ea1de8415a403c6234a8bfb408b94845309f10969ee71bac08178db9ecc98712

Analysis

max time kernel
112s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94aa40d1689a9173adc64281e657b20N.exe
Size

407KB
MD5

b94aa40d1689a9173adc64281e657b20
SHA1

1122414eeefc6a002c6458d356ab5095eb334654
SHA256

ea1de8415a403c6234a8bfb408b94845309f10969ee71bac08178db9ecc98712
SHA512

1fa24e7d35a4048015ba62c6a72688093dfc9402a7aa2bf46556f96a66c95d6ab9f06e3af6c2adcdd49599567850964d1134112dc8e9d98a4d70320bb457462c
SSDEEP

6144:qwxNGTr6ZH5hOpui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:qwxtapV6yYP3pV6yYPg058KpV6yYPS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdghi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b94aa40d1689a9173adc64281e657b20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jigmeagl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmfchfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lheilofe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmbadfdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmkodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbdghi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgmbbkij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgmbbkij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbadfdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpqnpacp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jffddfjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lheilofe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcccglnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b94aa40d1689a9173adc64281e657b20N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Joaebkni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmbeecaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfmfchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lghigl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jffddfjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmdig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joaebkni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmbeecaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfccmini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigmeagl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jepjpajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfccmini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqnpacp.exe

Executes dropped EXE 24 IoCs

pid	Process
2312	Jffddfjk.exe
2156	Jmplqp32.exe
2740	Jbmdig32.exe
2832	Jigmeagl.exe
2752	Joaebkni.exe
2632	Jepjpajn.exe
3064	Kmkodd32.exe
2436	Kfccmini.exe
2684	Kakdpb32.exe
1652	Kmbeecaq.exe
2872	Klgbfo32.exe
1824	Kfmfchfo.exe
1440	Lbdghi32.exe
2420	Lebcdd32.exe
2372	Lojhmjag.exe
2208	Ledpjdid.exe
2480	Lheilofe.exe
2292	Lghigl32.exe
1616	Lmbadfdl.exe
3000	Lpqnpacp.exe
2324	Mgmbbkij.exe
2092	Mlikkbga.exe
1752	Mcccglnn.exe
1780	Mllhpb32.exe

Loads dropped DLL 52 IoCs

pid	Process
2524	b94aa40d1689a9173adc64281e657b20N.exe
2524	b94aa40d1689a9173adc64281e657b20N.exe
2312	Jffddfjk.exe
2312	Jffddfjk.exe
2156	Jmplqp32.exe
2156	Jmplqp32.exe
2740	Jbmdig32.exe
2740	Jbmdig32.exe
2832	Jigmeagl.exe
2832	Jigmeagl.exe
2752	Joaebkni.exe
2752	Joaebkni.exe
2632	Jepjpajn.exe
2632	Jepjpajn.exe
3064	Kmkodd32.exe
3064	Kmkodd32.exe
2436	Kfccmini.exe
2436	Kfccmini.exe
2684	Kakdpb32.exe
2684	Kakdpb32.exe
1652	Kmbeecaq.exe
1652	Kmbeecaq.exe
2872	Klgbfo32.exe
2872	Klgbfo32.exe
1824	Kfmfchfo.exe
1824	Kfmfchfo.exe
1440	Lbdghi32.exe
1440	Lbdghi32.exe
2420	Lebcdd32.exe
2420	Lebcdd32.exe
2372	Lojhmjag.exe
2372	Lojhmjag.exe
2208	Ledpjdid.exe
2208	Ledpjdid.exe
2480	Lheilofe.exe
2480	Lheilofe.exe
2292	Lghigl32.exe
2292	Lghigl32.exe
1616	Lmbadfdl.exe
1616	Lmbadfdl.exe
3000	Lpqnpacp.exe
3000	Lpqnpacp.exe
2324	Mgmbbkij.exe
2324	Mgmbbkij.exe
2092	Mlikkbga.exe
2092	Mlikkbga.exe
1752	Mcccglnn.exe
1752	Mcccglnn.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kakdpb32.exe	Kfccmini.exe
File created	C:\Windows\SysWOW64\Ajnncp32.dll	Kfccmini.exe
File created	C:\Windows\SysWOW64\Kfmfchfo.exe	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Nbnhppoa.dll	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Hialpf32.dll	Lpqnpacp.exe
File created	C:\Windows\SysWOW64\Ihmjnmbc.dll	Joaebkni.exe
File opened for modification	C:\Windows\SysWOW64\Kakdpb32.exe	Kfccmini.exe
File opened for modification	C:\Windows\SysWOW64\Klgbfo32.exe	Kmbeecaq.exe
File created	C:\Windows\SysWOW64\Jcgjno32.dll	Lbdghi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqnpacp.exe	Lmbadfdl.exe
File created	C:\Windows\SysWOW64\Jepjpajn.exe	Joaebkni.exe
File created	C:\Windows\SysWOW64\Kmbeecaq.exe	Kakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdghi32.exe	Kfmfchfo.exe
File created	C:\Windows\SysWOW64\Idmkjp32.dll	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Lmbadfdl.exe	Lghigl32.exe
File created	C:\Windows\SysWOW64\Kfccmini.exe	Kmkodd32.exe
File opened for modification	C:\Windows\SysWOW64\Mllhpb32.exe	Mcccglnn.exe
File opened for modification	C:\Windows\SysWOW64\Jbmdig32.exe	Jmplqp32.exe
File created	C:\Windows\SysWOW64\Lbdghi32.exe	Kfmfchfo.exe
File created	C:\Windows\SysWOW64\Ledpjdid.exe	Lojhmjag.exe
File opened for modification	C:\Windows\SysWOW64\Lmbadfdl.exe	Lghigl32.exe
File created	C:\Windows\SysWOW64\Lpqnpacp.exe	Lmbadfdl.exe
File created	C:\Windows\SysWOW64\Mcccglnn.exe	Mlikkbga.exe
File created	C:\Windows\SysWOW64\Mfmffpjl.dll	b94aa40d1689a9173adc64281e657b20N.exe
File opened for modification	C:\Windows\SysWOW64\Joaebkni.exe	Jigmeagl.exe
File created	C:\Windows\SysWOW64\Aljcblpk.dll	Jigmeagl.exe
File created	C:\Windows\SysWOW64\Kmkodd32.exe	Jepjpajn.exe
File opened for modification	C:\Windows\SysWOW64\Kmbeecaq.exe	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Cdcpdjga.dll	Lghigl32.exe
File created	C:\Windows\SysWOW64\Jffddfjk.exe	b94aa40d1689a9173adc64281e657b20N.exe
File created	C:\Windows\SysWOW64\Jigmeagl.exe	Jbmdig32.exe
File created	C:\Windows\SysWOW64\Klgbfo32.exe	Kmbeecaq.exe
File opened for modification	C:\Windows\SysWOW64\Jmplqp32.exe	Jffddfjk.exe
File created	C:\Windows\SysWOW64\Mfglbp32.dll	Jepjpajn.exe
File created	C:\Windows\SysWOW64\Bmghlppm.dll	Kmbeecaq.exe
File opened for modification	C:\Windows\SysWOW64\Lojhmjag.exe	Lebcdd32.exe
File opened for modification	C:\Windows\SysWOW64\Ledpjdid.exe	Lojhmjag.exe
File opened for modification	C:\Windows\SysWOW64\Mlikkbga.exe	Mgmbbkij.exe
File created	C:\Windows\SysWOW64\Jbmdig32.exe	Jmplqp32.exe
File opened for modification	C:\Windows\SysWOW64\Jepjpajn.exe	Joaebkni.exe
File created	C:\Windows\SysWOW64\Apgkaakf.dll	Kfmfchfo.exe
File created	C:\Windows\SysWOW64\Lojhmjag.exe	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Mgmbbkij.exe	Lpqnpacp.exe
File created	C:\Windows\SysWOW64\Bmjbmidh.dll	Mgmbbkij.exe
File created	C:\Windows\SysWOW64\Bhgjifff.dll	Jmplqp32.exe
File opened for modification	C:\Windows\SysWOW64\Lebcdd32.exe	Lbdghi32.exe
File created	C:\Windows\SysWOW64\Cbbfhncl.dll	Ledpjdid.exe
File created	C:\Windows\SysWOW64\Mlikkbga.exe	Mgmbbkij.exe
File created	C:\Windows\SysWOW64\Kfbhhdep.dll	Jffddfjk.exe
File opened for modification	C:\Windows\SysWOW64\Kmkodd32.exe	Jepjpajn.exe
File created	C:\Windows\SysWOW64\Cfmnepnb.dll	Lheilofe.exe
File opened for modification	C:\Windows\SysWOW64\Mcccglnn.exe	Mlikkbga.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mcccglnn.exe
File created	C:\Windows\SysWOW64\Fkbqmd32.dll	Mcccglnn.exe
File opened for modification	C:\Windows\SysWOW64\Lghigl32.exe	Lheilofe.exe
File created	C:\Windows\SysWOW64\Imqkdcib.dll	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Lghigl32.exe	Lheilofe.exe
File created	C:\Windows\SysWOW64\Jlkqopoi.dll	Lmbadfdl.exe
File opened for modification	C:\Windows\SysWOW64\Jigmeagl.exe	Jbmdig32.exe
File opened for modification	C:\Windows\SysWOW64\Kfccmini.exe	Kmkodd32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmfchfo.exe	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Hbdmij32.dll	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Lheilofe.exe	Ledpjdid.exe
File opened for modification	C:\Windows\SysWOW64\Jffddfjk.exe	b94aa40d1689a9173adc64281e657b20N.exe

Program crash 1 IoCs

pid	pid_target	Process
1624	1780	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledpjdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghigl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmbeecaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdghi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojhmjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgmbbkij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkodd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfccmini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgbfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jigmeagl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqnpacp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jffddfjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbmdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjpajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lheilofe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94aa40d1689a9173adc64281e657b20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcccglnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlikkbga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmplqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joaebkni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmfchfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbadfdl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbdghi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmkodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnhppoa.dll"	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lheilofe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgmbbkij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmghlppm.dll"	Kmbeecaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmkjp32.dll"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajojkjfk.dll"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmij32.dll"	Lojhmjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcpdjga.dll"	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpqnpacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jffddfjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigmeagl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll"	Kfccmini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgmbbkij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Joaebkni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmbadfdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b94aa40d1689a9173adc64281e657b20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjbmidh.dll"	Mgmbbkij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbdghi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpqnpacp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljcblpk.dll"	Jigmeagl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lojhmjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkqopoi.dll"	Lmbadfdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b94aa40d1689a9173adc64281e657b20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfmfchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfccmini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b94aa40d1689a9173adc64281e657b20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgjifff.dll"	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfglbp32.dll"	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbbfhncl.dll"	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmjnmbc.dll"	Joaebkni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfccmini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkdcib.dll"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmbeecaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jffddfjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facfgahm.dll"	Jbmdig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmkodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klgbfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll"	Lbdghi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmnepnb.dll"	Lheilofe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lheilofe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b94aa40d1689a9173adc64281e657b20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmplqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lojhmjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbhhdep.dll"	Jffddfjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmbeecaq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2312	2524	b94aa40d1689a9173adc64281e657b20N.exe	29
PID 2524 wrote to memory of 2312	2524	b94aa40d1689a9173adc64281e657b20N.exe	29
PID 2524 wrote to memory of 2312	2524	b94aa40d1689a9173adc64281e657b20N.exe	29
PID 2524 wrote to memory of 2312	2524	b94aa40d1689a9173adc64281e657b20N.exe	29
PID 2312 wrote to memory of 2156	2312	Jffddfjk.exe	30
PID 2312 wrote to memory of 2156	2312	Jffddfjk.exe	30
PID 2312 wrote to memory of 2156	2312	Jffddfjk.exe	30
PID 2312 wrote to memory of 2156	2312	Jffddfjk.exe	30
PID 2156 wrote to memory of 2740	2156	Jmplqp32.exe	31
PID 2156 wrote to memory of 2740	2156	Jmplqp32.exe	31
PID 2156 wrote to memory of 2740	2156	Jmplqp32.exe	31
PID 2156 wrote to memory of 2740	2156	Jmplqp32.exe	31
PID 2740 wrote to memory of 2832	2740	Jbmdig32.exe	32
PID 2740 wrote to memory of 2832	2740	Jbmdig32.exe	32
PID 2740 wrote to memory of 2832	2740	Jbmdig32.exe	32
PID 2740 wrote to memory of 2832	2740	Jbmdig32.exe	32
PID 2832 wrote to memory of 2752	2832	Jigmeagl.exe	33
PID 2832 wrote to memory of 2752	2832	Jigmeagl.exe	33
PID 2832 wrote to memory of 2752	2832	Jigmeagl.exe	33
PID 2832 wrote to memory of 2752	2832	Jigmeagl.exe	33
PID 2752 wrote to memory of 2632	2752	Joaebkni.exe	34
PID 2752 wrote to memory of 2632	2752	Joaebkni.exe	34
PID 2752 wrote to memory of 2632	2752	Joaebkni.exe	34
PID 2752 wrote to memory of 2632	2752	Joaebkni.exe	34
PID 2632 wrote to memory of 3064	2632	Jepjpajn.exe	35
PID 2632 wrote to memory of 3064	2632	Jepjpajn.exe	35
PID 2632 wrote to memory of 3064	2632	Jepjpajn.exe	35
PID 2632 wrote to memory of 3064	2632	Jepjpajn.exe	35
PID 3064 wrote to memory of 2436	3064	Kmkodd32.exe	36
PID 3064 wrote to memory of 2436	3064	Kmkodd32.exe	36
PID 3064 wrote to memory of 2436	3064	Kmkodd32.exe	36
PID 3064 wrote to memory of 2436	3064	Kmkodd32.exe	36
PID 2436 wrote to memory of 2684	2436	Kfccmini.exe	37
PID 2436 wrote to memory of 2684	2436	Kfccmini.exe	37
PID 2436 wrote to memory of 2684	2436	Kfccmini.exe	37
PID 2436 wrote to memory of 2684	2436	Kfccmini.exe	37
PID 2684 wrote to memory of 1652	2684	Kakdpb32.exe	38
PID 2684 wrote to memory of 1652	2684	Kakdpb32.exe	38
PID 2684 wrote to memory of 1652	2684	Kakdpb32.exe	38
PID 2684 wrote to memory of 1652	2684	Kakdpb32.exe	38
PID 1652 wrote to memory of 2872	1652	Kmbeecaq.exe	39
PID 1652 wrote to memory of 2872	1652	Kmbeecaq.exe	39
PID 1652 wrote to memory of 2872	1652	Kmbeecaq.exe	39
PID 1652 wrote to memory of 2872	1652	Kmbeecaq.exe	39
PID 2872 wrote to memory of 1824	2872	Klgbfo32.exe	40
PID 2872 wrote to memory of 1824	2872	Klgbfo32.exe	40
PID 2872 wrote to memory of 1824	2872	Klgbfo32.exe	40
PID 2872 wrote to memory of 1824	2872	Klgbfo32.exe	40
PID 1824 wrote to memory of 1440	1824	Kfmfchfo.exe	41
PID 1824 wrote to memory of 1440	1824	Kfmfchfo.exe	41
PID 1824 wrote to memory of 1440	1824	Kfmfchfo.exe	41
PID 1824 wrote to memory of 1440	1824	Kfmfchfo.exe	41
PID 1440 wrote to memory of 2420	1440	Lbdghi32.exe	42
PID 1440 wrote to memory of 2420	1440	Lbdghi32.exe	42
PID 1440 wrote to memory of 2420	1440	Lbdghi32.exe	42
PID 1440 wrote to memory of 2420	1440	Lbdghi32.exe	42
PID 2420 wrote to memory of 2372	2420	Lebcdd32.exe	43
PID 2420 wrote to memory of 2372	2420	Lebcdd32.exe	43
PID 2420 wrote to memory of 2372	2420	Lebcdd32.exe	43
PID 2420 wrote to memory of 2372	2420	Lebcdd32.exe	43
PID 2372 wrote to memory of 2208	2372	Lojhmjag.exe	44
PID 2372 wrote to memory of 2208	2372	Lojhmjag.exe	44
PID 2372 wrote to memory of 2208	2372	Lojhmjag.exe	44
PID 2372 wrote to memory of 2208	2372	Lojhmjag.exe	44

C:\Users\Admin\AppData\Local\Temp\b94aa40d1689a9173adc64281e657b20N.exe
"C:\Users\Admin\AppData\Local\Temp\b94aa40d1689a9173adc64281e657b20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Jffddfjk.exe
  C:\Windows\system32\Jffddfjk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Jmplqp32.exe
    C:\Windows\system32\Jmplqp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Jbmdig32.exe
      C:\Windows\system32\Jbmdig32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Jigmeagl.exe
        
        C:\Windows\system32\Jigmeagl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\Joaebkni.exe
        
        C:\Windows\system32\Joaebkni.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Jepjpajn.exe
        
        C:\Windows\system32\Jepjpajn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Kmkodd32.exe
        
        C:\Windows\system32\Kmkodd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Kfccmini.exe
        
        C:\Windows\system32\Kfccmini.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kmbeecaq.exe
        
        C:\Windows\system32\Kmbeecaq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Klgbfo32.exe
        
        C:\Windows\system32\Klgbfo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Kfmfchfo.exe
        
        C:\Windows\system32\Kfmfchfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Lbdghi32.exe
        
        C:\Windows\system32\Lbdghi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lebcdd32.exe
        
        C:\Windows\system32\Lebcdd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Lojhmjag.exe
        
        C:\Windows\system32\Lojhmjag.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ledpjdid.exe
        
        C:\Windows\system32\Ledpjdid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Lheilofe.exe
        
        C:\Windows\system32\Lheilofe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Lghigl32.exe
        
        C:\Windows\system32\Lghigl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Lmbadfdl.exe
        
        C:\Windows\system32\Lmbadfdl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Lpqnpacp.exe
        
        C:\Windows\system32\Lpqnpacp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Mgmbbkij.exe
        
        C:\Windows\system32\Mgmbbkij.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Mlikkbga.exe
        
        C:\Windows\system32\Mlikkbga.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Mcccglnn.exe
        
        C:\Windows\system32\Mcccglnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aljcblpk.dll

Filesize
7KB

MD5
40103412b045a249dcc751f88c92441d

SHA1
5d49f1f2d98aba20d1dadc7da05e282e4641cf34

SHA256
67f43385318e4a9d58bb810f621439741a14540dc96789c41df0b587774980f7

SHA512
39a662f8a0c127ad9f1c8d8c840a3ae6da251ac4c9613ffec9c1550a4557cad9475d1896d6981b8b60ed2a014872469b646721af8383c6bf918bb7999809a546

Download Submit
C:\Windows\SysWOW64\Jepjpajn.exe

Filesize
407KB

MD5
d2f0fed1330550ade9ac7a267b2a0350

SHA1
603099f93d59e77187463b8f0dbd641dace8f4e5

SHA256
e6a9c24f098d5b5784c086b73ca11db9f2d116a4767f5172a860e384b74d4b05

SHA512
0249ddb01d47a4ba4c42ba30c8e2d24334eea4f74db343177f51c6bb0e1f29a1078062006d3363883e79950e4251cfcc2ea0181fad1e7d1f6faaea612f765176

Download Submit
C:\Windows\SysWOW64\Jffddfjk.exe

Filesize
407KB

MD5
cf88d71a49457ac83ff8bf9ebf743f98

SHA1
04c346a892a4ab2fb5ac3e646baca3dad9ab7103

SHA256
33272328908d3037c2fc3deec534b61441eed1ac7d51695ff144d465ace323bc

SHA512
71cf180ce1492fcce87b20aa4bc2efbdc5a80d4578fa21a7ede37d444f4a75411ef76d55391ae94df5f236d8bbdf8b5cce38a2460952b3f69bb225a8add5a7be

Download Submit
C:\Windows\SysWOW64\Jigmeagl.exe

Filesize
407KB

MD5
fb8eb5163524a746cfef7f1785fbdd53

SHA1
dd2b9e60066e43947613280d786cb49949c60c93

SHA256
e70dbbbe0a5bfa5adec62da5c4058f3588cb385230fd9c5b455cc20db3a805b2

SHA512
47c8faadb5757fac65dbe13b8a85a9ed8008295332139314d8e1a1e1757dab8dfc9fed778c3e5b563734c919676125edb0561f6807f10822b4ccffd64f4784c1

Download Submit
C:\Windows\SysWOW64\Jmplqp32.exe

Filesize
407KB

MD5
7b735c75df734c4caa41563c17eeb3d8

SHA1
aea08223ed2d3888553a542001ea277daf4c597c

SHA256
83f796007485564fa73cc149c7d4ad397b2f920a34b7b3affbd196ca9a45a016

SHA512
911d68f589259110dbb60978e0d08fcc354c939b06cebc6cb769cb0945eeaa055b0f17cc1109d6b0f11cae2191ea5de49a59c690d080ad505482cf5a2c91a024

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
407KB

MD5
b0ed40e26e601babce9bdfa701c7a296

SHA1
689926a0d2170f898486f2f798a2f8325ff17da8

SHA256
0586cdba61730aa48c6d5fd935a4ddc6e2714f2983f11d6b455a09742d3f72fe

SHA512
b11becfc07e705895cbd9ffd6c6c4c516efdc90bb57833c625983106ccd93ec3f2162d59086bc22d272ae3e2b47c95d80a6b96e331bf5b3810af2c41f4f6bca7

Download Submit
C:\Windows\SysWOW64\Kfccmini.exe

Filesize
407KB

MD5
fcd2d8559b1a424e0b5aed1ae1c7b66c

SHA1
5988f8a068cc68bc6ec6d26951db5158c1c54b5d

SHA256
6385060a1b82f20593aa542cc1d00d01e10060149d7cf67d23d10e6cc78aff11

SHA512
3d5af8d11349fc4b4cbfa3d4f08036a87093ea21fcd2f87c0269fe2dd4019a447d58c555ee3e4d2dbbc78c14267189c6b7af1a9a5d229873c0002e60d337bb03

Download Submit
C:\Windows\SysWOW64\Kfmfchfo.exe

Filesize
407KB

MD5
4ef265e7ba27398b54c4327f58b24f62

SHA1
86b14ca4fa465e3007f5c4e200cb827019836674

SHA256
262dc6ea75f880b29e99c0ce6860889521b73898ecac6f456b06ad0d820269d1

SHA512
67ae4c548e6064376903b88a2307b5aca833438e474e0e1af8dd5606d7535e3989e43e93bc1eb52350497ea0eef79487c31dfdb627c2e8cfb48e97205bd8f4fc

Download Submit
C:\Windows\SysWOW64\Kmbeecaq.exe

Filesize
407KB

MD5
fdfc37434dce0217dc96b86f2e578b54

SHA1
9fb4ecfbcb467610f844c816f9a37059a75500bf

SHA256
77678d25d209a9ec03aeb8ecbf8b702a20c4738581d9d428b5e81d016b679024

SHA512
bd6f2fde2f797ef92532504603148ef377b298535b0d7280a79ee8e738faf93b75fb3031321831aaaba2d8ad0cdbe3cf36fcbe80fdb5025888cca1798765ab9b

Download Submit
C:\Windows\SysWOW64\Kmkodd32.exe

Filesize
407KB

MD5
60e603b13ff22c5c3fb739a192a8f844

SHA1
d01a13b08f1f3d13f2679223b3782895a1f4f927

SHA256
7bcde7348455ae2a166053e77f87c99d108f82ff8f9d388b4b149f6794d6581c

SHA512
74bc9184bbb847b3dcf4a8487167c2bee32b1eea2cc539b89364988beda3ea51277a414797637bde89de4884702edc450178799d34cd26b6080c102a570f463f

Download Submit
C:\Windows\SysWOW64\Lbdghi32.exe

Filesize
407KB

MD5
2065a7c6ad2554ad0cf8a48df974f9bc

SHA1
34e1818e6716ccf7d499a58addf7a87f96907087

SHA256
a111715e2718abe226fea53da71726f9a60b4c05dee2d25e5e559d83848c239b

SHA512
e5871039ca512e85b6f40cccd202784830dd163ca8b59e814072e1525b0ea59133210937fa8342b9629bed3b8ae80be9ec1241b7f06a6b3b10be93d981133414

Download Submit
C:\Windows\SysWOW64\Lebcdd32.exe

Filesize
407KB

MD5
e88b8087b482840a62576f940f2be8b1

SHA1
21f2125a7cd98c276ffcf5a4a0d90888f8aaae4e

SHA256
45d1a0f7cd142dbf7b20e968ff6d377e8dc7ca869366abb797bf64537fdf98cc

SHA512
1464057664e02e3ba60d7a5676d1461df155fb7088b4216f61c1c33c01b1ffe6d8766d99d1d519db49b3d18deaabb8192c9ca3ca11c61636cfdffe65b2c134a5

Download Submit
C:\Windows\SysWOW64\Ledpjdid.exe

Filesize
407KB

MD5
b79cd7fb53b06180caa7251f124e2b72

SHA1
46ff23567573027f02a6cce11e4853cb0c7541b0

SHA256
4abf30407edc2d948a575c2608c757a20a555b7dfc6095f2002d9ba5c555e5aa

SHA512
8da9eeddef5e293ae2356186ea67f6355f49f61cde2a46cf5c837ee6ae8750a196ec5015222acea29771475c937fe011bc6556c3bdb3f16c5afa911df880e2fd

Download Submit
C:\Windows\SysWOW64\Lghigl32.exe

Filesize
407KB

MD5
20af532b422ed1348b2ba10deb3b8667

SHA1
97ed964873d763f19c064858ba10046a148ed9fb

SHA256
c512630356036a0cd02d390793a3dcd43e3e79f4117fcfd1164a81b6a919e980

SHA512
026a34833d84af7879d9327f055d66df7149ec54fd88d7cb910c9c3790c9827855c4cba957614bf2ce529f30b1b61a5d994b9da91bdc3b18ddc9dbdb8a954e47

Download Submit
C:\Windows\SysWOW64\Lheilofe.exe

Filesize
407KB

MD5
10dd2798adb9fdcd8e09c8e8a19aff42

SHA1
b53b227fd782ca5e7f229ffbc6bc523af8356902

SHA256
798dff6d01d09f58122477178b201a8bd5fbd40f132510eab86658c368558878

SHA512
a6f01dd906d5af3f823ab19502ef95a33be940bfdb9ead3676130ed779ab37e6125c61df82ed17c11f2d6a388d84c52d273a556cc0a3f6b27d09beed314ce281

Download Submit
C:\Windows\SysWOW64\Lmbadfdl.exe

Filesize
407KB

MD5
99fd9c6f561c04652b341f316b948ac3

SHA1
5872d097d882c9e38a966bfca0df582576c78a2c

SHA256
99510e3f1e58551214e678cf82a3579612a9aae2bb7380a753bc6555ea22ef57

SHA512
40968af22c999c5ace0e0239cba606a27b0a8c0b86fbf83cb92fd8ea01a53a39e322b8caad2766d4a8e55f8e56dce006fdbaa20d447e4abce96c65a9da340272

Download Submit
C:\Windows\SysWOW64\Lpqnpacp.exe

Filesize
407KB

MD5
bd8bd75732df8afc39be848e9913dff7

SHA1
14984a00266b837a8137e308ba01e2f128d775dd

SHA256
996e78dc08dcb819cff3030ec0103fd6ee969b6c40aa5f5f903e14775e654e64

SHA512
cf60dc6718aa8c7eed3aeb0ddcaea32e179e3ceff61549acd3b4cfcf79665cb508d094dfb94c01169f8672be0edd542a52d235230a557530f602b97c0a784a5b

Download Submit
C:\Windows\SysWOW64\Mcccglnn.exe

Filesize
407KB

MD5
5c349bcf9a4551777d770d9fd14c54e1

SHA1
9bba2337cb93ddefcc88de0920b69ea63d5e52af

SHA256
0139d17857b56b011e59a9eeb0cc9211be11a8fec1e76223b734f3fe600015ca

SHA512
085ee31d53f2bb85b0564b585dcbc7e2bb28d8de820c7777f703c2046c6040f99d0efdcd9589ba05948804559fdbbe9150c78aa2c4e248d9bbcebba3adb956c7

Download Submit
C:\Windows\SysWOW64\Mgmbbkij.exe

Filesize
407KB

MD5
63c00f9955152c7607a86b6df995a1c7

SHA1
dee6c9f54add0d5117d158a37fa8410e0470e906

SHA256
1daaef0837c40965facda365fc0be632df9ab0deb0c6b0b6d0f078345a66e8b2

SHA512
b2d01f164a7fafd5009b1a0ce8abc1a4e594e58f60f578eb975df6d9a2c2f1dd6bc41a4f1da4b3f599a1f31a6013c7f5bed634acbbec4e05b9278ba86b4e8a44

Download Submit
C:\Windows\SysWOW64\Mlikkbga.exe

Filesize
407KB

MD5
3a9c21f93e29e47d3c0878d8a9cc2145

SHA1
d48bb433cf981394bec9382879efb237d22d4595

SHA256
9a5a4e00271af7ca99e6ec7f1ab2200ddea1eb5eb51d33dce1336662ee97bc6c

SHA512
55581ced4baed4e5d541cb0993bfb02d56aa8d5ea2ea7cad35781d543e9d9e11cdab7b60e8380a6b928fe66433fdc79fc51704ae786d086965b210e3274b14ab

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
407KB

MD5
5cacd269d8375eed339d320043938740

SHA1
da0e0062a45b77d2f81bdb2e78634cd1cf8851a1

SHA256
b2bbf31a89e7e5dad40fe9afaed7980a9e2ee443c75970c73baa321eeb958748

SHA512
88bffc2b352da1f19e2f85a4c7f578b2e0da468d254a0587fe7917a7f1cd90a567fb9fde31ad5b1a1869eb8bc07a1ceb532bdf217138f4c026e36bcb9c1fa024

Download Submit
\Windows\SysWOW64\Jbmdig32.exe

Filesize
407KB

MD5
29e53a30feee7d23a326cfeaa66730fe

SHA1
14f4afa5575c1c0323295bffb40b54b5f6eb54f3

SHA256
9acf852dad036a20011c7c44a83d86751aa8d2e1563eb948588e39f68ef446ca

SHA512
66ba3c38683cc20c6a7de7529afdf0d894b648185e433ef543fe846e28b74b959f217a2125a9cd619fd44723416d98523db6830f8cc750abc2b55a261f43d170

Download Submit
\Windows\SysWOW64\Joaebkni.exe

Filesize
407KB

MD5
c8697736de547c312645714919763860

SHA1
b9e1900cf7243f775af14b7fec1afba72d58bec7

SHA256
c2efeac1aa83b4cf2552f0bee9fb6737a0ad9cc068e96734a2d5179e52e3b1f2

SHA512
0123a5e4ca3ee2deab859f7821f49af2a5d06f06832a54dad85141849d10116a56f7bbf7127abd0f58b89decd7c33bbe396cb614fc0b597f3faafcbbf02c1f67

Download Submit
\Windows\SysWOW64\Klgbfo32.exe

Filesize
407KB

MD5
27af4724ba0018517cfb0186fac7cc89

SHA1
15830767d8a3e42cb409f0a96a669372717f13d9

SHA256
b096d39bb9ab666073d201c67ecb14c19718487d39ebcb0f7418088daa12e35f

SHA512
6ff79f71ead96ce91c196eeb74e778de3734516b427dbe44f64acf2576a0209211f7866254d3f519a950b4fa06e4ac8d9bb8431b5490ff1f3479d09ddcc7b45b

Download Submit
\Windows\SysWOW64\Lojhmjag.exe

Filesize
407KB

MD5
13ac65f2216b1a0a8b623a26e0f618df

SHA1
37d03f1d35d65e1451442a5f0301f93c1ca2a1f1

SHA256
db4ec2c08bad30caf6d9ae75a28bfea6590e1b2c83ce6948ad5afa90cf60231a

SHA512
7c1b207d6fa1626a773d00623b8252d8c0ca7f7b80746a2517f5a9d421a2298158d28c6e9fc6a218c075a3a57ac0dd4cf4f3d4852fdc295a08acb5c5e923e5b3

Download Submit
memory/1440-195-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1440-190-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1440-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-149-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1752-307-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1752-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-180-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2092-293-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2092-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-297-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2156-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-36-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2156-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-234-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2208-235-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2292-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-257-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2292-253-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2292-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-335-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2312-26-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2312-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-283-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2324-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-223-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2372-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-204-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2420-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-125-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2436-119-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2436-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2480-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-246-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2632-97-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2632-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-90-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2684-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-135-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2740-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-352-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2740-49-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2752-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-362-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-63-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2872-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-272-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/3000-276-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/3064-110-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3064-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads