dc0cc260adb6fa57b858b1416b30610ba22ba5dbd92388c55a1a691fec2b1fb5

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c08064a07e228501d161249af029a0N.exe
Size

64KB
MD5

c0c08064a07e228501d161249af029a0
SHA1

25e13d7c91c0bcd6ecc439a8303028be1b50d1bd
SHA256

dc0cc260adb6fa57b858b1416b30610ba22ba5dbd92388c55a1a691fec2b1fb5
SHA512

e4dc505936a0514ffed06fa0e07cc5aa41da5933e367de73443188f2ab902154c2de577672106e86d7699ac756d1feeaaa044dbfca1f86493c82069115cdbccb
SSDEEP

768:rd1cFlXjCZUmqvFJmZ49m6g9z3L6lC6CjR/1H5HZAQ6AfX8tG9nB6rRIrztrTmks:jcvjMqvFMZ49mB9rL6EQQ6OX8UwwPnBm

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c0c08064a07e228501d161249af029a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe

Executes dropped EXE 25 IoCs

pid	Process
996	Jlkafdco.exe
3324	Keceoj32.exe
2096	Kdffjgpj.exe
3172	Kkpnga32.exe
644	Kbgfhnhi.exe
4776	Kdhbpf32.exe
1020	Klpjad32.exe
1612	Kbjbnnfg.exe
4700	Klbgfc32.exe
2672	Kblpcndd.exe
1344	Kaopoj32.exe
3128	Kkgdhp32.exe
2996	Kbnlim32.exe
5052	Kdpiqehp.exe
4244	Klgqabib.exe
4548	Lbqinm32.exe
1088	Ldbefe32.exe
2420	Logicn32.exe
3144	Leabphmp.exe
4948	Llkjmb32.exe
4360	Lbebilli.exe
2440	Ledoegkm.exe
32	Lkqgno32.exe
3320	Lbhool32.exe
2868	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dcmnee32.dll	c0c08064a07e228501d161249af029a0N.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Kkgdhp32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Keceoj32.exe
File created	C:\Windows\SysWOW64\Lamgof32.dll	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Keceoj32.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Hbhgkfkg.dll	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	c0c08064a07e228501d161249af029a0N.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	c0c08064a07e228501d161249af029a0N.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Kkgdhp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kkgdhp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Kkgdhp32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Keceoj32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kdpiqehp.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Ledoegkm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	2868	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0c08064a07e228501d161249af029a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c0c08064a07e228501d161249af029a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Kkgdhp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 996	1152	c0c08064a07e228501d161249af029a0N.exe	91
PID 1152 wrote to memory of 996	1152	c0c08064a07e228501d161249af029a0N.exe	91
PID 1152 wrote to memory of 996	1152	c0c08064a07e228501d161249af029a0N.exe	91
PID 996 wrote to memory of 3324	996	Jlkafdco.exe	92
PID 996 wrote to memory of 3324	996	Jlkafdco.exe	92
PID 996 wrote to memory of 3324	996	Jlkafdco.exe	92
PID 3324 wrote to memory of 2096	3324	Keceoj32.exe	93
PID 3324 wrote to memory of 2096	3324	Keceoj32.exe	93
PID 3324 wrote to memory of 2096	3324	Keceoj32.exe	93
PID 2096 wrote to memory of 3172	2096	Kdffjgpj.exe	94
PID 2096 wrote to memory of 3172	2096	Kdffjgpj.exe	94
PID 2096 wrote to memory of 3172	2096	Kdffjgpj.exe	94
PID 3172 wrote to memory of 644	3172	Kkpnga32.exe	95
PID 3172 wrote to memory of 644	3172	Kkpnga32.exe	95
PID 3172 wrote to memory of 644	3172	Kkpnga32.exe	95
PID 644 wrote to memory of 4776	644	Kbgfhnhi.exe	96
PID 644 wrote to memory of 4776	644	Kbgfhnhi.exe	96
PID 644 wrote to memory of 4776	644	Kbgfhnhi.exe	96
PID 4776 wrote to memory of 1020	4776	Kdhbpf32.exe	97
PID 4776 wrote to memory of 1020	4776	Kdhbpf32.exe	97
PID 4776 wrote to memory of 1020	4776	Kdhbpf32.exe	97
PID 1020 wrote to memory of 1612	1020	Klpjad32.exe	98
PID 1020 wrote to memory of 1612	1020	Klpjad32.exe	98
PID 1020 wrote to memory of 1612	1020	Klpjad32.exe	98
PID 1612 wrote to memory of 4700	1612	Kbjbnnfg.exe	99
PID 1612 wrote to memory of 4700	1612	Kbjbnnfg.exe	99
PID 1612 wrote to memory of 4700	1612	Kbjbnnfg.exe	99
PID 4700 wrote to memory of 2672	4700	Klbgfc32.exe	100
PID 4700 wrote to memory of 2672	4700	Klbgfc32.exe	100
PID 4700 wrote to memory of 2672	4700	Klbgfc32.exe	100
PID 2672 wrote to memory of 1344	2672	Kblpcndd.exe	101
PID 2672 wrote to memory of 1344	2672	Kblpcndd.exe	101
PID 2672 wrote to memory of 1344	2672	Kblpcndd.exe	101
PID 1344 wrote to memory of 3128	1344	Kaopoj32.exe	102
PID 1344 wrote to memory of 3128	1344	Kaopoj32.exe	102
PID 1344 wrote to memory of 3128	1344	Kaopoj32.exe	102
PID 3128 wrote to memory of 2996	3128	Kkgdhp32.exe	104
PID 3128 wrote to memory of 2996	3128	Kkgdhp32.exe	104
PID 3128 wrote to memory of 2996	3128	Kkgdhp32.exe	104
PID 2996 wrote to memory of 5052	2996	Kbnlim32.exe	105
PID 2996 wrote to memory of 5052	2996	Kbnlim32.exe	105
PID 2996 wrote to memory of 5052	2996	Kbnlim32.exe	105
PID 5052 wrote to memory of 4244	5052	Kdpiqehp.exe	106
PID 5052 wrote to memory of 4244	5052	Kdpiqehp.exe	106
PID 5052 wrote to memory of 4244	5052	Kdpiqehp.exe	106
PID 4244 wrote to memory of 4548	4244	Klgqabib.exe	107
PID 4244 wrote to memory of 4548	4244	Klgqabib.exe	107
PID 4244 wrote to memory of 4548	4244	Klgqabib.exe	107
PID 4548 wrote to memory of 1088	4548	Lbqinm32.exe	108
PID 4548 wrote to memory of 1088	4548	Lbqinm32.exe	108
PID 4548 wrote to memory of 1088	4548	Lbqinm32.exe	108
PID 1088 wrote to memory of 2420	1088	Ldbefe32.exe	109
PID 1088 wrote to memory of 2420	1088	Ldbefe32.exe	109
PID 1088 wrote to memory of 2420	1088	Ldbefe32.exe	109
PID 2420 wrote to memory of 3144	2420	Logicn32.exe	110
PID 2420 wrote to memory of 3144	2420	Logicn32.exe	110
PID 2420 wrote to memory of 3144	2420	Logicn32.exe	110
PID 3144 wrote to memory of 4948	3144	Leabphmp.exe	111
PID 3144 wrote to memory of 4948	3144	Leabphmp.exe	111
PID 3144 wrote to memory of 4948	3144	Leabphmp.exe	111
PID 4948 wrote to memory of 4360	4948	Llkjmb32.exe	112
PID 4948 wrote to memory of 4360	4948	Llkjmb32.exe	112
PID 4948 wrote to memory of 4360	4948	Llkjmb32.exe	112
PID 4360 wrote to memory of 2440	4360	Lbebilli.exe	113

C:\Users\Admin\AppData\Local\Temp\c0c08064a07e228501d161249af029a0N.exe
"C:\Users\Admin\AppData\Local\Temp\c0c08064a07e228501d161249af029a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\Jlkafdco.exe
  C:\Windows\system32\Jlkafdco.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\Keceoj32.exe
    C:\Windows\system32\Keceoj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\Kdffjgpj.exe
      C:\Windows\system32\Kdffjgpj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 408
        27⤵
        Program crash
        
        PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2868 -ip 2868
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
64KB

MD5
b4f256a61d6f7a61f7ea03e2c4a4d2ec

SHA1
3da7a46b7fb15d09cda8269ee282eaff3dc45b0a

SHA256
065cdcc205472679284b1f42907c5214a6c02292dde4547c9c1e6dc36611c767

SHA512
843658f0fc2eb231825ddd8661530c1a4f1edf3a542d47b69fb5dd5cd9a89ef1c015233fa6e9e5d0409866cab297184716e5240c949297243982a2cbd2181ea3

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
64KB

MD5
6560a4e6e37e14461ab4525e8a8cf3dd

SHA1
6869599e4269eb30a4a9cce6910e5c947f114d84

SHA256
2c70b8aa8907eaf25529c769b9b094c5f030355409510477fd2a789587fce498

SHA512
f7adc31480b1aa0bab96a896b120c26c795db2c5119d01b3e1b7f29f0513eb073ec1b249c60cec8c767f22887ec844fd0243baee0cc1535535f43924c17dc8f5

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
64KB

MD5
3b04ca6307369df47c307ec0d5d998aa

SHA1
978efdc9ca95a9fef4e67775aabb2517345c1a33

SHA256
0248743c63286fd0da09a7872b5ea3429a6bc2737419ce3dd79ae8914b990e64

SHA512
976bf6df447fb7b473d66701cc003759b8f4036cb751089d7c261dbb3188cb5d3e8c3381edc679752c63011443096b80fad6e937919c93e6131ca77fa195809b

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
64KB

MD5
d4f54aa6936c6f646b4badce81321789

SHA1
d3645e9033935cb8d23a7b1809261650eb30c072

SHA256
53077b138843822f7f16ddde9528b470aa37d4da19a376cccdddfcb3ac147e8b

SHA512
7a3183f8c405d9ec7f474e921dbeffa7649c8443b53c123c739be41b34e4b2dddbce11881e57f7041732393a7d4062f3c85abfd866cc48310b02cfc8a00f7080

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
64KB

MD5
edc33c164061fb275083c6adff4ec449

SHA1
7f79fa027f49d5453b080e144053a458724d3d60

SHA256
2ad6bda14d1fd1fd014553925ac837cd47452bac1076522d047f8debcd339c73

SHA512
dd5783edb5b36e0430bd110be95e311e124184754e43cfd0f652b1e4226fe0e50036fd1603433070a4f6e57aba5d5c04301840a6bf2bd499f9e60cce4cf3a660

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
64KB

MD5
e7e541cd636f9299a10423ebea5d94c9

SHA1
a8d32e1b07a878a8a871ffadede28130f2cdd9dd

SHA256
8d76948b2d049695eb5f582bfd9057facef900eacff9ee1d3e4ab7d95dfb9e81

SHA512
724401e9f1193e58b32fd749cd537fbe832fade0eb84e21512c640ad9591a5548549fe5fb5a680e76892f5bbf859dfc48b4ede508c088f656ae8db7ab3aecce3

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
64KB

MD5
2731ac5c8178b6307dfd430b7131a4cf

SHA1
8e8cfcd69923c870d9594cf9fafd777cbe61e44b

SHA256
3947a31625cb2dfcc7cf658146aea29def7ee67b373fcb3982e3c391060fef6b

SHA512
66eb189894adb8342bd99314f94e52a59e59948cf22109231542504c3f3ac4fdc9f60016ba9fdbd609053b7156a5605b9f2d93be4c29a40264269010ffede720

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
64KB

MD5
ed34341a540337d21816ae4cc894dcc9

SHA1
af3c3a42ca3dd56fc280ece53a571159a2a5e8a0

SHA256
ae8c483c84b4a659072d30325e89c6a5b9e73ab1abd010809cd431d7f2befb7f

SHA512
ac899f6dd8b842ec71443394cdeb4a476dacb6796b3cf0d97b47d0f9f906a4f483da4bb70b39dc18380411966cde9a2058585d983197790e0f23008a1e2f777f

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
64KB

MD5
042593caa884583d7b6bbcc5b9befb46

SHA1
6ae50db3b29bcbeb3a5ff68485283f103bf2e690

SHA256
bdd67a950b432473a29e1a5737bd59a8c63f5901a1ce8d578496b733d2b930f0

SHA512
39dd05761f6b58b755396df1a8d3eedfae7e3fe6f9878dd77991a9013217fa331c283d935f4901d478303230150577ba59dcad75e9101ac519a3613cbaebccfb

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
64KB

MD5
999c4a4fca4a8973451b75f76fd211b1

SHA1
15023ffd3ef2e054607a7e81e7447150dac07472

SHA256
6093e58e822eaf5172a6df7bba9abc00a2fb010e8f56be95f0d2a8e3e7dba43c

SHA512
431bdb829381c96150e54f504a45fd683ca6ff11c9f79e350549ad760a5409f2d3744646898176395c9dac8d423d3711a007aba293d3d0943d2635f36604a645

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
64KB

MD5
189e188ebd48801d850442fbe9076dbc

SHA1
1d6a6ca19ff2c3c37c2984cfb279b47b20ba9860

SHA256
e1c4895fc20a78b0c7535a02c6630bb15da565188ae028b09a1b2a1ae0e213ed

SHA512
0087726e0d2eee9a99187c7fba71815f3cb5436a00dd1885f5eb5b72902713c16c786eee2618f37255920039c56d728b4bafebbf320ea9018840c948be85badc

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
64KB

MD5
da90870d212d323c2ef27ac3f07e084a

SHA1
65efce1c0f79adaaafe80606fd1b3528f4aa09f8

SHA256
8ece90a4a97078826fd9618b538d77e5945c4e99473bb5260a410211894da719

SHA512
2cb5fde585343ba28b793148798754eabb558b7530efec5d2393de0eb07a9aff271cbec6b6cb6d712231d515232a1ad49206cfefc344edf4734355963cfbbfc5

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
64KB

MD5
62c2e279789920b745ad45ccc8722ce6

SHA1
36f9aa0ba8deb63ee9f017dcefe62b3353f5d072

SHA256
59cd15b79de1562365bc01a891edcfb222bf4143e7e164a6d6bd2a0b73b85982

SHA512
c16a626f8911e09e7979109c7d4ad54e98cd38a0e80c40bc6780b75634b29c82222d9e65246437a04d15aa9b0dfbffb16885d1d8df6b892d9ea84df47a69f663

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
64KB

MD5
7c35536d88e33ebe6fb61d4627f294ba

SHA1
31affbd1e9f924350830b429c94e6c9c41ec12e2

SHA256
f2129fbb5251e50ef6c6f3ac4ea3aec83768c24c58238dcfc9052d410f6bfb3c

SHA512
f7567b5dbe2040b000190044edb1491478ed1d6b0b8d2de19dfffc37bc61e3d3d4c46d45e8a2785670e436b4b5781ddb17db78377c17d8d2c51a5caba89949dc

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
64KB

MD5
e68ad7af6eb5b4c2f79ea54a4f99ee07

SHA1
55bd04637fea337586201ab1341c6624edbe3003

SHA256
71deeb31c70163ba9202efaf4f56dc9cf1678e33d03d7e3d05f413c001e49d7d

SHA512
d02707a1a3ee6446812a22b0f938dd759627fe1d15effb2723ec13d424ba471e81e18fbccc4ce69db5c5de21c898e4af13a3b0296347bec54a41730bf4b99c3e

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
64KB

MD5
54d0c92a1fcb5d358f9a209f06d3ecb0

SHA1
815089111ca132642eff4362c9d9a520022768c5

SHA256
d600d7e9142e9225b33b4587ed86a35cb40fb0e9e6abfeeaad7c9cacca25800b

SHA512
311e612bd25db40781e7fd72d1ce11a4a0ce7598e5cc8dbeaf9d9274d4cd68ae624885b7a3ef13996b738c74ea33cfe751d7e378fbf05e7aa4ddf6b9a8d66e2d

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
64KB

MD5
56c7298653ffec08f657c367108792bc

SHA1
c23ac374f148db59e622509c58e24f93ab25b574

SHA256
cd0bbed42d69608e9e2f9bf8e2748d947ba6ba5d2eb547d345e855d46cbf7be3

SHA512
53dbdc466cd4b326f2e9d620ca6843cdd2578656e40c5978e4f39f41e47b3b06bf69ec345a8dc9a2e53b64d24dc133e1e94859b3edd9622ca137a667d9c959be

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
64KB

MD5
1d6f48eba359871c29fbf027d5c0a228

SHA1
a6c4d21e87dee33e0f1180abacdf5dbc923ab797

SHA256
2c11336551b5a7075f34eb25fdc1fab6ad5014bbff8e2582a3f89617241cb0dd

SHA512
4bd04da0bf42e11e32deb0bfef0039cc6317ae0535f24b7c15b7753a1f5b1b024d2e7580c950ab1eb4d7c2802703b18b08486b4f9d90d5ea2ad7acba72c408e3

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
64KB

MD5
97c36c41659cd9b60022a251e4fd0736

SHA1
533d1ea61b62bf9006dbdcdd02e2e018edfb8c3e

SHA256
94ca81c37c6a7683beecde541b008756165df9aab411bc53057afcebd801779f

SHA512
ed7c30d758d87677129c1ff1198c326f31e88a5a072a941f6128aa11070aa031d9c72678e058835f6b889dba1823337a6f0fe7d071b225458dc7682434c7f1cd

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
64KB

MD5
e54b7d5af64c456840249fa9fa28799f

SHA1
1e93617676cd8ced9c652373d5c27848958ee0df

SHA256
ca311d53d4b699358875fd541829c106c3953573c766ccc2c4a1630df4f16098

SHA512
98bbc6ab8edaa1b029bdf25f2de9cf54028a96ea9b75ffc938c5ec2ffdb19c415a139889e8b1a3757c3910e926cddb880f7da2f0259bc24315be3c384b3a2cf7

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
64KB

MD5
112cee63ba3b171ef7b8367abd81c2f9

SHA1
9fe7746ccfbf67f09ae7cc5eb05cc800c7480d3a

SHA256
8e85fa668b46a573821a83ad2156881839cc61df9f49356023ba8303d3419424

SHA512
a8681a3af7081c6d92fb16e6cc5cfcfe213a8acd689bbfab10f343a29bd3e1f64da9122e1fbce01696363b0ea86a417dc27d635ee56f190549d617f8b50cd0d5

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
64KB

MD5
91d2da7b18a6c5109914e73b94101a86

SHA1
0fb08d023390adce58ce4ce4043fb43b253dc784

SHA256
327cd55a4717edc3043b635971e6ba46ece902299d9f0b25d1033281d4b761d7

SHA512
b3859487ab7637d809d44335bd245596b4debec60fe952b43ef45376d3c7323958825a1ab387685d969993ae4f2c9f51eb1ff29afd7dbad6eaf8f94c164b5456

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
64KB

MD5
8a984898556b4ee1e5653b2245299145

SHA1
5a94b976b8200011782891d97862006d68e25a3b

SHA256
529ddab1eec2a1ed11ac7ad4663ac97a95182d7ebe5c64c0284d4fcf5872cd09

SHA512
0971231975981de3aa1ac68a6e2caac7ea8747a90823962829fcc1a70922bc07f26895fba68b58bdacb7832a0bac9c7ce5a81a9430b18f08071573bdba2312ae

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
64KB

MD5
868b974add16ff03cd21173ed6178616

SHA1
bed8ac5b39df13a88a49b3d161da9be42c9eaf1e

SHA256
38a873616925c0ac1751fa051236a5b255f3a1f7f76969a6cb103d7f8e8619fc

SHA512
4aacf97e3566a702c383860f2b2701fc1761e94d8d93669d655b779811a1836b3115873599082eb43da557dce567e194be22de2697f66e384eb3f0f374752565

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
64KB

MD5
ace748d3488f23f0bfe3bfefed190272

SHA1
f16f777d537f67af992bc83b5152883b1e9bd8d0

SHA256
546cd5c57b1206e6affba963599ab054418925e095d2d51b4551d09b98bae0a6

SHA512
ad1416c16ec056086cb1bc6b618601adee6b392b8108a15e68092d82255d13bc67155f308973f8e67abb1baafec780d7f36e9d7c3f86b463e4db627f5ae17139

Download Submit
memory/32-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/32-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads