e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be

Analysis

max time kernel
142s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Size

386KB
MD5

b69cc6932d031d17f31882a2f231020f
SHA1

7895966e50b6dd928a10ae1b297f1a147e464f31
SHA256

e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be
SHA512

28b67160b8ecec7ca95fc4de86c5a4fe81d28cb7bf281db33ea4960f49908491b8450b3b9b5bffe8671c8590f502b75132d05fbcfaacb0a3fdaab24e782aae40
SSDEEP

12288:0GnuwQZ7287xmPFRkfJg9qwQZ7287xmP:duZZ/aFKm9qZZ/a

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieeimlep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghfnioq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koljgppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehfcl32.exe

Executes dropped EXE 23 IoCs

pid	Process
2612	Hejjanpm.exe
2244	Hghfnioq.exe
860	Ijiopd32.exe
972	Iaedanal.exe
1204	Iccpniqp.exe
4772	Inkaqb32.exe
672	Ieeimlep.exe
800	Jbijgp32.exe
4408	Jehfcl32.exe
4500	Jhfbog32.exe
2232	Jlfhke32.exe
3164	Jjkdlall.exe
3512	Jaemilci.exe
4000	Jhoeef32.exe
4996	Koljgppp.exe
2564	Kefbdjgm.exe
2488	Klbgfc32.exe
876	Kemhei32.exe
2168	Lkiamp32.exe
4356	Lbqinm32.exe
3676	Lhpnlclc.exe
2300	Lahbei32.exe
1324	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jhfbog32.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
File created	C:\Windows\SysWOW64\Iccpniqp.exe	Iaedanal.exe
File created	C:\Windows\SysWOW64\Ncapfeoc.dll	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Hlnecf32.dll	Ijiopd32.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Hejjanpm.exe	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
File created	C:\Windows\SysWOW64\Gcqpalio.dll	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
File opened for modification	C:\Windows\SysWOW64\Hghfnioq.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Hghfnioq.exe
File created	C:\Windows\SysWOW64\Jhfbog32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Mapchaef.dll	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lqcnhf32.dll	Hghfnioq.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lahbei32.exe
File created	C:\Windows\SysWOW64\Hghfnioq.exe	Hejjanpm.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Ijiopd32.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Dfaadk32.dll	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Iccpniqp.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Eloeba32.dll	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Aedfbe32.dll	Iaedanal.exe
File created	C:\Windows\SysWOW64\Ieeimlep.exe	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Ieeimlep.exe	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Bdelednc.dll	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Iccpniqp.exe
File opened for modification	C:\Windows\SysWOW64\Jhfbog32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Kemhei32.exe
File created	C:\Windows\SysWOW64\Lbqinm32.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Iaedanal.exe	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Lkiamp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	1324	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqpalio.dll"	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcnhf32.dll"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdelednc.dll"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaedanal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedfbe32.dll"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnecf32.dll"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfkgg32.dll"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieeimlep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2612	1756	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe	91
PID 1756 wrote to memory of 2612	1756	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe	91
PID 1756 wrote to memory of 2612	1756	e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe	91
PID 2612 wrote to memory of 2244	2612	Hejjanpm.exe	92
PID 2612 wrote to memory of 2244	2612	Hejjanpm.exe	92
PID 2612 wrote to memory of 2244	2612	Hejjanpm.exe	92
PID 2244 wrote to memory of 860	2244	Hghfnioq.exe	93
PID 2244 wrote to memory of 860	2244	Hghfnioq.exe	93
PID 2244 wrote to memory of 860	2244	Hghfnioq.exe	93
PID 860 wrote to memory of 972	860	Ijiopd32.exe	94
PID 860 wrote to memory of 972	860	Ijiopd32.exe	94
PID 860 wrote to memory of 972	860	Ijiopd32.exe	94
PID 972 wrote to memory of 1204	972	Iaedanal.exe	95
PID 972 wrote to memory of 1204	972	Iaedanal.exe	95
PID 972 wrote to memory of 1204	972	Iaedanal.exe	95
PID 1204 wrote to memory of 4772	1204	Iccpniqp.exe	98
PID 1204 wrote to memory of 4772	1204	Iccpniqp.exe	98
PID 1204 wrote to memory of 4772	1204	Iccpniqp.exe	98
PID 4772 wrote to memory of 672	4772	Inkaqb32.exe	99
PID 4772 wrote to memory of 672	4772	Inkaqb32.exe	99
PID 4772 wrote to memory of 672	4772	Inkaqb32.exe	99
PID 672 wrote to memory of 800	672	Ieeimlep.exe	100
PID 672 wrote to memory of 800	672	Ieeimlep.exe	100
PID 672 wrote to memory of 800	672	Ieeimlep.exe	100
PID 800 wrote to memory of 4408	800	Jbijgp32.exe	101
PID 800 wrote to memory of 4408	800	Jbijgp32.exe	101
PID 800 wrote to memory of 4408	800	Jbijgp32.exe	101
PID 4408 wrote to memory of 4500	4408	Jehfcl32.exe	102
PID 4408 wrote to memory of 4500	4408	Jehfcl32.exe	102
PID 4408 wrote to memory of 4500	4408	Jehfcl32.exe	102
PID 4500 wrote to memory of 2232	4500	Jhfbog32.exe	104
PID 4500 wrote to memory of 2232	4500	Jhfbog32.exe	104
PID 4500 wrote to memory of 2232	4500	Jhfbog32.exe	104
PID 2232 wrote to memory of 3164	2232	Jlfhke32.exe	105
PID 2232 wrote to memory of 3164	2232	Jlfhke32.exe	105
PID 2232 wrote to memory of 3164	2232	Jlfhke32.exe	105
PID 3164 wrote to memory of 3512	3164	Jjkdlall.exe	106
PID 3164 wrote to memory of 3512	3164	Jjkdlall.exe	106
PID 3164 wrote to memory of 3512	3164	Jjkdlall.exe	106
PID 3512 wrote to memory of 4000	3512	Jaemilci.exe	107
PID 3512 wrote to memory of 4000	3512	Jaemilci.exe	107
PID 3512 wrote to memory of 4000	3512	Jaemilci.exe	107
PID 4000 wrote to memory of 4996	4000	Jhoeef32.exe	108
PID 4000 wrote to memory of 4996	4000	Jhoeef32.exe	108
PID 4000 wrote to memory of 4996	4000	Jhoeef32.exe	108
PID 4996 wrote to memory of 2564	4996	Koljgppp.exe	109
PID 4996 wrote to memory of 2564	4996	Koljgppp.exe	109
PID 4996 wrote to memory of 2564	4996	Koljgppp.exe	109
PID 2564 wrote to memory of 2488	2564	Kefbdjgm.exe	110
PID 2564 wrote to memory of 2488	2564	Kefbdjgm.exe	110
PID 2564 wrote to memory of 2488	2564	Kefbdjgm.exe	110
PID 2488 wrote to memory of 876	2488	Klbgfc32.exe	111
PID 2488 wrote to memory of 876	2488	Klbgfc32.exe	111
PID 2488 wrote to memory of 876	2488	Klbgfc32.exe	111
PID 876 wrote to memory of 2168	876	Kemhei32.exe	112
PID 876 wrote to memory of 2168	876	Kemhei32.exe	112
PID 876 wrote to memory of 2168	876	Kemhei32.exe	112
PID 2168 wrote to memory of 4356	2168	Lkiamp32.exe	113
PID 2168 wrote to memory of 4356	2168	Lkiamp32.exe	113
PID 2168 wrote to memory of 4356	2168	Lkiamp32.exe	113
PID 4356 wrote to memory of 3676	4356	Lbqinm32.exe	114
PID 4356 wrote to memory of 3676	4356	Lbqinm32.exe	114
PID 4356 wrote to memory of 3676	4356	Lbqinm32.exe	114
PID 3676 wrote to memory of 2300	3676	Lhpnlclc.exe	115

C:\Users\Admin\AppData\Local\Temp\e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe
"C:\Users\Admin\AppData\Local\Temp\e0856facdca05c2d24fd6ba905a0ebbe8924b7d192fb7a167e59649d822324be.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\Hejjanpm.exe
  C:\Windows\system32\Hejjanpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\Hghfnioq.exe
    C:\Windows\system32\Hghfnioq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\Ijiopd32.exe
      C:\Windows\system32\Ijiopd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
      - C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 412
        25⤵
        Program crash
        
        PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1324 -ip 1324
1⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aedfbe32.dll

Filesize
7KB

MD5
25d1adfe66ab61b0d55b230015a7ada0

SHA1
71293f952180f5c6065e1d10ee5d4ff473f2e632

SHA256
8e53dfbcb88f9bb82b1f1bd2820ae7c7107a340bcd9d455a6f952cef4862ace0

SHA512
becf0d23d490aea5624c969890301eec560414f2585dd2072a5ec3880d3adc45d0ec2fe6f21e5d06eb329ab8f26b3becd7a012297ff9d15c2674db673583b6c6

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
386KB

MD5
05050e551fa8feeac91a5894e3661138

SHA1
5974859dd48e4a4d9e9876ddebf69119016e5450

SHA256
26b874e471e6ca214c0b920974168a961a8c4ecfcab6d1e71ce3ebe16bccbb98

SHA512
1414e6ea12f3b368f1c079e59d3d3c8124ceeb135d4601981a783a7ec120388b6632705fe59622ef4cb9607deb0114eef1409ab14b91f8f163456367874c28d0

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
386KB

MD5
d02fb93be2c0842665a1d983a7f509e7

SHA1
51cfaaa45c46b4d0dd5d90b696902423c36a3549

SHA256
312de79a00df457d959949a82e30d3435a2cca84046b39bd4957eaf339ee3d7b

SHA512
fd1d747baf36266980c89206ba584f549778668f809bbbff370875765641c6c2803a8eabaf0aeb8c7f7a928f0d352ba40cb381bc4725694ad6d055a130af8ce8

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
386KB

MD5
6813b35bf5ac4d40acbc2151d74aa259

SHA1
e42ede8e265fffd251dc863de7e3a01e4e2332b6

SHA256
34948690c9a2cd0f530966388a49e17b071e59404d92e75a2747ac63e54db178

SHA512
eed1cd379056d141d401ac537711ff723e61484ba9e114dc93e652959798ee5a147fc836d9dcb1d6395184c0fc6b3c1bbca7c35e4129ceeea3e4b4c4c606fa14

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
386KB

MD5
13f914589c2cb643f60dcb6b0a27e136

SHA1
98fba765c3561a43350562f292206e8afa98a943

SHA256
125ba7021e809dbc65fb7c9446af90707d69fc3c91a3fe12643c64ce0ae5602c

SHA512
91b9abb6addb38bdb3d0d859879cd16f16c1fe6c2f3c78d5e39697c4f17902047e180c3374f351223cc0e5a16b0e5dbccd653f7eec278fa3298d3432c02d0b82

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
386KB

MD5
09c04c3a0c62968e2bafcf2690856b0f

SHA1
e3a5bcd10741db13952327c025fb255af1a74d8c

SHA256
54dacb7a0b9ac0c106ccb8fda111066246faa03046f2e11c582962f29b9be957

SHA512
291ee372af8d75a3416109bc91afd8ae593bb6f76a1f75ab629d6a38751c9f4900606560b4de070479ecc4adb3b127b2e67e374235a4437ee74d84751804fc5a

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
386KB

MD5
eea7f72b90d64ccafc184ff5b0a68cc9

SHA1
f06d4e8451920320335f3c1c1c14398def78019a

SHA256
926c8dec70392fa5f9abd921333e8b0a211a493f0670b649652c7d3d1bc0008c

SHA512
222dc2299b8461c912b3d3b03fa8b4ced3dcdbfd2209cb1c3bb04a861382f4e8a05233674baed68bfc14001a37b5e13ab0654a9d3af1de0040ff1689c8a7cccc

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
386KB

MD5
a6bf21cfe29f1c98d2b7070cdad8812a

SHA1
d8ebe4772d2c3be35b32257479f850b79b24cf14

SHA256
bd97b02102c730e3b9d17ff0bade4895c13d705c0958c73c865477e9f723ce15

SHA512
eb369a5254611696b753993819efda4dd0ed59282faf36a1c470624cbe7be5a07b1c8876547d330f8a360ff12b339b42661ab6b1a7b42eeb63c8bf1af25a808e

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
386KB

MD5
ebb4ea778e5881fc9b1905a323bccd4e

SHA1
e76bdba7ee2ef1e532d0f209d0dbac19b4f7ffe3

SHA256
caead38add4368efa1d48e015e0303f523fcceb00326a8e04c5f97e2d0417c93

SHA512
bf180bfe968e542efd4c24b131ed06dbdae10bf359c236d74c6cc31e24a7c8cdc2f51b304a758ca63a12a66bd9a82de976de64aea47351eacb4adafefd1aa69e

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
386KB

MD5
2df59e2d91e951984e97435dabdfd025

SHA1
aaccf1a151535fbc6b31f2b477167f430ee0bf1b

SHA256
941f09f4e94bd6c8df22da2b96c8b3683b3c6fe0002c1275efde721118854ad3

SHA512
ceb03518b35e7cf6f1fffb7d972dc9b191f6e1cdda56c1c704cf4c37d4500fca130fab34839de15aec8c5e6cf18b7daa7797610694d6fa0a6aa0a7491f5465ee

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
386KB

MD5
d633cac0598f4d73d5c48bad578c4b85

SHA1
ed72a3367cf8439d0e77aea5eb592f1b01997a0d

SHA256
a17d153f5a05efd8fdf2a99ad6764004553af37249cfea61600c2b25af746fd6

SHA512
52e3f45f91617c576473f2e8485ca04f02c9e8492d49294d0593e0e91bcd7f7a3c95cf503416b40998867f4edcce83eb033f8eb1e5429e1d6f4eef3869583b98

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
386KB

MD5
ae57f376a191ec3e5ba6b776bb9712a5

SHA1
8539d02604cb045b7351cacbee4e09d5d1ba4ed1

SHA256
59f13922a7f096baef57b08c4b3373b009734f01c62ce9eb815dfe0f0a71b4b1

SHA512
16ccc2d9a7264c3bf521f7e4d86e21b174a06b170172f53e9aa61630e9c670780514e4b6fee8ddeaa6c37491a32f9a5d262a4e7450633a70b5eea07bc9a0568d

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
386KB

MD5
3917af852249aa6808ddb8c7b3c3f0ab

SHA1
59b9efe3b3a416efa29be6af7b7b49b537481a16

SHA256
7cc7737115947dec3172731734dd4d9035189f6c4b24a9f32706fd13b1c225a3

SHA512
07ccb1138b44c858d6c6cdf72bb820e55f1cfa0f83ab5226829fab6040b3078edda93323033a60b77042ec910d4eed970d6850df1bba3d4cd690d1a24df6fd32

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
386KB

MD5
8131210026a1ea0521fa7777f3657491

SHA1
89ef4c1933aaa531afbeafe8f8c3090215002adc

SHA256
647e528dc29c9bfdefa9ec0edb52c1268f8e2b320925eb805b2877142b987469

SHA512
dc27f6f5f921d385f66b048536ecf5a4da5e769b197472943509a7e4e618e9a71fe3495d3ce786234fd9bb000600aaffb38a0d1f54aa5e4d2641f910fea9210c

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
386KB

MD5
6cddc661de22b1c11506e08e109ac7c6

SHA1
12b2856f17c93a930bef87be9cb7a1f1d17161aa

SHA256
b9971ea7b9d67e45a6e335465607e3329ee0eab5b94aded8a3588ebb30728a19

SHA512
59e9c6e81a46ddefea81e2f8d6fb3a26a48e01295bf362fd294422a921ea72f8f42f531a696adf216d9aa72aa94578bae63cd08bb6ff9feb69afaad7325032b6

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
386KB

MD5
1d209078d7b239f60248f439dcdc7722

SHA1
097172e5592ed9af7843eee97378479f48c2fae4

SHA256
d1f7bcaa3cc4a3a3bc538e96f82a08428a4f43f99a16f3c0c047533fd725b19e

SHA512
5e6a7da7a6a9985d9de43ab8102f4564d3e8c98641371950ff92a1a80565e0b57b012c7574795a530106cc78459b54c132f90b40e5313d20dce65ccc7fb2e01f

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
386KB

MD5
5f97f7f71f44b7280cb0b9ace6df3a31

SHA1
f6a867843f66b18a223771f844be16cb13543333

SHA256
9742aad05b03afa32da2ec3a0219998d165198d70b94b92902e2581c4d20a4ad

SHA512
c45e322c1d64cfca986d77a18552175a60d7312cb9b4ac4a6222742f1f8d84e9107cfe63f472fd49586aefc0698e86b3962cd2dbb6faeea3f91e2779545892b4

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
386KB

MD5
0b967c486768597fe2e17d63908945ef

SHA1
0f2f99a00f8553e9f1df4a43901b120381a2099c

SHA256
a29f23102ec9e4e9f9d14d3feef7e9c72090cb395aa389d3acd56f35284b50ef

SHA512
c2fc41a13c776a52dbf6fec5b872d8b190f52f9a49da49c0574599d713ff24b1fd25d0ad49914fc7effd63d58a0b6427385506e8fa2b7518a6431ebe405bdf8b

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
386KB

MD5
b726c8cf250b9116f5de27e6ad2b5a03

SHA1
6b8ecae5b95876b052801028b9879f143452c2b8

SHA256
51d0253635f1f828218743df46810a42adaa76edc6f0cca1f011dd5864932bbb

SHA512
ed10ade1c7488e3cb65eab31cb38b69f1e9ea94a71f3af7563bcdc1221feed2a7d7adf5f7a25f1e6afa036f060d395b18e7d962a62b784820b73de45180c7b78

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
386KB

MD5
35853cb63b08ee6a792e65a2d0385ed7

SHA1
576a43227b44e2adad7a26fb57bf0619c85f3a22

SHA256
fda39cd91ab8d95eca7611ac3a8d596b036a1a4cfc53d6e39b1b83255dad24b4

SHA512
a4018688c023a1e030323305846741173aef1670ab43e75922cdc0bfa8313435270e7fb3a50627f16482e55c00aefcbd5a55c9b9040c38c463ebae61cf2a68e0

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
386KB

MD5
6770dcbddea30600fff0aca12dc213ac

SHA1
d71c9db73ba6b2f4b7ded052aee496f8c08df2c4

SHA256
3a3200a64f23cce49258445b2c8a0a3ef084f9bd922de5ee78b2ffc4fe04be68

SHA512
a262eac03b3ba9bf0bdc5c1b48255e4714956ef7239f6dd824b682e33b826bffb5b755d8f355b96247a80381a41a4c3e71ff4507d5242c83430e7fad9a039438

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
386KB

MD5
262ca81d1570ac952f5fb0bd2d647f8d

SHA1
9d995f9c2d4bfde09917a90c118357fcd92fdd65

SHA256
4c861117c70bdd1597ba16e0fad383bcae9516650e9a86c1aa1902bce73d4fef

SHA512
70d6d73f952af96395b9c9c0fb5ba4508a8613351a097622e004239c62119fe0683e9c7aa6e1b8cea58437ac630b61bc97afea5a3c352e2de27ca7ca2837174e

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
386KB

MD5
6e5d9237f52dd49160afa9be5010f818

SHA1
4f124c4bb44b766c0b98c9889cce8b5dd89a0e69

SHA256
bf39dca48a1b934969238064c2ff27d30d68404b1c3a0fb8abf91ae6a8a81798

SHA512
244392dc8347f34ce9483fb698f56fa6c3ff4b945114180f339c01b1bb1269bfbd19e58bf0d4fd4ca8296111a13587462796f2e425b34b1cc446f43dda07cf95

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
386KB

MD5
ddd8c5d39d290a7bf27d0ad4dfb61a54

SHA1
91504116b6b3f13a83644c93fee88883a7ca66b3

SHA256
50a8d6a1a9ca8031acffcb5c62ebac984e9f439188ba98920a7eedd7fa6eaf31

SHA512
1ac5c3d849896f7a5bac2a8a88d667d66ef98bf72196799c07989e971d685588f5f8d2ff0cacbe746252e01b7db6e7e7072a6bcf98e54ac21a55175ee8e20468

Download Submit
memory/672-216-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/672-63-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/800-214-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/800-64-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/860-24-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/860-224-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/876-144-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/876-197-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/972-222-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/972-39-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1204-40-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1204-220-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1324-186-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1324-183-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1756-230-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1756-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2168-193-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2168-159-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2232-231-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2232-87-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2244-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2244-226-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2300-174-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2300-187-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2488-196-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2488-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2564-199-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2564-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2612-228-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2612-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3164-207-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3164-101-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3512-205-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3512-103-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3676-189-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4000-112-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4000-203-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4356-160-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4356-191-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4408-76-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4408-212-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4500-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4500-210-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4772-48-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4772-218-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4996-201-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4996-131-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads