294dd33b758aae64caf14d181c81e4d53178ae64cf81f31a0ae51a5008a27566

Analysis

max time kernel
112s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b8a776376d84cda9033034865204f0N.exe
Size

181KB
MD5

07b8a776376d84cda9033034865204f0
SHA1

99dd97e4d49e348ca8429ce4acb7fa8a1d3533ac
SHA256

294dd33b758aae64caf14d181c81e4d53178ae64cf81f31a0ae51a5008a27566
SHA512

6d7a5d3b419f824215e58f8c23a0b632d0b8fe6d2d442e88730b86133b2c071b7a340d39888e96e3b09f517003646af2fec9c64380df2f281ffe08c5f41989ab
SSDEEP

3072:b3ZibclcQDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOg:lpWo5tTDUZNSN58VU5tT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	07b8a776376d84cda9033034865204f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe

Executes dropped EXE 23 IoCs

pid	Process
2376	Jgjkfi32.exe
2776	Jfmkbebl.exe
2708	Jcqlkjae.exe
2868	Jpgmpk32.exe
2624	Jedehaea.exe
2348	Jnmiag32.exe
2324	Jhenjmbb.exe
2208	Kbjbge32.exe
2460	Keioca32.exe
2840	Kapohbfp.exe
1916	Kekkiq32.exe
2956	Kmfpmc32.exe
948	Khldkllj.exe
2340	Kfodfh32.exe
2008	Kadica32.exe
600	Khnapkjg.exe
1624	Kageia32.exe
1244	Kdeaelok.exe
2928	Kbhbai32.exe
1852	Kkojbf32.exe
2284	Lmmfnb32.exe
2664	Ldgnklmi.exe
776	Lbjofi32.exe

Loads dropped DLL 50 IoCs

pid	Process
2188	07b8a776376d84cda9033034865204f0N.exe
2188	07b8a776376d84cda9033034865204f0N.exe
2376	Jgjkfi32.exe
2376	Jgjkfi32.exe
2776	Jfmkbebl.exe
2776	Jfmkbebl.exe
2708	Jcqlkjae.exe
2708	Jcqlkjae.exe
2868	Jpgmpk32.exe
2868	Jpgmpk32.exe
2624	Jedehaea.exe
2624	Jedehaea.exe
2348	Jnmiag32.exe
2348	Jnmiag32.exe
2324	Jhenjmbb.exe
2324	Jhenjmbb.exe
2208	Kbjbge32.exe
2208	Kbjbge32.exe
2460	Keioca32.exe
2460	Keioca32.exe
2840	Kapohbfp.exe
2840	Kapohbfp.exe
1916	Kekkiq32.exe
1916	Kekkiq32.exe
2956	Kmfpmc32.exe
2956	Kmfpmc32.exe
948	Khldkllj.exe
948	Khldkllj.exe
2340	Kfodfh32.exe
2340	Kfodfh32.exe
2008	Kadica32.exe
2008	Kadica32.exe
600	Khnapkjg.exe
600	Khnapkjg.exe
1624	Kageia32.exe
1624	Kageia32.exe
1244	Kdeaelok.exe
1244	Kdeaelok.exe
2928	Kbhbai32.exe
2928	Kbhbai32.exe
1852	Kkojbf32.exe
1852	Kkojbf32.exe
2284	Lmmfnb32.exe
2284	Lmmfnb32.exe
2664	Ldgnklmi.exe
2664	Ldgnklmi.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Jhenjmbb.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Lpgcln32.dll	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	07b8a776376d84cda9033034865204f0N.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Jmegnj32.dll	Keioca32.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Kapohbfp.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	07b8a776376d84cda9033034865204f0N.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Jgjkfi32.exe	07b8a776376d84cda9033034865204f0N.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kekkiq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	776	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07b8a776376d84cda9033034865204f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	07b8a776376d84cda9033034865204f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll"	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmiag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	07b8a776376d84cda9033034865204f0N.exe	30
PID 2188 wrote to memory of 2376	2188	07b8a776376d84cda9033034865204f0N.exe	30
PID 2188 wrote to memory of 2376	2188	07b8a776376d84cda9033034865204f0N.exe	30
PID 2188 wrote to memory of 2376	2188	07b8a776376d84cda9033034865204f0N.exe	30
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2776 wrote to memory of 2708	2776	Jfmkbebl.exe	32
PID 2776 wrote to memory of 2708	2776	Jfmkbebl.exe	32
PID 2776 wrote to memory of 2708	2776	Jfmkbebl.exe	32
PID 2776 wrote to memory of 2708	2776	Jfmkbebl.exe	32
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2868 wrote to memory of 2624	2868	Jpgmpk32.exe	34
PID 2868 wrote to memory of 2624	2868	Jpgmpk32.exe	34
PID 2868 wrote to memory of 2624	2868	Jpgmpk32.exe	34
PID 2868 wrote to memory of 2624	2868	Jpgmpk32.exe	34
PID 2624 wrote to memory of 2348	2624	Jedehaea.exe	35
PID 2624 wrote to memory of 2348	2624	Jedehaea.exe	35
PID 2624 wrote to memory of 2348	2624	Jedehaea.exe	35
PID 2624 wrote to memory of 2348	2624	Jedehaea.exe	35
PID 2348 wrote to memory of 2324	2348	Jnmiag32.exe	36
PID 2348 wrote to memory of 2324	2348	Jnmiag32.exe	36
PID 2348 wrote to memory of 2324	2348	Jnmiag32.exe	36
PID 2348 wrote to memory of 2324	2348	Jnmiag32.exe	36
PID 2324 wrote to memory of 2208	2324	Jhenjmbb.exe	37
PID 2324 wrote to memory of 2208	2324	Jhenjmbb.exe	37
PID 2324 wrote to memory of 2208	2324	Jhenjmbb.exe	37
PID 2324 wrote to memory of 2208	2324	Jhenjmbb.exe	37
PID 2208 wrote to memory of 2460	2208	Kbjbge32.exe	38
PID 2208 wrote to memory of 2460	2208	Kbjbge32.exe	38
PID 2208 wrote to memory of 2460	2208	Kbjbge32.exe	38
PID 2208 wrote to memory of 2460	2208	Kbjbge32.exe	38
PID 2460 wrote to memory of 2840	2460	Keioca32.exe	39
PID 2460 wrote to memory of 2840	2460	Keioca32.exe	39
PID 2460 wrote to memory of 2840	2460	Keioca32.exe	39
PID 2460 wrote to memory of 2840	2460	Keioca32.exe	39
PID 2840 wrote to memory of 1916	2840	Kapohbfp.exe	40
PID 2840 wrote to memory of 1916	2840	Kapohbfp.exe	40
PID 2840 wrote to memory of 1916	2840	Kapohbfp.exe	40
PID 2840 wrote to memory of 1916	2840	Kapohbfp.exe	40
PID 1916 wrote to memory of 2956	1916	Kekkiq32.exe	41
PID 1916 wrote to memory of 2956	1916	Kekkiq32.exe	41
PID 1916 wrote to memory of 2956	1916	Kekkiq32.exe	41
PID 1916 wrote to memory of 2956	1916	Kekkiq32.exe	41
PID 2956 wrote to memory of 948	2956	Kmfpmc32.exe	42
PID 2956 wrote to memory of 948	2956	Kmfpmc32.exe	42
PID 2956 wrote to memory of 948	2956	Kmfpmc32.exe	42
PID 2956 wrote to memory of 948	2956	Kmfpmc32.exe	42
PID 948 wrote to memory of 2340	948	Khldkllj.exe	43
PID 948 wrote to memory of 2340	948	Khldkllj.exe	43
PID 948 wrote to memory of 2340	948	Khldkllj.exe	43
PID 948 wrote to memory of 2340	948	Khldkllj.exe	43
PID 2340 wrote to memory of 2008	2340	Kfodfh32.exe	44
PID 2340 wrote to memory of 2008	2340	Kfodfh32.exe	44
PID 2340 wrote to memory of 2008	2340	Kfodfh32.exe	44
PID 2340 wrote to memory of 2008	2340	Kfodfh32.exe	44
PID 2008 wrote to memory of 600	2008	Kadica32.exe	45
PID 2008 wrote to memory of 600	2008	Kadica32.exe	45
PID 2008 wrote to memory of 600	2008	Kadica32.exe	45
PID 2008 wrote to memory of 600	2008	Kadica32.exe	45

C:\Users\Admin\AppData\Local\Temp\07b8a776376d84cda9033034865204f0N.exe
"C:\Users\Admin\AppData\Local\Temp\07b8a776376d84cda9033034865204f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jgjkfi32.exe
  C:\Windows\system32\Jgjkfi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jfmkbebl.exe
    C:\Windows\system32\Jfmkbebl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jcqlkjae.exe
      C:\Windows\system32\Jcqlkjae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
181KB

MD5
708088281206d4abac467ac4df31951c

SHA1
32fc3c0d661ef89cd67b366fc00b4919b6c452b0

SHA256
b0d8817ecb83a1c9f3bca8d5de18ab670ab1ecfbdc693eb4504431a08aa47e5f

SHA512
b22d7e85ed2fc2ffbeafc525c353c25d799b71bed105cdaef23d9cd7baf9fcf217c7f0e982da27367ec4ddb953f8c475e56baea35e6ec1d8ff62e22f2e6f0c59

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
181KB

MD5
733e1e414cd416dc34de54bdca4806c9

SHA1
d6ae5e6971979d9c2a9b915edf52f32e8c03b9df

SHA256
8f84288ca9171721163ed2f8824d354fd828196fe7fe603c1f3c46c667dc9cf4

SHA512
1e669cfb589ee5929a85fe5d4b3e793e2dc2970374b254768d438dd5f01a96a4308b1513082ca788748adea4f0eabb8e6ff128285539103fad8d2d8533163d79

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
181KB

MD5
ba96470434b362e46a611a502f4bd0ff

SHA1
fd9e8b6a83dde552630fd503a3ceca2352cd7d71

SHA256
7e0432a16fe20443fe8b932c98b00da94520c9d72d2c5c506ecde45891451961

SHA512
760a20c0a4c08df3c0bfa275f9a979e2fb0f11b805431c7527a85229dfd7bc743fc1d878aecab9e766a7b7a3d6e90c8188e91f2e32db6098ca96a56db0e4af63

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
181KB

MD5
415bb11bbb223d0a6db5bc84b31cba1f

SHA1
cb0be3625b2d6265663e04debb94eebad6fd8d6c

SHA256
18e368eb6f4bccec4081d7b53488728cd3fc184c86aecae988011cc1eb27aade

SHA512
d22fb78a0460a0e23b6e7ee71ff00b52a9540f1f643a11c9f24a0c9c39319423bcd8ee5382d3c1b7b7da2a3bd02450e0b897bc0d325a796bc058968e6edde9bf

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
181KB

MD5
ab471ef317d529db247a33da014480e5

SHA1
cd98190faeff88fa3736d4a01a60cb2c2a78fdc6

SHA256
44f533edd9edbbc1b164d237188137272b8dec9bd4a66f402a9470220d91b718

SHA512
f70f8fa0b9e8883071ea465397a9c9cb0f86b469bf7f7dc0cf8cbc16c8f81bb90d6127d9d135d0fc08e2015e7393d1bdafe1123a6ba5ae1eee3fe83f281ebf9d

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
181KB

MD5
54ea4e5d49f8a9d4e6698169a055f0e7

SHA1
e42d5cac5768d966fc3c9d5bab7752ab0cea00c8

SHA256
96cce459a10a61b677da161e02846369b8487429e092f6cc1306fe2d4f736e8a

SHA512
1f870f8e029f37062dd3c5350ce9ce75f285d2f11e3f16b064fb4996a4bd9f1c6b844c786614c3d5c1952ebec794dbc409aa041203de710436f006190309d5d5

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
181KB

MD5
348a14999db76c480cdbd24c412f86e5

SHA1
05f1e90016bda4e71cbb5ba3a756d5d759b2f63f

SHA256
06996bc4da90d30dab551e2c6dbefdef01be9549d812151a184d4b472a64bd4a

SHA512
501a5659a9647c8edd841955b1186b1aec57404e2f90f8f60a9c34fc35caed5b1f070fbc75c9377bd60e5a1ce585dc597159d80da31015b7c05f5f2887d4dfd8

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
181KB

MD5
4f0225d1f5dd703fcb5804e24d513ec7

SHA1
7d7d2d0e4b4266d0a9c35f55d12837688f3792cd

SHA256
dd8ba6e58b5f3a4c60a46363dedd0d71a73d3d5c3e2761dfaa7e6362236cad0f

SHA512
e582b56bdf6f0ca2fd5a169d062897652aed2a3551ed9c66d62276ef50ab6ba9ba665b06643d181d3673082d1ad66c093020e942b3fa38a5427cf0e9aaf1be04

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
181KB

MD5
53323d5d070eeef8ceef003736b56d1f

SHA1
02ccb5fe32d77e1732e016890d6d7b77e332232b

SHA256
02f18b7cbe496a6f26710dde14b6038d71501aa721d0a6af87c3be6f1433655e

SHA512
270a16f9b892509dc1a40292047f20d8963a33538dc80dcae979cdb40a9b2f34a8e2841be3d78450e9de48e026d269509b8e565f2139920c479d2a69906734c0

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
181KB

MD5
febc595f3c17caf485cc147f56e59945

SHA1
4b51a5398d4dc7f77191e1303fa06633e399b444

SHA256
2791479d1f4ad64180fa151a36023478e9938251752955bd190c4c4e71c404c7

SHA512
81d006369717a5032728895f7f17b90716ce040d73fe077c44ec8377c9ed69babc77b077b38db7152411a830ce7e75c7a6a2d6509b5e2cce60cdaf3d7b27d43a

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
181KB

MD5
65d9bfb639db1ebe2d7cdbb448b03554

SHA1
63511b32b5e12a7c9b4b78a637181486399299fe

SHA256
5946340fd81de5fbf0227d387347c08d9996b79890f512c143ed583565ce6c4d

SHA512
a7e2962547f0a628e093f795a2aaca7e161023eb62b5117e1c2e3c8db2e036b45b249a79a3a2a254170e902b42532f6adf8cf25e83c325efcb544b0416717cf2

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
181KB

MD5
7c75bba2a16ba56dfd0a5576db9da7a4

SHA1
57059f6b12c8417c40ecabe9b7ea09a123df9657

SHA256
d5b6b210af005e4a023e46765abd17c2f023960dd62c92eaee5152aa930a7d9f

SHA512
d6c2948f576517c0e3b2965cb98f21575fdec78d4d03782bd324ac4aff0f5b44e00ece12fa6bc84d06d57fcbfe9b4e13897bdd3424d1b4f6b59771043b29c5d7

Download Submit
\Windows\SysWOW64\Jhenjmbb.exe

Filesize
181KB

MD5
5c668aa8fc00f862d0d3ea2d5c53e554

SHA1
50d65fd2a8e31d8e83bab6a673cb0778df5e4fff

SHA256
cb2d14816c46cfa66198bbc0e73f16ed18005089f0e11e777c807d022b18ef3e

SHA512
502ada15fac52c0a37bd84334fb63eebabee38c5c9411c1f3432aae29517e8f1df70cb69414e83f96415f31b1cd2e8fca14e5bf17317af9162e54003a479753e

Download Submit
\Windows\SysWOW64\Jnmiag32.exe

Filesize
181KB

MD5
983c9025ccf34d07eb4ba15f54cd0818

SHA1
ab906c1c952bff42c0cbee04b6945d7b27a746d5

SHA256
d483dc2d7c8989a0cafc28efdcd3e2cff14848100fb59ee0266e554806d10dbb

SHA512
55d2c0d087728babc1fd9001b4203add2cf28917c891dd796cd3b4b30909466c42e2e71af2da48962646043d8a1f9f4c330c9482c0de1a58c2acedf643773b65

Download Submit
\Windows\SysWOW64\Jpgmpk32.exe

Filesize
181KB

MD5
64e18e30dbf21fcfdfb90afdbf3a3919

SHA1
4576b59fe6523cdadcc8950cb829cfd5279bf494

SHA256
a0fb67f57ac5269a5f8c8a7b2a677cf4c405271a4049cfd3557fdb59e61e308a

SHA512
bc11bd88b348a5716668e128d42d76ae953fcc2a900b4310111ddd4ad0fcfee36853e86277eb5a449b080220fa7d1b6334a894a9d80501c502c968fa8ed587fc

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
181KB

MD5
0f44a67470563678cacdaa2d1df3a3fb

SHA1
c2c08f2b7726a9bb9d8080d6fb294215733b5190

SHA256
a14067c8014fd746da5bbd5af408592aedf0028c10548b277c0268cbc2793643

SHA512
28b1bd150658581eb8fdccbd4382acc70e741f8978ec73767e59827f3ee1bf0d52a3b531dae7fb04cc9924b2106fab0586c479ad9dad306b57ee133de5be20a5

Download Submit
\Windows\SysWOW64\Kapohbfp.exe

Filesize
181KB

MD5
5f342cd92f382a2246e71e2638a7827c

SHA1
c1c35487e53fa6b75f1b38e658ba38f5c8975ef3

SHA256
e39bf5d93bb388737abd994b96fd6377a8cd0db19a13880779c092117754e633

SHA512
32c011e763c1993d722cc968fcb0a79c8a56c0c38e2b0a461d9b0b468e8af91f8cccd63f614f86da28f1eb7152946d2e9bdf86cc1441553f1be340bd566286bb

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
181KB

MD5
3c26e667f828b69468ca63a7a9777686

SHA1
524a62fea634bed29702357cb90779b2967af6e9

SHA256
2f238d6e6a04c5ce2173fe3d59f0f9c148b46f409259ee4d35b43f6d7f43ca51

SHA512
8e3e9439cd816336bf4e6825bd13d3f51939bdf23acd01c1ef0932aa3c5c9cb7727c21927528e0c2e09d4654a933bc951743c66c429dd6a8ad1dc9dbebd3e64a

Download Submit
\Windows\SysWOW64\Kekkiq32.exe

Filesize
181KB

MD5
b229cd3bacf89e70afaffc9ed7f7f86c

SHA1
ed659fc775153f530a60ae27a0a72a404c306d40

SHA256
ef8f3bdd650444c5436b85e21956d7aebd587104c9121876e94cc9066e378ba4

SHA512
ad7d6e39f88da8c77feecbe2befd8998ae3ae805bc2799d9a4b22fcff55722e47caf1e74956dddaa7ea7686fb7d06a824ab514dad8cb5af49be9de7d4a3a843a

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
181KB

MD5
9afdab4b90e21f41eec5acccfc5d9219

SHA1
924d5dbb91c67e80099d31b141691aff7f6e4463

SHA256
9aa57cbfd6ea1fb9658999b94620cbe150c12e8f59c366631567ed22c8352e07

SHA512
615d3b0e73a91373b19f20d9a890bcd9da415974e48d40123581728e1182d8c8023158f3ef1457f903f4ca698eaa71ebe67f0566cc09d63d2999a49376f17179

Download Submit
\Windows\SysWOW64\Khldkllj.exe

Filesize
181KB

MD5
12c7e222a882f1932ffb3378183fc5c6

SHA1
29dd75262658b028162c3cc4df548c781b821d8c

SHA256
5419d31687d96231fbea602b81fdbf4a0681520e849802b8e470f012079ae27c

SHA512
cf64a7998910cc1cb11d039cbf9470ca5eee208198b359c5dace258449b16d428aa6508dfed1bfe62d28561f7b69b29ac1c22dbc68cbfb177b13c156a65ff497

Download Submit
\Windows\SysWOW64\Khnapkjg.exe

Filesize
181KB

MD5
6d885429653712f6ef7bc12327af2be5

SHA1
223f2c8fa5ff63019ae7a4279fad7a0ebee2c19c

SHA256
a6ff4ac760f509386e4f0c954ad9191815969fdb5ea48f75ab6cf4a317072082

SHA512
aace3cedaf26410f40a017df788186f6394dbe42e65749b06ba238ac2b4b2d3afef54dd48b1d41f1588841a21e4ae646fab2c3fd6ad3c4b594a07489128dca44

Download Submit
\Windows\SysWOW64\Kmfpmc32.exe

Filesize
181KB

MD5
8397b4f5f2f9d189324cfc6e7882554b

SHA1
9ea80b8c53af286bea45653b8d40e1e1d8fd3210

SHA256
24d1f420bf6824bef7ea152356f580fc467b4582d92aa454fc4eeade6294f22e

SHA512
fe0f75efcab31d77dd4a672799805d46e51ace96ecfb1f2878dc09459ff4bea2dcd02532d1417604dd161ae8ce105d311688198f8dec887e2590da2eaa2f971f

Download Submit
memory/600-226-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/600-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-186-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/948-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-235-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1624-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-268-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1852-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-163-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1916-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-214-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2008-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2188-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-336-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2188-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2188-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-123-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2284-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-205-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2348-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-26-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2376-337-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2460-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-82-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2624-81-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2624-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-49-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2708-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-41-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2840-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-150-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2868-68-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2868-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-258-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2928-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-254-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2956-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-178-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads