a92e969b52c1c84ca99a949c3f92e74a725030feec886aafc6d2e2aedc20886c

Analysis

max time kernel
148s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
Size

2.3MB
MD5

0d7a787355d2f1ecb90885df072efcef
SHA1

ace88584859f06e03040b4851fd7a0871f3dc5e9
SHA256

a92e969b52c1c84ca99a949c3f92e74a725030feec886aafc6d2e2aedc20886c
SHA512

395ad105056928bead911a095c150f0972f678115931539549a013cef62edeab2fd7afcad68a738fb6702034262dae56f0b9fe3e5b25bb2ab5aab12c4bfba21b
SSDEEP

49152:1bxLX3lOLrEABY33hIkcNSkCBK1AW9sby1RbsXWQ:JxLX//cRCBQA/X

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 49 IoCs

pid	Process
1436	tpnG4aQH6W7R9Tq.exe
536	ACekBzDob.exe
2352	ZYCekIBrzNx1v2b.exe
780	VL9gTZqjYeIrOyA.exe
3640	dD2onF4am5W7E8T.exe
2308	rBrzPNycAuDoFpH.exe
4556	yqjUCekIBzNx1v2.exe
4228	x4amH6sWKfLgXj.exe
4064	YP0ycA1iv3n4m.exe
4592	qbD3pnG5aHdKfLh.exe
4960	ZibD3pnG4Q6W7R9.exe
4860	wOBtxP0yc1b3n4Q.exe
1960	WRZ9hYXwjVlBz0c.exe
400	hucS2ibF3n5Q6W8.exe
3496	klONtxP0uSiDpGa.exe
3248	iBtxP0ucSi.exe
4896	Q6dEK8gRZhXkVlB.exe
3904	GaQJ6dEK8R.exe
5112	FpnG5aQJ6W8R9Tw.exe
3840	GH6dWK8fR9.exe
3284	r4aQH6dWKfLhXjC.exe
636	e3onG4aQHsKfLgX.exe
2988	G0ycS1ivDoGaHsK.exe
4532	YwjUVelIBz0c1v3.exe
4504	rbD3pnG5aHdKfLh.exe
116	grlOBtxP0c1b3n.exe
4872	q9hYXwkUVlBx0c1.exe
2780	W5aQJ6dEKfZhXjV.exe
4316	BS2ibF3pn5Q6W8R.exe
2308	C5aQH6dWKfLhXj.exe
3412	sRZqhYXwkVlBx0c.exe
1852	l5sQJ6dEKgZhXkV.exe
460	mvS2ibF3pGaJdKf.exe
976	WONtxA0uc2b3n5Q.exe
60	s7dEL8gRZhCkVlN.exe
4064	fpmG5sQJ7E8RqYw.exe
2140	PsQJ6dEK8R9YwU.exe
2716	YjYCwkIVrOtAuSi.exe
4284	SJ7dEL8gTqYwIrO.exe
3144	obF4pmH5sJ7E8Rq.exe
1280	zrzONyxA1v2b4m5.exe
4948	rWJ7fEL9gZjCkVz.exe
388	SNycA1ivDo.exe
4196	SRL9hTXqjClBzNc.exe
1372	p0ycS1ibDoGaHsK.exe
4744	YUVelOBtz0c1v3n.exe
4580	sJ6dWK8fR9TwUe.exe
4088	eUVrlONtx0c2b3n.exe
2136	IJ7dEK8gRqYwUrO.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\J6sWJ7fEL8234A = "C:\\Windows\\system32\\YP0ycA1iv3n4m.exe"	x4amH6sWKfLgXj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QD3pnG4aQ6W7R9T8234A = "C:\\Windows\\system32\\iBtxP0ucSi.exe"	klONtxP0uSiDpGa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BxP0ycS1iDoGaHs8234A = "C:\\Windows\\system32\\Q6dEK8gRZhXkVlB.exe"	iBtxP0ucSi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCelIBtzPy8234A = "C:\\Windows\\system32\\C5aQH6dWKfLhXj.exe"	BS2ibF3pn5Q6W8R.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GlOBtxP0ySiDoGa8234A = "C:\\Windows\\system32\\l5sQJ6dEKgZhXkV.exe"	sRZqhYXwkVlBx0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IxP0ucS2iDpGaHd8234A = "C:\\Windows\\system32\\s7dEL8gRZhCkVlN.exe"	WONtxA0uc2b3n5Q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yF4amH5sW7E8TqY8234A = "C:\\Windows\\system32\\SNycA1ivDo.exe"	rWJ7fEL9gZjCkVz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msWJ7dEL8TqYw8234A = "C:\\Windows\\system32\\rBrzPNycAuDoFpH.exe"	dD2onF4am5W7E8T.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\m5aQH6dWKfLhXjC8234A = "C:\\Windows\\system32\\eUVrlONtx0c2b3n.exe"	sJ6dWK8fR9TwUe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\o1uvD2onFpHsJdL8234A = "C:\\Windows\\system32\\SRL9hTXqjClBzNc.exe"	SNycA1ivDo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FH6dWK8fR9TwUeI8234A = "C:\\Windows\\system32\\klONtxP0uSiDpGa.exe"	hucS2ibF3n5Q6W8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfEL9gTXqYeIrOy8234A = "C:\\Windows\\system32\\G0ycS1ivDoGaHsK.exe"	e3onG4aQHsKfLgX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bbD3onG4aHsKfL8234A = "C:\\Windows\\system32\\q9hYXwkUVlBx0c1.exe"	grlOBtxP0c1b3n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\melOBtxP0c8234A = "C:\\Windows\\system32\\PsQJ6dEK8R9YwU.exe"	fpmG5sQJ7E8RqYw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e4amH6sWKfLgXj8234A = "C:\\Windows\\system32\\YUVelOBtz0c1v3n.exe"	p0ycS1ibDoGaHsK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wIBtzP0yc18234A = "C:\\Windows\\system32\\sJ6dWK8fR9TwUe.exe"	YUVelOBtz0c1v3n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttxP0ucS1b3n4Q68234A = "C:\\Windows\\system32\\IJ7dEK8gRqYwUrO.exe"	eUVrlONtx0c2b3n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zuvS2obF3m5Q6E88234A = "C:\\Windows\\system32\\VL9gTZqjYeIrOyA.exe"	ZYCekIBrzNx1v2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jTXqjUCelBzNc1v8234A = "C:\\Windows\\system32\\ZibD3pnG4Q6W7R9.exe"	qbD3pnG5aHdKfLh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BlOBtzP0ySiDo8234A = "C:\\Windows\\system32\\W5aQJ6dEKfZhXjV.exe"	q9hYXwkUVlBx0c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxA0ucS2b3n5Q68234A = "C:\\Windows\\system32\\SJ7dEL8gTqYwIrO.exe"	YjYCwkIVrOtAuSi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QUCelIBrzNc1v2n8234A = "C:\\Windows\\system32\\tpnG4aQH6W7R9Tq.exe"	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CZ9hYXwjUeOtPyS8234A = "C:\\Windows\\system32\\mvS2ibF3pGaJdKf.exe"	l5sQJ6dEKgZhXkV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HQJ7dEK8gZhXkVl8234A = "C:\\Windows\\system32\\zrzONyxA1v2b4m5.exe"	obF4pmH5sJ7E8Rq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YfRL9gTXqUeIr8234A = "C:\\Windows\\system32\\p0ycS1ibDoGaHsK.exe"	SRL9hTXqjClBzNc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B1ivD3onGaHsKfL8234A = "C:\\Windows\\system32\\WRZ9hYXwjVlBz0c.exe"	wOBtxP0yc1b3n4Q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OqjYCwkIVzNx08234A = "C:\\Windows\\system32\\dD2onF4am5W7E8T.exe"	VL9gTZqjYeIrOyA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\njUCekIBrPyAuDo8234A = "C:\\Windows\\system32\\e3onG4aQHsKfLgX.exe"	r4aQH6dWKfLhXjC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t4aQH6dWKf8234A = "C:\\Windows\\system32\\grlOBtxP0c1b3n.exe"	rbD3pnG5aHdKfLh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\k4pmG5sQJdKgZh8234A = "C:\\Windows\\system32\\ZYCekIBrzNx1v2b.exe"	ACekBzDob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SRZ9hTXwjVlBz8234A = "C:\\Windows\\system32\\hucS2ibF3n5Q6W8.exe"	WRZ9hYXwjVlBz0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\o9hYXwjUVlBz0c18234A = "C:\\Windows\\system32\\GaQJ6dEK8R.exe"	Q6dEK8gRZhXkVlB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B6dWK8fRZhXjVlB8234A = "C:\\Windows\\system32\\WONtxA0uc2b3n5Q.exe"	mvS2ibF3pGaJdKf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mNyxA0uvSoFpG8234A = "C:\\Windows\\system32\\rWJ7fEL9gZjCkVz.exe"	zrzONyxA1v2b4m5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sCekIBrzOyA8234A = "C:\\Windows\\system32\\x4amH6sWKfLgXj.exe"	yqjUCekIBzNx1v2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b6sWK7fRLgXjCkB8234A = "C:\\Windows\\system32\\wOBtxP0yc1b3n4Q.exe"	ZibD3pnG4Q6W7R9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oTXwjUCelBzNc1v8234A = "C:\\Windows\\system32\\GH6dWK8fR9.exe"	FpnG5aQJ6W8R9Tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QlIBrzPNyAuDoF8234A = "C:\\Windows\\system32\\r4aQH6dWKfLhXjC.exe"	GH6dWK8fR9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mXwjUCelItPyA8234A = "C:\\Windows\\system32\\rbD3pnG5aHdKfLh.exe"	YwjUVelIBz0c1v3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\x9hTXwjUVlBz0c8234A = "C:\\Windows\\system32\\BS2ibF3pn5Q6W8R.exe"	W5aQJ6dEKfZhXjV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PUVrlOBtx0c1b3n8234A = "C:\\Windows\\system32\\fpmG5sQJ7E8RqYw.exe"	s7dEL8gRZhCkVlN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hYCwkUVrlNx0c2b8234A = "C:\\Windows\\system32\\obF4pmH5sJ7E8Rq.exe"	SJ7dEL8gTqYwIrO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\i4pmH5sQJdLgZhC8234A = "C:\\Windows\\system32\\ACekBzDob.exe"	tpnG4aQH6W7R9Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vXwjUCelItPyA8234A = "C:\\Windows\\system32\\qbD3pnG5aHdKfLh.exe"	YP0ycA1iv3n4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aUVelIBtz0c1v8234A = "C:\\Windows\\system32\\FpnG5aQJ6W8R9Tw.exe"	GaQJ6dEK8R.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\enF4amH6sJfLgZj8234A = "C:\\Windows\\system32\\YwjUVelIBz0c1v3.exe"	G0ycS1ivDoGaHsK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\I1ibD3pnGaHdKfL8234A = "C:\\Windows\\system32\\sRZqhYXwkVlBx0c.exe"	C5aQH6dWKfLhXj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eF3pmG5aQ6E8R9Y8234A = "C:\\Windows\\system32\\YjYCwkIVrOtAuSi.exe"	PsQJ6dEK8R9YwU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WbF4pmH5sJdLgZh8234A = "C:\\Windows\\system32\\yqjUCekIBzNx1v2.exe"	rBrzPNycAuDoFpH.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fpmG5sQJ7E8RqYw.exe	s7dEL8gRZhCkVlN.exe
File created	C:\Windows\SysWOW64\p0ycS1ibDoGaHsK.exe	SRL9hTXqjClBzNc.exe
File created	C:\Windows\SysWOW64\sJ6dWK8fR9TwUe.exe	YUVelOBtz0c1v3n.exe
File created	C:\Windows\SysWOW64\yqjUCekIBzNx1v2.exe	rBrzPNycAuDoFpH.exe
File created	C:\Windows\SysWOW64\GH6dWK8fR9.exe	FpnG5aQJ6W8R9Tw.exe
File created	C:\Windows\SysWOW64\G0ycS1ivDoGaHsK.exe	e3onG4aQHsKfLgX.exe
File created	C:\Windows\SysWOW64\WONtxA0uc2b3n5Q.exe	mvS2ibF3pGaJdKf.exe
File created	C:\Windows\SysWOW64\q9hYXwkUVlBx0c1.exe	grlOBtxP0c1b3n.exe
File created	C:\Windows\SysWOW64\SNycA1ivDo.exe	rWJ7fEL9gZjCkVz.exe
File created	C:\Windows\SysWOW64\eUVrlONtx0c2b3n.exe	sJ6dWK8fR9TwUe.exe
File created	C:\Windows\SysWOW64\ZibD3pnG4Q6W7R9.exe	qbD3pnG5aHdKfLh.exe
File created	C:\Windows\SysWOW64\Q6dEK8gRZhXkVlB.exe	iBtxP0ucSi.exe
File created	C:\Windows\SysWOW64\GaQJ6dEK8R.exe	Q6dEK8gRZhXkVlB.exe
File created	C:\Windows\SysWOW64\rbD3pnG5aHdKfLh.exe	YwjUVelIBz0c1v3.exe
File created	C:\Windows\SysWOW64\VL9gTZqjYeIrOyA.exe	ZYCekIBrzNx1v2b.exe
File created	C:\Windows\SysWOW64\x4amH6sWKfLgXj.exe	yqjUCekIBzNx1v2.exe
File created	C:\Windows\SysWOW64\SJ7dEL8gTqYwIrO.exe	YjYCwkIVrOtAuSi.exe
File created	C:\Windows\SysWOW64\zrzONyxA1v2b4m5.exe	obF4pmH5sJ7E8Rq.exe
File created	C:\Windows\SysWOW64\grlOBtxP0c1b3n.exe	rbD3pnG5aHdKfLh.exe
File created	C:\Windows\SysWOW64\W5aQJ6dEKfZhXjV.exe	q9hYXwkUVlBx0c1.exe
File created	C:\Windows\SysWOW64\BS2ibF3pn5Q6W8R.exe	W5aQJ6dEKfZhXjV.exe
File created	C:\Windows\SysWOW64\rWJ7fEL9gZjCkVz.exe	zrzONyxA1v2b4m5.exe
File created	C:\Windows\SysWOW64\YP0ycA1iv3n4m.exe	x4amH6sWKfLgXj.exe
File created	C:\Windows\SysWOW64\klONtxP0uSiDpGa.exe	hucS2ibF3n5Q6W8.exe
File created	C:\Windows\SysWOW64\iBtxP0ucSi.exe	klONtxP0uSiDpGa.exe
File created	C:\Windows\SysWOW64\FpnG5aQJ6W8R9Tw.exe	GaQJ6dEK8R.exe
File created	C:\Windows\SysWOW64\YUVelOBtz0c1v3n.exe	p0ycS1ibDoGaHsK.exe
File created	C:\Windows\SysWOW64\IJ7dEK8gRqYwUrO.exe	eUVrlONtx0c2b3n.exe
File created	C:\Windows\SysWOW64\PsQJ6dEK8R9YwU.exe	fpmG5sQJ7E8RqYw.exe
File created	C:\Windows\SysWOW64\SRL9hTXqjClBzNc.exe	SNycA1ivDo.exe
File created	C:\Windows\SysWOW64\rBrzPNycAuDoFpH.exe	dD2onF4am5W7E8T.exe
File created	C:\Windows\SysWOW64\YwjUVelIBz0c1v3.exe	G0ycS1ivDoGaHsK.exe
File created	C:\Windows\SysWOW64\C5aQH6dWKfLhXj.exe	BS2ibF3pn5Q6W8R.exe
File created	C:\Windows\SysWOW64\l5sQJ6dEKgZhXkV.exe	sRZqhYXwkVlBx0c.exe
File created	C:\Windows\SysWOW64\tpnG4aQH6W7R9Tq.exe	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ACekBzDob.exe	tpnG4aQH6W7R9Tq.exe
File created	C:\Windows\SysWOW64\r4aQH6dWKfLhXjC.exe	GH6dWK8fR9.exe
File created	C:\Windows\SysWOW64\e3onG4aQHsKfLgX.exe	r4aQH6dWKfLhXjC.exe
File created	C:\Windows\SysWOW64\wOBtxP0yc1b3n4Q.exe	ZibD3pnG4Q6W7R9.exe
File created	C:\Windows\SysWOW64\WRZ9hYXwjVlBz0c.exe	wOBtxP0yc1b3n4Q.exe
File created	C:\Windows\SysWOW64\hucS2ibF3n5Q6W8.exe	WRZ9hYXwjVlBz0c.exe
File created	C:\Windows\SysWOW64\s7dEL8gRZhCkVlN.exe	WONtxA0uc2b3n5Q.exe
File created	C:\Windows\SysWOW64\mvS2ibF3pGaJdKf.exe	l5sQJ6dEKgZhXkV.exe
File created	C:\Windows\SysWOW64\YjYCwkIVrOtAuSi.exe	PsQJ6dEK8R9YwU.exe
File created	C:\Windows\SysWOW64\obF4pmH5sJ7E8Rq.exe	SJ7dEL8gTqYwIrO.exe
File created	C:\Windows\SysWOW64\ZYCekIBrzNx1v2b.exe	ACekBzDob.exe
File created	C:\Windows\SysWOW64\dD2onF4am5W7E8T.exe	VL9gTZqjYeIrOyA.exe
File created	C:\Windows\SysWOW64\qbD3pnG5aHdKfLh.exe	YP0ycA1iv3n4m.exe
File created	C:\Windows\SysWOW64\sRZqhYXwkVlBx0c.exe	C5aQH6dWKfLhXj.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1464-1-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1464-2-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1464-8-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1436-10-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1436-11-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1436-17-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/536-25-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2352-30-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/780-36-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3640-42-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2308-48-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4556-54-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4228-60-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4064-66-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4592-72-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4960-78-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4860-84-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1960-90-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/400-96-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3496-102-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3248-108-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4896-114-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3904-120-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/5112-126-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3840-132-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3284-138-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/636-144-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2988-150-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4532-156-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4504-162-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/116-168-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4872-174-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2780-180-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4316-186-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2308-192-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3412-198-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1852-203-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/460-207-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/976-211-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/60-215-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4064-219-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2140-223-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/2716-227-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4284-231-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/3144-235-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1280-239-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4948-243-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/388-247-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4196-251-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/1372-255-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4744-259-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4580-263-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral2/memory/4088-267-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l5sQJ6dEKgZhXkV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvS2ibF3pGaJdKf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s7dEL8gRZhCkVlN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p0ycS1ibDoGaHsK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YjYCwkIVrOtAuSi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZYCekIBrzNx1v2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VL9gTZqjYeIrOyA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Q6dEK8gRZhXkVlB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YwjUVelIBz0c1v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grlOBtxP0c1b3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SJ7dEL8gTqYwIrO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrzONyxA1v2b4m5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dD2onF4am5W7E8T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rBrzPNycAuDoFpH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G0ycS1ivDoGaHsK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbD3pnG5aHdKfLh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fpmG5sQJ7E8RqYw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3onG4aQHsKfLgX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W5aQJ6dEKfZhXjV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C5aQH6dWKfLhXj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpnG4aQH6W7R9Tq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACekBzDob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqjUCekIBzNx1v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hucS2ibF3n5Q6W8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FpnG5aQJ6W8R9Tw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IJ7dEK8gRqYwUrO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRL9hTXqjClBzNc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sJ6dWK8fR9TwUe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GaQJ6dEK8R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r4aQH6dWKfLhXjC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BS2ibF3pn5Q6W8R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WONtxA0uc2b3n5Q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obF4pmH5sJ7E8Rq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4amH6sWKfLgXj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZibD3pnG4Q6W7R9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YUVelOBtz0c1v3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsQJ6dEK8R9YwU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eUVrlONtx0c2b3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YP0ycA1iv3n4m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WRZ9hYXwjVlBz0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klONtxP0uSiDpGa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iBtxP0ucSi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q9hYXwkUVlBx0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SNycA1ivDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbD3pnG5aHdKfLh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wOBtxP0yc1b3n4Q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GH6dWK8fR9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sRZqhYXwkVlBx0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rWJ7fEL9gZjCkVz.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
1464	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
1436	tpnG4aQH6W7R9Tq.exe
536	ACekBzDob.exe
2352	ZYCekIBrzNx1v2b.exe
780	VL9gTZqjYeIrOyA.exe
3640	dD2onF4am5W7E8T.exe
2308	rBrzPNycAuDoFpH.exe
4556	yqjUCekIBzNx1v2.exe
4228	x4amH6sWKfLgXj.exe
4064	YP0ycA1iv3n4m.exe
4592	qbD3pnG5aHdKfLh.exe
4960	ZibD3pnG4Q6W7R9.exe
4860	wOBtxP0yc1b3n4Q.exe
1960	WRZ9hYXwjVlBz0c.exe
400	hucS2ibF3n5Q6W8.exe
3496	klONtxP0uSiDpGa.exe
3248	iBtxP0ucSi.exe
4896	Q6dEK8gRZhXkVlB.exe
3904	GaQJ6dEK8R.exe
5112	FpnG5aQJ6W8R9Tw.exe
3840	GH6dWK8fR9.exe
3284	r4aQH6dWKfLhXjC.exe
636	e3onG4aQHsKfLgX.exe
2988	G0ycS1ivDoGaHsK.exe
4532	YwjUVelIBz0c1v3.exe
4504	rbD3pnG5aHdKfLh.exe
116	grlOBtxP0c1b3n.exe
4872	q9hYXwkUVlBx0c1.exe
2780	W5aQJ6dEKfZhXjV.exe
4316	BS2ibF3pn5Q6W8R.exe
2308	C5aQH6dWKfLhXj.exe
3412	sRZqhYXwkVlBx0c.exe
1852	l5sQJ6dEKgZhXkV.exe
460	mvS2ibF3pGaJdKf.exe
976	WONtxA0uc2b3n5Q.exe
60	s7dEL8gRZhCkVlN.exe
4064	fpmG5sQJ7E8RqYw.exe
2140	PsQJ6dEK8R9YwU.exe
2716	YjYCwkIVrOtAuSi.exe
4284	SJ7dEL8gTqYwIrO.exe
3144	obF4pmH5sJ7E8Rq.exe
1280	zrzONyxA1v2b4m5.exe
4948	rWJ7fEL9gZjCkVz.exe
388	SNycA1ivDo.exe
4196	SRL9hTXqjClBzNc.exe
1372	p0ycS1ibDoGaHsK.exe
4744	YUVelOBtz0c1v3n.exe
4580	sJ6dWK8fR9TwUe.exe
4088	eUVrlONtx0c2b3n.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1436	1464	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe	82
PID 1464 wrote to memory of 1436	1464	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe	82
PID 1464 wrote to memory of 1436	1464	0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe	82
PID 1436 wrote to memory of 536	1436	tpnG4aQH6W7R9Tq.exe	83
PID 1436 wrote to memory of 536	1436	tpnG4aQH6W7R9Tq.exe	83
PID 1436 wrote to memory of 536	1436	tpnG4aQH6W7R9Tq.exe	83
PID 536 wrote to memory of 2352	536	ACekBzDob.exe	84
PID 536 wrote to memory of 2352	536	ACekBzDob.exe	84
PID 536 wrote to memory of 2352	536	ACekBzDob.exe	84
PID 2352 wrote to memory of 780	2352	ZYCekIBrzNx1v2b.exe	85
PID 2352 wrote to memory of 780	2352	ZYCekIBrzNx1v2b.exe	85
PID 2352 wrote to memory of 780	2352	ZYCekIBrzNx1v2b.exe	85
PID 780 wrote to memory of 3640	780	VL9gTZqjYeIrOyA.exe	88
PID 780 wrote to memory of 3640	780	VL9gTZqjYeIrOyA.exe	88
PID 780 wrote to memory of 3640	780	VL9gTZqjYeIrOyA.exe	88
PID 3640 wrote to memory of 2308	3640	dD2onF4am5W7E8T.exe	91
PID 3640 wrote to memory of 2308	3640	dD2onF4am5W7E8T.exe	91
PID 3640 wrote to memory of 2308	3640	dD2onF4am5W7E8T.exe	91
PID 2308 wrote to memory of 4556	2308	rBrzPNycAuDoFpH.exe	93
PID 2308 wrote to memory of 4556	2308	rBrzPNycAuDoFpH.exe	93
PID 2308 wrote to memory of 4556	2308	rBrzPNycAuDoFpH.exe	93
PID 4556 wrote to memory of 4228	4556	yqjUCekIBzNx1v2.exe	96
PID 4556 wrote to memory of 4228	4556	yqjUCekIBzNx1v2.exe	96
PID 4556 wrote to memory of 4228	4556	yqjUCekIBzNx1v2.exe	96
PID 4228 wrote to memory of 4064	4228	x4amH6sWKfLgXj.exe	97
PID 4228 wrote to memory of 4064	4228	x4amH6sWKfLgXj.exe	97
PID 4228 wrote to memory of 4064	4228	x4amH6sWKfLgXj.exe	97
PID 4064 wrote to memory of 4592	4064	YP0ycA1iv3n4m.exe	99
PID 4064 wrote to memory of 4592	4064	YP0ycA1iv3n4m.exe	99
PID 4064 wrote to memory of 4592	4064	YP0ycA1iv3n4m.exe	99
PID 4592 wrote to memory of 4960	4592	qbD3pnG5aHdKfLh.exe	100
PID 4592 wrote to memory of 4960	4592	qbD3pnG5aHdKfLh.exe	100
PID 4592 wrote to memory of 4960	4592	qbD3pnG5aHdKfLh.exe	100
PID 4960 wrote to memory of 4860	4960	ZibD3pnG4Q6W7R9.exe	101
PID 4960 wrote to memory of 4860	4960	ZibD3pnG4Q6W7R9.exe	101
PID 4960 wrote to memory of 4860	4960	ZibD3pnG4Q6W7R9.exe	101
PID 4860 wrote to memory of 1960	4860	wOBtxP0yc1b3n4Q.exe	102
PID 4860 wrote to memory of 1960	4860	wOBtxP0yc1b3n4Q.exe	102
PID 4860 wrote to memory of 1960	4860	wOBtxP0yc1b3n4Q.exe	102
PID 1960 wrote to memory of 400	1960	WRZ9hYXwjVlBz0c.exe	103
PID 1960 wrote to memory of 400	1960	WRZ9hYXwjVlBz0c.exe	103
PID 1960 wrote to memory of 400	1960	WRZ9hYXwjVlBz0c.exe	103
PID 400 wrote to memory of 3496	400	hucS2ibF3n5Q6W8.exe	104
PID 400 wrote to memory of 3496	400	hucS2ibF3n5Q6W8.exe	104
PID 400 wrote to memory of 3496	400	hucS2ibF3n5Q6W8.exe	104
PID 3496 wrote to memory of 3248	3496	klONtxP0uSiDpGa.exe	105
PID 3496 wrote to memory of 3248	3496	klONtxP0uSiDpGa.exe	105
PID 3496 wrote to memory of 3248	3496	klONtxP0uSiDpGa.exe	105
PID 3248 wrote to memory of 4896	3248	iBtxP0ucSi.exe	106
PID 3248 wrote to memory of 4896	3248	iBtxP0ucSi.exe	106
PID 3248 wrote to memory of 4896	3248	iBtxP0ucSi.exe	106
PID 4896 wrote to memory of 3904	4896	Q6dEK8gRZhXkVlB.exe	107
PID 4896 wrote to memory of 3904	4896	Q6dEK8gRZhXkVlB.exe	107
PID 4896 wrote to memory of 3904	4896	Q6dEK8gRZhXkVlB.exe	107
PID 3904 wrote to memory of 5112	3904	GaQJ6dEK8R.exe	109
PID 3904 wrote to memory of 5112	3904	GaQJ6dEK8R.exe	109
PID 3904 wrote to memory of 5112	3904	GaQJ6dEK8R.exe	109
PID 5112 wrote to memory of 3840	5112	FpnG5aQJ6W8R9Tw.exe	110
PID 5112 wrote to memory of 3840	5112	FpnG5aQJ6W8R9Tw.exe	110
PID 5112 wrote to memory of 3840	5112	FpnG5aQJ6W8R9Tw.exe	110
PID 3840 wrote to memory of 3284	3840	GH6dWK8fR9.exe	111
PID 3840 wrote to memory of 3284	3840	GH6dWK8fR9.exe	111
PID 3840 wrote to memory of 3284	3840	GH6dWK8fR9.exe	111
PID 3284 wrote to memory of 636	3284	r4aQH6dWKfLhXjC.exe	112

C:\Users\Admin\AppData\Local\Temp\0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\tpnG4aQH6W7R9Tq.exe
  C:\Windows\system32\tpnG4aQH6W7R9Tq.exe 5985C:\Users\Admin\AppData\Local\Temp\0d7a787355d2f1ecb90885df072efcef_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\ACekBzDob.exe
    C:\Windows\system32\ACekBzDob.exe 5985C:\Windows\SysWOW64\tpnG4aQH6W7R9Tq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\ZYCekIBrzNx1v2b.exe
      C:\Windows\system32\ZYCekIBrzNx1v2b.exe 5985C:\Windows\SysWOW64\ACekBzDob.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\VL9gTZqjYeIrOyA.exe
        
        C:\Windows\system32\VL9gTZqjYeIrOyA.exe 5985C:\Windows\SysWOW64\ZYCekIBrzNx1v2b.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\dD2onF4am5W7E8T.exe
        
        C:\Windows\system32\dD2onF4am5W7E8T.exe 5985C:\Windows\SysWOW64\VL9gTZqjYeIrOyA.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\rBrzPNycAuDoFpH.exe
        
        C:\Windows\system32\rBrzPNycAuDoFpH.exe 5985C:\Windows\SysWOW64\dD2onF4am5W7E8T.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\yqjUCekIBzNx1v2.exe
        
        C:\Windows\system32\yqjUCekIBzNx1v2.exe 5985C:\Windows\SysWOW64\rBrzPNycAuDoFpH.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\x4amH6sWKfLgXj.exe
        
        C:\Windows\system32\x4amH6sWKfLgXj.exe 5985C:\Windows\SysWOW64\yqjUCekIBzNx1v2.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\YP0ycA1iv3n4m.exe
        
        C:\Windows\system32\YP0ycA1iv3n4m.exe 5985C:\Windows\SysWOW64\x4amH6sWKfLgXj.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\qbD3pnG5aHdKfLh.exe
        
        C:\Windows\system32\qbD3pnG5aHdKfLh.exe 5985C:\Windows\SysWOW64\YP0ycA1iv3n4m.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\ZibD3pnG4Q6W7R9.exe
        
        C:\Windows\system32\ZibD3pnG4Q6W7R9.exe 5985C:\Windows\SysWOW64\qbD3pnG5aHdKfLh.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\wOBtxP0yc1b3n4Q.exe
        
        C:\Windows\system32\wOBtxP0yc1b3n4Q.exe 5985C:\Windows\SysWOW64\ZibD3pnG4Q6W7R9.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\WRZ9hYXwjVlBz0c.exe
        
        C:\Windows\system32\WRZ9hYXwjVlBz0c.exe 5985C:\Windows\SysWOW64\wOBtxP0yc1b3n4Q.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\hucS2ibF3n5Q6W8.exe
        
        C:\Windows\system32\hucS2ibF3n5Q6W8.exe 5985C:\Windows\SysWOW64\WRZ9hYXwjVlBz0c.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\klONtxP0uSiDpGa.exe
        
        C:\Windows\system32\klONtxP0uSiDpGa.exe 5985C:\Windows\SysWOW64\hucS2ibF3n5Q6W8.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\iBtxP0ucSi.exe
        
        C:\Windows\system32\iBtxP0ucSi.exe 5985C:\Windows\SysWOW64\klONtxP0uSiDpGa.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Q6dEK8gRZhXkVlB.exe
        
        C:\Windows\system32\Q6dEK8gRZhXkVlB.exe 5985C:\Windows\SysWOW64\iBtxP0ucSi.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\GaQJ6dEK8R.exe
        
        C:\Windows\system32\GaQJ6dEK8R.exe 5985C:\Windows\SysWOW64\Q6dEK8gRZhXkVlB.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\FpnG5aQJ6W8R9Tw.exe
        
        C:\Windows\system32\FpnG5aQJ6W8R9Tw.exe 5985C:\Windows\SysWOW64\GaQJ6dEK8R.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\GH6dWK8fR9.exe
        
        C:\Windows\system32\GH6dWK8fR9.exe 5985C:\Windows\SysWOW64\FpnG5aQJ6W8R9Tw.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\r4aQH6dWKfLhXjC.exe
        
        C:\Windows\system32\r4aQH6dWKfLhXjC.exe 5985C:\Windows\SysWOW64\GH6dWK8fR9.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\e3onG4aQHsKfLgX.exe
        
        C:\Windows\system32\e3onG4aQHsKfLgX.exe 5985C:\Windows\SysWOW64\r4aQH6dWKfLhXjC.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\G0ycS1ivDoGaHsK.exe
        
        C:\Windows\system32\G0ycS1ivDoGaHsK.exe 5985C:\Windows\SysWOW64\e3onG4aQHsKfLgX.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\YwjUVelIBz0c1v3.exe
        
        C:\Windows\system32\YwjUVelIBz0c1v3.exe 5985C:\Windows\SysWOW64\G0ycS1ivDoGaHsK.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        C:\Windows\SysWOW64\rbD3pnG5aHdKfLh.exe
        
        C:\Windows\system32\rbD3pnG5aHdKfLh.exe 5985C:\Windows\SysWOW64\YwjUVelIBz0c1v3.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\grlOBtxP0c1b3n.exe
        
        C:\Windows\system32\grlOBtxP0c1b3n.exe 5985C:\Windows\SysWOW64\rbD3pnG5aHdKfLh.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\Windows\SysWOW64\q9hYXwkUVlBx0c1.exe
        
        C:\Windows\system32\q9hYXwkUVlBx0c1.exe 5985C:\Windows\SysWOW64\grlOBtxP0c1b3n.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Windows\SysWOW64\W5aQJ6dEKfZhXjV.exe
        
        C:\Windows\system32\W5aQJ6dEKfZhXjV.exe 5985C:\Windows\SysWOW64\q9hYXwkUVlBx0c1.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\BS2ibF3pn5Q6W8R.exe
        
        C:\Windows\system32\BS2ibF3pn5Q6W8R.exe 5985C:\Windows\SysWOW64\W5aQJ6dEKfZhXjV.exe
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\C5aQH6dWKfLhXj.exe
        
        C:\Windows\system32\C5aQH6dWKfLhXj.exe 5985C:\Windows\SysWOW64\BS2ibF3pn5Q6W8R.exe
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\sRZqhYXwkVlBx0c.exe
        
        C:\Windows\system32\sRZqhYXwkVlBx0c.exe 5985C:\Windows\SysWOW64\C5aQH6dWKfLhXj.exe
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3412
        
        C:\Windows\SysWOW64\l5sQJ6dEKgZhXkV.exe
        
        C:\Windows\system32\l5sQJ6dEKgZhXkV.exe 5985C:\Windows\SysWOW64\sRZqhYXwkVlBx0c.exe
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\mvS2ibF3pGaJdKf.exe
        
        C:\Windows\system32\mvS2ibF3pGaJdKf.exe 5985C:\Windows\SysWOW64\l5sQJ6dEKgZhXkV.exe
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:460
        
        C:\Windows\SysWOW64\WONtxA0uc2b3n5Q.exe
        
        C:\Windows\system32\WONtxA0uc2b3n5Q.exe 5985C:\Windows\SysWOW64\mvS2ibF3pGaJdKf.exe
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Windows\SysWOW64\s7dEL8gRZhCkVlN.exe
        
        C:\Windows\system32\s7dEL8gRZhCkVlN.exe 5985C:\Windows\SysWOW64\WONtxA0uc2b3n5Q.exe
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Windows\SysWOW64\fpmG5sQJ7E8RqYw.exe
        
        C:\Windows\system32\fpmG5sQJ7E8RqYw.exe 5985C:\Windows\SysWOW64\s7dEL8gRZhCkVlN.exe
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4064
        
        C:\Windows\SysWOW64\PsQJ6dEK8R9YwU.exe
        
        C:\Windows\system32\PsQJ6dEK8R9YwU.exe 5985C:\Windows\SysWOW64\fpmG5sQJ7E8RqYw.exe
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\YjYCwkIVrOtAuSi.exe
        
        C:\Windows\system32\YjYCwkIVrOtAuSi.exe 5985C:\Windows\SysWOW64\PsQJ6dEK8R9YwU.exe
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\SJ7dEL8gTqYwIrO.exe
        
        C:\Windows\system32\SJ7dEL8gTqYwIrO.exe 5985C:\Windows\SysWOW64\YjYCwkIVrOtAuSi.exe
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4284
        
        C:\Windows\SysWOW64\obF4pmH5sJ7E8Rq.exe
        
        C:\Windows\system32\obF4pmH5sJ7E8Rq.exe 5985C:\Windows\SysWOW64\SJ7dEL8gTqYwIrO.exe
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\zrzONyxA1v2b4m5.exe
        
        C:\Windows\system32\zrzONyxA1v2b4m5.exe 5985C:\Windows\SysWOW64\obF4pmH5sJ7E8Rq.exe
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\rWJ7fEL9gZjCkVz.exe
        
        C:\Windows\system32\rWJ7fEL9gZjCkVz.exe 5985C:\Windows\SysWOW64\zrzONyxA1v2b4m5.exe
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Windows\SysWOW64\SNycA1ivDo.exe
        
        C:\Windows\system32\SNycA1ivDo.exe 5985C:\Windows\SysWOW64\rWJ7fEL9gZjCkVz.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\Windows\SysWOW64\SRL9hTXqjClBzNc.exe
        
        C:\Windows\system32\SRL9hTXqjClBzNc.exe 5985C:\Windows\SysWOW64\SNycA1ivDo.exe
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4196
        
        C:\Windows\SysWOW64\p0ycS1ibDoGaHsK.exe
        
        C:\Windows\system32\p0ycS1ibDoGaHsK.exe 5985C:\Windows\SysWOW64\SRL9hTXqjClBzNc.exe
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\YUVelOBtz0c1v3n.exe
        
        C:\Windows\system32\YUVelOBtz0c1v3n.exe 5985C:\Windows\SysWOW64\p0ycS1ibDoGaHsK.exe
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Windows\SysWOW64\sJ6dWK8fR9TwUe.exe
        
        C:\Windows\system32\sJ6dWK8fR9TwUe.exe 5985C:\Windows\SysWOW64\YUVelOBtz0c1v3n.exe
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4580
        
        C:\Windows\SysWOW64\eUVrlONtx0c2b3n.exe
        
        C:\Windows\system32\eUVrlONtx0c2b3n.exe 5985C:\Windows\SysWOW64\sJ6dWK8fR9TwUe.exe
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SysWOW64\IJ7dEK8gRqYwUrO.exe
        
        C:\Windows\system32\IJ7dEK8gRqYwUrO.exe 5985C:\Windows\SysWOW64\eUVrlONtx0c2b3n.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tpnG4aQH6W7R9Tq.exe

Filesize
2.3MB

MD5
0d7a787355d2f1ecb90885df072efcef

SHA1
ace88584859f06e03040b4851fd7a0871f3dc5e9

SHA256
a92e969b52c1c84ca99a949c3f92e74a725030feec886aafc6d2e2aedc20886c

SHA512
395ad105056928bead911a095c150f0972f678115931539549a013cef62edeab2fd7afcad68a738fb6702034262dae56f0b9fe3e5b25bb2ab5aab12c4bfba21b

Download Submit
memory/60-215-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/116-168-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/388-247-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/400-96-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/460-207-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/536-19-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/536-25-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/636-144-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/780-36-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/976-211-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1280-239-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1372-255-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1436-11-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1436-17-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1436-10-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1464-8-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1464-2-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1464-1-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1852-203-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1960-90-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2140-223-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2308-192-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2308-48-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2352-30-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2716-227-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2780-180-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2988-150-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3144-235-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3248-108-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3284-138-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3412-198-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3496-102-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3640-42-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3840-132-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3904-120-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4064-66-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4064-219-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4088-267-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4196-251-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4228-60-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4284-231-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4316-186-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4504-162-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4532-156-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4556-54-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4580-263-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4592-72-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4744-259-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4860-84-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4872-174-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4896-114-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4948-243-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4960-78-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/5112-126-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads