3f882c6eff09d96c946bdf27075a88ab5fcba249d755a31c92526b549b6ca1f4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b02d59912b7fa6861f07842e5078860N.exe
Size

448KB
MD5

7b02d59912b7fa6861f07842e5078860
SHA1

df406edcc7836c3d445e1b0ba3486d19f0f621f0
SHA256

3f882c6eff09d96c946bdf27075a88ab5fcba249d755a31c92526b549b6ca1f4
SHA512

9202032d73e27f0b9a311c7cfb2a2bd84d209236f294f19df3fc1e165009bacce287857b36198ec40d42239d23da1a317b04b3f5cbd8cfbd42084a83abffee6b
SSDEEP

6144:mYSlQDrKPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:mYQQf/NcZ7/NC64tm6Y

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7b02d59912b7fa6861f07842e5078860N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7b02d59912b7fa6861f07842e5078860N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe

Executes dropped EXE 22 IoCs

pid	Process
2796	Hgciff32.exe
2248	Hjaeba32.exe
2912	Hqkmplen.exe
2576	Ifmocb32.exe
2204	Iebldo32.exe
600	Iogpag32.exe
2972	Icifjk32.exe
2828	Ieibdnnp.exe
792	Jpbcek32.exe
1988	Jjhgbd32.exe
1968	Jpgmpk32.exe
592	Jedehaea.exe
2532	Jplfkjbd.exe
1128	Kbjbge32.exe
1684	Klecfkff.exe
2096	Kablnadm.exe
996	Kdbepm32.exe
2644	Kkmmlgik.exe
1724	Kbhbai32.exe
2480	Kkojbf32.exe
2308	Lmmfnb32.exe
2332	Lbjofi32.exe

Loads dropped DLL 44 IoCs

pid	Process
2264	7b02d59912b7fa6861f07842e5078860N.exe
2264	7b02d59912b7fa6861f07842e5078860N.exe
2796	Hgciff32.exe
2796	Hgciff32.exe
2248	Hjaeba32.exe
2248	Hjaeba32.exe
2912	Hqkmplen.exe
2912	Hqkmplen.exe
2576	Ifmocb32.exe
2576	Ifmocb32.exe
2204	Iebldo32.exe
2204	Iebldo32.exe
600	Iogpag32.exe
600	Iogpag32.exe
2972	Icifjk32.exe
2972	Icifjk32.exe
2828	Ieibdnnp.exe
2828	Ieibdnnp.exe
792	Jpbcek32.exe
792	Jpbcek32.exe
1988	Jjhgbd32.exe
1988	Jjhgbd32.exe
1968	Jpgmpk32.exe
1968	Jpgmpk32.exe
592	Jedehaea.exe
592	Jedehaea.exe
2532	Jplfkjbd.exe
2532	Jplfkjbd.exe
1128	Kbjbge32.exe
1128	Kbjbge32.exe
1684	Klecfkff.exe
1684	Klecfkff.exe
2096	Kablnadm.exe
2096	Kablnadm.exe
996	Kdbepm32.exe
996	Kdbepm32.exe
2644	Kkmmlgik.exe
2644	Kkmmlgik.exe
1724	Kbhbai32.exe
1724	Kbhbai32.exe
2480	Kkojbf32.exe
2480	Kkojbf32.exe
2308	Lmmfnb32.exe
2308	Lmmfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgciff32.exe	7b02d59912b7fa6861f07842e5078860N.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Iebldo32.exe
File created	C:\Windows\SysWOW64\Omfpmb32.dll	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Lpfhdddb.dll	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Gbmhafee.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmocb32.exe	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Lbfchlee.dll	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Iebldo32.exe	Ifmocb32.exe
File opened for modification	C:\Windows\SysWOW64\Icifjk32.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Hqkmplen.exe	Hjaeba32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kjcijlpq.dll	Hgciff32.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Jfmgba32.dll	Hjaeba32.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Hgciff32.exe	7b02d59912b7fa6861f07842e5078860N.exe
File created	C:\Windows\SysWOW64\Hjaeba32.exe	Hgciff32.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Iebldo32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Icifjk32.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Hqkmplen.exe	Hjaeba32.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Ggegqe32.dll	7b02d59912b7fa6861f07842e5078860N.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Icifjk32.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Icifjk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Iogpag32.exe	Iebldo32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Ifmocb32.exe	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Icifjk32.exe	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kablnadm.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b02d59912b7fa6861f07842e5078860N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaeba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgciff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll"	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggegqe32.dll"	7b02d59912b7fa6861f07842e5078860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhdddb.dll"	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgciff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhafee.dll"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll"	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7b02d59912b7fa6861f07842e5078860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7b02d59912b7fa6861f07842e5078860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7b02d59912b7fa6861f07842e5078860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjaeba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7b02d59912b7fa6861f07842e5078860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7b02d59912b7fa6861f07842e5078860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jpbcek32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2796	2264	7b02d59912b7fa6861f07842e5078860N.exe	30
PID 2264 wrote to memory of 2796	2264	7b02d59912b7fa6861f07842e5078860N.exe	30
PID 2264 wrote to memory of 2796	2264	7b02d59912b7fa6861f07842e5078860N.exe	30
PID 2264 wrote to memory of 2796	2264	7b02d59912b7fa6861f07842e5078860N.exe	30
PID 2796 wrote to memory of 2248	2796	Hgciff32.exe	31
PID 2796 wrote to memory of 2248	2796	Hgciff32.exe	31
PID 2796 wrote to memory of 2248	2796	Hgciff32.exe	31
PID 2796 wrote to memory of 2248	2796	Hgciff32.exe	31
PID 2248 wrote to memory of 2912	2248	Hjaeba32.exe	32
PID 2248 wrote to memory of 2912	2248	Hjaeba32.exe	32
PID 2248 wrote to memory of 2912	2248	Hjaeba32.exe	32
PID 2248 wrote to memory of 2912	2248	Hjaeba32.exe	32
PID 2912 wrote to memory of 2576	2912	Hqkmplen.exe	33
PID 2912 wrote to memory of 2576	2912	Hqkmplen.exe	33
PID 2912 wrote to memory of 2576	2912	Hqkmplen.exe	33
PID 2912 wrote to memory of 2576	2912	Hqkmplen.exe	33
PID 2576 wrote to memory of 2204	2576	Ifmocb32.exe	34
PID 2576 wrote to memory of 2204	2576	Ifmocb32.exe	34
PID 2576 wrote to memory of 2204	2576	Ifmocb32.exe	34
PID 2576 wrote to memory of 2204	2576	Ifmocb32.exe	34
PID 2204 wrote to memory of 600	2204	Iebldo32.exe	35
PID 2204 wrote to memory of 600	2204	Iebldo32.exe	35
PID 2204 wrote to memory of 600	2204	Iebldo32.exe	35
PID 2204 wrote to memory of 600	2204	Iebldo32.exe	35
PID 600 wrote to memory of 2972	600	Iogpag32.exe	36
PID 600 wrote to memory of 2972	600	Iogpag32.exe	36
PID 600 wrote to memory of 2972	600	Iogpag32.exe	36
PID 600 wrote to memory of 2972	600	Iogpag32.exe	36
PID 2972 wrote to memory of 2828	2972	Icifjk32.exe	37
PID 2972 wrote to memory of 2828	2972	Icifjk32.exe	37
PID 2972 wrote to memory of 2828	2972	Icifjk32.exe	37
PID 2972 wrote to memory of 2828	2972	Icifjk32.exe	37
PID 2828 wrote to memory of 792	2828	Ieibdnnp.exe	38
PID 2828 wrote to memory of 792	2828	Ieibdnnp.exe	38
PID 2828 wrote to memory of 792	2828	Ieibdnnp.exe	38
PID 2828 wrote to memory of 792	2828	Ieibdnnp.exe	38
PID 792 wrote to memory of 1988	792	Jpbcek32.exe	39
PID 792 wrote to memory of 1988	792	Jpbcek32.exe	39
PID 792 wrote to memory of 1988	792	Jpbcek32.exe	39
PID 792 wrote to memory of 1988	792	Jpbcek32.exe	39
PID 1988 wrote to memory of 1968	1988	Jjhgbd32.exe	40
PID 1988 wrote to memory of 1968	1988	Jjhgbd32.exe	40
PID 1988 wrote to memory of 1968	1988	Jjhgbd32.exe	40
PID 1988 wrote to memory of 1968	1988	Jjhgbd32.exe	40
PID 1968 wrote to memory of 592	1968	Jpgmpk32.exe	41
PID 1968 wrote to memory of 592	1968	Jpgmpk32.exe	41
PID 1968 wrote to memory of 592	1968	Jpgmpk32.exe	41
PID 1968 wrote to memory of 592	1968	Jpgmpk32.exe	41
PID 592 wrote to memory of 2532	592	Jedehaea.exe	42
PID 592 wrote to memory of 2532	592	Jedehaea.exe	42
PID 592 wrote to memory of 2532	592	Jedehaea.exe	42
PID 592 wrote to memory of 2532	592	Jedehaea.exe	42
PID 2532 wrote to memory of 1128	2532	Jplfkjbd.exe	43
PID 2532 wrote to memory of 1128	2532	Jplfkjbd.exe	43
PID 2532 wrote to memory of 1128	2532	Jplfkjbd.exe	43
PID 2532 wrote to memory of 1128	2532	Jplfkjbd.exe	43
PID 1128 wrote to memory of 1684	1128	Kbjbge32.exe	44
PID 1128 wrote to memory of 1684	1128	Kbjbge32.exe	44
PID 1128 wrote to memory of 1684	1128	Kbjbge32.exe	44
PID 1128 wrote to memory of 1684	1128	Kbjbge32.exe	44
PID 1684 wrote to memory of 2096	1684	Klecfkff.exe	45
PID 1684 wrote to memory of 2096	1684	Klecfkff.exe	45
PID 1684 wrote to memory of 2096	1684	Klecfkff.exe	45
PID 1684 wrote to memory of 2096	1684	Klecfkff.exe	45

C:\Users\Admin\AppData\Local\Temp\7b02d59912b7fa6861f07842e5078860N.exe
"C:\Users\Admin\AppData\Local\Temp\7b02d59912b7fa6861f07842e5078860N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\Hgciff32.exe
  C:\Windows\system32\Hgciff32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Hjaeba32.exe
    C:\Windows\system32\Hjaeba32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Hqkmplen.exe
      C:\Windows\system32\Hqkmplen.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hjaeba32.exe

Filesize
448KB

MD5
c92272598d4a87ac7b50bdb238cdf80b

SHA1
bc4e36031e95a63a3481bd812fd4828f27908035

SHA256
1db7278733a301a376ac2b59728f75b6ca5cc04620f8cf0c0440c695b7c6532a

SHA512
bd703bd6c297ba9bec52d335bbad2ed4e41877b99e12215a2956b46046086c1b2db28a4be8623e1a2c87b12174faf25a97f27298f5121a46f0002bbf44becdb9

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
448KB

MD5
70d7060620fda90f5f11f6aa9c447564

SHA1
f0ec378ea4c0bbeea94b146f605250738afe9e5c

SHA256
348a696d11bb6882e513c1ffc1cdbb6a0c77277b8fcd1fb0ffd384bc94774a46

SHA512
d7171594c19b1b0445b801afbd331ee3fab15d0850a2a909a50e4dec599c50113d12e413d9767885e30ecd30c6cd371819c9c02e06cc45da16651eee71e9e968

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
448KB

MD5
185093a494622b6c43ebb908c63e2f67

SHA1
be395a59af9f5992e5db69277fba4e47e4eee978

SHA256
028017180fe0c7696bcd0a4e518a865bb1bce3798e9e68bd95a53d18dd0d0521

SHA512
d36e9a4311039d5c5dcccb8f114f2724e86502643e23e7dac43fb591606c4beb965e896321fb82b47c279e4519a87c9c136a9b8cb15ceecc340bbd2096878639

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
448KB

MD5
6a25f976279f7b3038a6fe94eae8423e

SHA1
bfb5ec0171285a1150cee24613b07b1cfacfa4dc

SHA256
d5ee548b74584d343027fcc3e352311390439a0f113d73d53394d32312a77e75

SHA512
439fe1c99449bdad74c86b291ee188acb51a1d69ca9659d50551bc87e3304208ecd25593fe26e93030aed0c4d0008158fdcde6c0aa7c9e4383b080e2a18b896a

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
448KB

MD5
c20ab6bb5bc6adcb265c243e4cc5bbee

SHA1
fc4f734f9c4e5abe4d2795734965ddb4c55ce3af

SHA256
26b552a7a27bdf240c35ae750279bd0762ca36d90f681c8311b27871df40aa58

SHA512
d49b3b065ec5ce09fa55bec0513818f0c18beda6fee478e4f9e6d7bd8f7016f3c74f726e60594aac779b2bb5e8d458453fff4619143c55e9419733f1da1054a8

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
448KB

MD5
e4b3cb4ebb98529b11ce78e4ef753324

SHA1
7ec2c180b0512cb4229e0a8c45579b0727512a57

SHA256
0614fcc09e57edc9eb451a8fce6a7ddfc81cefa4c93a0705374017d898d0a83f

SHA512
a07eaef88b1de2fce702f48db0e243f655d9bcf9b6dd79d71d336559f6433c7dfd7baae6f81b083a979475c3abb13079f10fb27a6f796944ff0447d1658ccce2

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
448KB

MD5
0f4442d7890e990595612f35686b11c0

SHA1
41dbb4e56ca983ce9903550a97349935befe490d

SHA256
a22fe9e5abc0a430b09396c6a6dcb97bdb2b8a0d78c96b7bd8bcd031b1468453

SHA512
669f118ea9a9a3668a3525cfd449e81c75f8986afdf7b09cdb20883d84c45023ea89057f6cc920bb4ef208af5cad9508c86ec52ea7bf522e8b1d15d768c0156f

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
448KB

MD5
056eff11556a881f06afeec305b2f665

SHA1
dccf46364e7144c317b5be53d4e46190b9f1457c

SHA256
197fe39eed74ba591ae8943e7c80cc0498fbfacc14e85804b8284c6a1baa274e

SHA512
ca70b81ba68ab39dc296d762dd716268daf1d55be39a82a35c1b690a208357ecac19d2c453a16c6ec1097fd99838d0b59cf72cb852b03bfec4096a3a5592a857

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
448KB

MD5
08d4ee5f0a3e3f76e12bf1cc902f2346

SHA1
2464342dcee148fc47cada6d2c95fc43860b1abb

SHA256
0cad0bb5231f8adb73fb5aa53ef15f26e257cb9962da2449be3e0fc2f1f1449e

SHA512
e7daebcd610a916ecfc3db5a8cb36f3d73a9d933944c444ce59e038169e09d9c7c05fef9d9dd9cafad0cc1f49bb2ecbc0b1c1a5aa29620c4441f2ecb53d68334

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
448KB

MD5
68beb666f8820bcecafdcc1c514b3dd1

SHA1
6dc34269d81587e07c3554b5a25c38ee588faec1

SHA256
3cea07d97eafeec59e7c580097c8ae80dacd6e26b55b6ea2b472e724098e59fc

SHA512
0633104ee62906adb7b790357a96ea5801c69860fd6c7e838d84a021a168e1c724847800f83357c2901d89ba84d0e4291f74a0155bbae3cfd2cbd8720bbe0aa5

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
448KB

MD5
6b76d9f01eecb34a48cf34bfcbba896e

SHA1
4bb137cb39ce3c276a6a7556eb69ef49ba0fb9d7

SHA256
f2b78a8f861653953e4dd501c0c72f2b90ad62a217801c821f486ce2d100b861

SHA512
51863228e9fe59be23b14513ca204eae56bd46a2b082dc93fbad48ba061926bf988e251853bcb3c78917fca1a4e15b78967ee0ea8947fd1d4684f55f2c2b084a

Download Submit
\Windows\SysWOW64\Hgciff32.exe

Filesize
448KB

MD5
6c8eed776c7896f0ddfe4146dac25dd8

SHA1
1308db5451adcf538fa3e4eb5dec7c5b735f765e

SHA256
b56c18dca8e26e71c731344d0a951851941fd5d0cb60b54c529f0af65c08b366

SHA512
2cb7340e49685991752a2c72a01cef8b08805f0c610b5841f2c21d84f29864c4ac1dc8bba4c4b56d53e18d0f9121dd047ef95eb8b43fb6ef732de535028e6a51

Download Submit
\Windows\SysWOW64\Hqkmplen.exe

Filesize
448KB

MD5
2adacdb5088f7608e2a65926c12bb087

SHA1
b28233a21ccd6d45c6f029d514ded24f6f05b632

SHA256
c5f6e31122437ea929212eaf174cc5bbcc439e72987c0f4a06cbfb29c4c044bf

SHA512
33d098ec2b5530526461cb796d5527cad4d8d9f879a384d741cfcf7c8d08b648dbb24646edd036433ecd1945b48b05f27ddec59cf18d467ea8dad7fb8005ca60

Download Submit
\Windows\SysWOW64\Icifjk32.exe

Filesize
448KB

MD5
bde12bb06eb3268c938553953bf8d47a

SHA1
0b8f5b37ee6e1519bc16d95099d8fdae1046ab88

SHA256
7ccd123b6e51d3f4dff88492d149374e00d99fccfea8dcfd5bdaef55cab5330c

SHA512
15288e14aa8d7834532da4314e0fc439846f9dd865e67d7f0d7fb0602a0a083d82da14606db6b087ffd276618f5aee4be181012e4a899bae104aa192ea3a4f20

Download Submit
\Windows\SysWOW64\Iebldo32.exe

Filesize
448KB

MD5
89c8694a59fa34286f5d1b2393b97761

SHA1
ad72778bf8e13e3948477a807544bfac8ec02b8a

SHA256
f1681b397dc7095ad28f91e6cdf2eaffe986ec860149febae93fda132ac7189f

SHA512
4a99056e3ca1b7d45f5e0db4b9dab7e8b58f814fa2ede48555ece0585847552151863d27b926f63cb9cf11cea753894378dc51825d8aa27c81657cd65b9f4f10

Download Submit
\Windows\SysWOW64\Ieibdnnp.exe

Filesize
448KB

MD5
cdb58822588f9ea7db9fc4cdcdaa57c6

SHA1
fbcc0e4c5bbef95fb4654ada5d1a580c07c6af12

SHA256
e031e6ff4862e6b00bab1269cbcf7c20c5bf9b491a313453f8c24bfd03f0bbfa

SHA512
741faa17e7410fd03cf1b338eb3d4bb757be47c7817fe1fd88eafa906a776d12bec310b8f0af7ea41dcc9ef5085bc0cf332dde1fd6ecab4a5860f9fdb614600a

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
448KB

MD5
d863c872891fdab58796947aaeadde7f

SHA1
d62f127be30a992fb94bd21e108b38447e0749a5

SHA256
61dc91255f64a19f6dfff909deb35f88e79cf414e8552506ac56093c1874eed3

SHA512
b42474342d406bccffaf4035b846fd0bd6cfe991ae363a574478be32a73438e927f27f832a6597494763d024d4a98150c69eaec01def7a7aef9b7f822b34b402

Download Submit
\Windows\SysWOW64\Jpbcek32.exe

Filesize
448KB

MD5
981f2f7e49d306f3d1b60a6c82948ed7

SHA1
c402c2d1881f34512c643db75355b03fe991b122

SHA256
dec6a4206f1f5036c254c2f9803d0e00400ef41872aba03b3977403480b48f2b

SHA512
422ca232892e009dfab18f036b86036ef7e4f56f75f633e80ea0d6238778ede57d1e17077edd3fcc9293ec26ffb5140e747b8e436b61b6e7ee43c5a8c6d2dea7

Download Submit
\Windows\SysWOW64\Jpgmpk32.exe

Filesize
448KB

MD5
4cf028eb4293301551cddadb35d70edf

SHA1
0710ecd873ed8fe3b6c81462ea1b65bb8f373273

SHA256
bf08b674b923fddcc0787510f141aa0ab3bd93ed91a2b77dd996cb812838dbaa

SHA512
6011e37c4990a8e42a06ddaf0539ed7d741a3bb49de3160ce53cece875dd645f39ac8f001a3581901d994db2de509f61b7fb3e3a9bc6ca1beebd1d270671f7f6

Download Submit
\Windows\SysWOW64\Jplfkjbd.exe

Filesize
448KB

MD5
4bba9adb7a2b23ace296f1a048ec303e

SHA1
0ab3b87f98d5c68245f2d2a8ccb8ef582b832404

SHA256
2e57dbdb6930d7d5ee2b793ad86ce6fe96de6b3fb452fe5b011d05b9da6dcaf8

SHA512
efa9f072ce24ff34ef0b292a7759f088a92a80aba8b03af469107b593daae0a8aaff9b4fef22ea31391bd7f028e12f4fe85f35cbc38d82da87e3236071fcb037

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
448KB

MD5
a7715fa4c251f54ffa1bfc030b1b9816

SHA1
28a7b47eac2dc28997ba01dca440fdf21500019f

SHA256
c4d53e726e841e5035d596b7ff3ebb9cd6a3fdbb3a907caa9d28a151f8bec09b

SHA512
946ce2a21ce5215da52f91725bac53a550022ac9862300b4f340af80892be73bc2a4c89f0e93e6724b0d79acac7f3effc7bfe91464d985e9d377753f261dc8fe

Download Submit
\Windows\SysWOW64\Klecfkff.exe

Filesize
448KB

MD5
6ab91fc120f2774be6349b86d2380765

SHA1
cdee36db63db91eb0b18b90405e4c5a4ef5b8c62

SHA256
76884ce8d59bf397bdf27fa6f6c18ebf5d4573a220309f51130367c419a4c4f4

SHA512
b5095e5d6ced9e7aa1a8f8098029202be346765761eceacbfc00d1b9ff3daba4b1ee3a5574c2e900c46a3509b64ff1737a3b963431fe01e0001e3d1e13e6b68e

Download Submit
memory/592-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-181-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/592-176-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/600-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/600-92-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/600-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-138-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/792-137-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/792-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-243-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/996-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-202-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1128-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-220-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1684-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-262-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1724-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-166-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1968-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-147-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2096-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-229-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2096-233-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2204-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-83-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2204-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-36-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2248-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2264-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2308-282-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2308-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-269-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2532-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-64-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/2576-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-250-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2644-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-27-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2796-26-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2796-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-119-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2828-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-54-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2912-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-55-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2972-106-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2972-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads