SHA1
ee9585955b3d4d09aee2b6b03543fc456ecb0ab9

SHA256
debb6a797f4f519838c7e258d386299b6aea02b7a867fb2d68024508c5e6d355

SHA512
fa9773eb0d0f55f8053d965759d4a0c1a608f91c225d112c09576214d0dd1118ae891c06be0c52c51c733f0ec57451e4f5ee9dfed69cb293bca0789b85c066ea

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
81KB

MD5
2f6fb91dd5e264dcde152a48a9babee8

SHA1
1e2d99984faa872552a029a50481311cb96c640f

SHA256
56cea83a9dcd264a2ab5ecb2326ee65eda8f7da3b8847cfca3752f5a46206417

SHA512
a22e3f04a8e51a5423a73c0a991fe6ea79fe26746f2279df1850b8c9d19a4ec1ab37f94dbc66521eb966962dfcb7df74041893223930095ccc2547e2938c568c

Download Submit
\Windows\SysWOW64\Hlakpp32.exe

Filesize
81KB

MD5
4218838ea8f63e7b2de6f23ed4c2b82c

SHA1
94c5b45264ad017c3af6ffddc80be780110a3d94

SHA256
56205b04f303d8721525f323c469b0a8656abfe934c38242361a2311d2f2fa76

SHA512
5430c99737ef42ba951e4627f1e7cc42ad182aefa7f99d112b65f72d313d1f00aed4bf468cf67d4dbff05fa4f2d87f2259c7e8ab74f76ea8f46d38d1d52b866e

Download Submit
memory/572-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/608-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-167-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1016-261-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1016-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-256-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1224-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-212-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1488-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-239-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1536-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-282-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1800-281-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1800-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-303-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1992-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-299-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2008-34-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2008-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-13-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2128-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-6-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2128-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-193-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2336-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-93-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2468-80-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2468-73-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2468-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-115-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2540-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-60-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2760-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-220-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3000-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3000-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-293-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3004-267-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3004-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-229-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads