1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072f

Analysis

max time kernel
105s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Size

59KB
MD5

d12b88b298bb7be18649b140c8f12250
SHA1

6a8524f669a86a71df6995adcb6109caa91b1151
SHA256

1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072f
SHA512

a5d993040763d19216caba2f5cd1418dfbb10e310cb4f1bf518142f98dd0b1b22e63a8d4ed2aa70662baca02e52defdb52d48fa59a3f6d26f15f22309002c101
SSDEEP

1536:L7PBolWV6+Xs7111111111111111ycrC2LRO:Xv6+Xsh11111111111111yEPRO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomphm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kghoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfmahkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kghoan32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngaig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoppadq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlapaapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nanhihno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klonqpbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekddkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgfdhbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkfhglen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomphm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klonqpbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkfhglen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lighjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmlnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljnaocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollcee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngaig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgfdhbq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbfaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nokcbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lighjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmlnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljnaocd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoppadq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkebkjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkebkjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nokcbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlapaapg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollcee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekddkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfbfaao.exe

Executes dropped EXE 24 IoCs

pid	Process
2348	Klonqpbi.exe
2820	Kghoan32.exe
2776	Kkfhglen.exe
2704	Kngaig32.exe
2836	Kjnanhhc.exe
2700	Lcffgnnc.exe
2536	Lomglo32.exe
2056	Liekddkh.exe
2052	Lighjd32.exe
2936	Lpcmlnnp.exe
3044	Mljnaocd.exe
1088	Mcfbfaao.exe
2168	Mpoppadq.exe
2396	Mfkebkjk.exe
820	Nfmahkhh.exe
900	Nokcbm32.exe
1808	Nomphm32.exe
1508	Nlapaapg.exe
2152	Nanhihno.exe
2240	Omgfdhbq.exe
2016	Ocdnloph.exe
2608	Ollcee32.exe
2264	Oeegnj32.exe
1224	Ockdmn32.exe

Loads dropped DLL 52 IoCs

pid	Process
1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
2348	Klonqpbi.exe
2348	Klonqpbi.exe
2820	Kghoan32.exe
2820	Kghoan32.exe
2776	Kkfhglen.exe
2776	Kkfhglen.exe
2704	Kngaig32.exe
2704	Kngaig32.exe
2836	Kjnanhhc.exe
2836	Kjnanhhc.exe
2700	Lcffgnnc.exe
2700	Lcffgnnc.exe
2536	Lomglo32.exe
2536	Lomglo32.exe
2056	Liekddkh.exe
2056	Liekddkh.exe
2052	Lighjd32.exe
2052	Lighjd32.exe
2936	Lpcmlnnp.exe
2936	Lpcmlnnp.exe
3044	Mljnaocd.exe
3044	Mljnaocd.exe
1088	Mcfbfaao.exe
1088	Mcfbfaao.exe
2168	Mpoppadq.exe
2168	Mpoppadq.exe
2396	Mfkebkjk.exe
2396	Mfkebkjk.exe
820	Nfmahkhh.exe
820	Nfmahkhh.exe
900	Nokcbm32.exe
900	Nokcbm32.exe
1808	Nomphm32.exe
1808	Nomphm32.exe
1508	Nlapaapg.exe
1508	Nlapaapg.exe
2152	Nanhihno.exe
2152	Nanhihno.exe
2240	Omgfdhbq.exe
2240	Omgfdhbq.exe
2016	Ocdnloph.exe
2016	Ocdnloph.exe
2608	Ollcee32.exe
2608	Ollcee32.exe
2264	Oeegnj32.exe
2264	Oeegnj32.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mfkebkjk.exe	Mpoppadq.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Oeegnj32.exe
File created	C:\Windows\SysWOW64\Lcffgnnc.exe	Kjnanhhc.exe
File opened for modification	C:\Windows\SysWOW64\Mcfbfaao.exe	Mljnaocd.exe
File created	C:\Windows\SysWOW64\Nfmahkhh.exe	Mfkebkjk.exe
File created	C:\Windows\SysWOW64\Omgfdhbq.exe	Nanhihno.exe
File created	C:\Windows\SysWOW64\Mcfbfaao.exe	Mljnaocd.exe
File created	C:\Windows\SysWOW64\Nlapaapg.exe	Nomphm32.exe
File created	C:\Windows\SysWOW64\Oeegnj32.exe	Ollcee32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnloph.exe	Omgfdhbq.exe
File opened for modification	C:\Windows\SysWOW64\Kjnanhhc.exe	Kngaig32.exe
File opened for modification	C:\Windows\SysWOW64\Lcffgnnc.exe	Kjnanhhc.exe
File opened for modification	C:\Windows\SysWOW64\Mljnaocd.exe	Lpcmlnnp.exe
File created	C:\Windows\SysWOW64\Gnfmhdpb.dll	Mljnaocd.exe
File created	C:\Windows\SysWOW64\Mpoppadq.exe	Mcfbfaao.exe
File opened for modification	C:\Windows\SysWOW64\Nanhihno.exe	Nlapaapg.exe
File opened for modification	C:\Windows\SysWOW64\Omgfdhbq.exe	Nanhihno.exe
File created	C:\Windows\SysWOW64\Doeljaja.dll	Omgfdhbq.exe
File created	C:\Windows\SysWOW64\Aonjnmnj.dll	Kghoan32.exe
File created	C:\Windows\SysWOW64\Hqebodfa.dll	Liekddkh.exe
File created	C:\Windows\SysWOW64\Nhmiqo32.dll	Nlapaapg.exe
File created	C:\Windows\SysWOW64\Nokcbm32.exe	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Kghoan32.exe	Klonqpbi.exe
File created	C:\Windows\SysWOW64\Ffeejokj.dll	Kkfhglen.exe
File created	C:\Windows\SysWOW64\Jnlnid32.dll	Kngaig32.exe
File created	C:\Windows\SysWOW64\Lomglo32.exe	Lcffgnnc.exe
File created	C:\Windows\SysWOW64\Lpcmlnnp.exe	Lighjd32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmlnnp.exe	Lighjd32.exe
File created	C:\Windows\SysWOW64\Fbofhpaj.dll	Mfkebkjk.exe
File opened for modification	C:\Windows\SysWOW64\Nomphm32.exe	Nokcbm32.exe
File created	C:\Windows\SysWOW64\Nanhihno.exe	Nlapaapg.exe
File opened for modification	C:\Windows\SysWOW64\Kghoan32.exe	Klonqpbi.exe
File created	C:\Windows\SysWOW64\Kngaig32.exe	Kkfhglen.exe
File opened for modification	C:\Windows\SysWOW64\Kngaig32.exe	Kkfhglen.exe
File created	C:\Windows\SysWOW64\Kmggpigb.dll	Kjnanhhc.exe
File created	C:\Windows\SysWOW64\Lighjd32.exe	Liekddkh.exe
File opened for modification	C:\Windows\SysWOW64\Lighjd32.exe	Liekddkh.exe
File opened for modification	C:\Windows\SysWOW64\Nfmahkhh.exe	Mfkebkjk.exe
File opened for modification	C:\Windows\SysWOW64\Ollcee32.exe	Ocdnloph.exe
File opened for modification	C:\Windows\SysWOW64\Oeegnj32.exe	Ollcee32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoppadq.exe	Mcfbfaao.exe
File created	C:\Windows\SysWOW64\Jhlidkdc.dll	Klonqpbi.exe
File created	C:\Windows\SysWOW64\Liekddkh.exe	Lomglo32.exe
File created	C:\Windows\SysWOW64\Jqfcla32.dll	Lighjd32.exe
File created	C:\Windows\SysWOW64\Giedhjnn.dll	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Kkfhglen.exe	Kghoan32.exe
File created	C:\Windows\SysWOW64\Pddiabfi.dll	Mcfbfaao.exe
File created	C:\Windows\SysWOW64\Aegobiom.dll	Nomphm32.exe
File created	C:\Windows\SysWOW64\Ollcee32.exe	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Klonqpbi.exe	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
File created	C:\Windows\SysWOW64\Bbfijm32.dll	Lcffgnnc.exe
File created	C:\Windows\SysWOW64\Aeeafk32.dll	Nokcbm32.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Oeegnj32.exe
File created	C:\Windows\SysWOW64\Kjnanhhc.exe	Kngaig32.exe
File created	C:\Windows\SysWOW64\Mljnaocd.exe	Lpcmlnnp.exe
File created	C:\Windows\SysWOW64\Fohecb32.dll	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
File created	C:\Windows\SysWOW64\Hohegbcn.dll	Lpcmlnnp.exe
File created	C:\Windows\SysWOW64\Pfgmna32.dll	Mpoppadq.exe
File created	C:\Windows\SysWOW64\Nomphm32.exe	Nokcbm32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Oeegnj32.exe
File opened for modification	C:\Windows\SysWOW64\Klonqpbi.exe	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
File opened for modification	C:\Windows\SysWOW64\Kkfhglen.exe	Kghoan32.exe
File created	C:\Windows\SysWOW64\Eikkoh32.dll	Nanhihno.exe
File opened for modification	C:\Windows\SysWOW64\Lomglo32.exe	Lcffgnnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1452	1224	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljnaocd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoppadq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlapaapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klonqpbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngaig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcffgnnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liekddkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgfdhbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollcee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nokcbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kghoan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjnanhhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcmlnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfbfaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkebkjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nanhihno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnloph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeegnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkfhglen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lighjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfmahkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomphm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mljnaocd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfkebkjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nomphm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giedhjnn.dll"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmiqo32.dll"	Nlapaapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ollcee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlidkdc.dll"	Klonqpbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqebodfa.dll"	Liekddkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgmna32.dll"	Mpoppadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeafk32.dll"	Nokcbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll"	Ollcee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klonqpbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlnid32.dll"	Kngaig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekddkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lighjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegobiom.dll"	Nomphm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeljaja.dll"	Omgfdhbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecb32.dll"	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klonqpbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfkebkjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlapaapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfmahkhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgfdhbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonjnmnj.dll"	Kghoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmhdpb.dll"	Mljnaocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nokcbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kghoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kngaig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll"	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfijm32.dll"	Lcffgnnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoppadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjipeebb.dll"	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kghoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mljnaocd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nokcbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgfdhbq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmlnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmlnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcfbfaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddiabfi.dll"	Mcfbfaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomphm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkfhglen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjnanhhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekddkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lighjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikkoh32.dll"	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollcee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngaig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2348	1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe	30
PID 1704 wrote to memory of 2348	1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe	30
PID 1704 wrote to memory of 2348	1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe	30
PID 1704 wrote to memory of 2348	1704	1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe	30
PID 2348 wrote to memory of 2820	2348	Klonqpbi.exe	31
PID 2348 wrote to memory of 2820	2348	Klonqpbi.exe	31
PID 2348 wrote to memory of 2820	2348	Klonqpbi.exe	31
PID 2348 wrote to memory of 2820	2348	Klonqpbi.exe	31
PID 2820 wrote to memory of 2776	2820	Kghoan32.exe	32
PID 2820 wrote to memory of 2776	2820	Kghoan32.exe	32
PID 2820 wrote to memory of 2776	2820	Kghoan32.exe	32
PID 2820 wrote to memory of 2776	2820	Kghoan32.exe	32
PID 2776 wrote to memory of 2704	2776	Kkfhglen.exe	33
PID 2776 wrote to memory of 2704	2776	Kkfhglen.exe	33
PID 2776 wrote to memory of 2704	2776	Kkfhglen.exe	33
PID 2776 wrote to memory of 2704	2776	Kkfhglen.exe	33
PID 2704 wrote to memory of 2836	2704	Kngaig32.exe	34
PID 2704 wrote to memory of 2836	2704	Kngaig32.exe	34
PID 2704 wrote to memory of 2836	2704	Kngaig32.exe	34
PID 2704 wrote to memory of 2836	2704	Kngaig32.exe	34
PID 2836 wrote to memory of 2700	2836	Kjnanhhc.exe	35
PID 2836 wrote to memory of 2700	2836	Kjnanhhc.exe	35
PID 2836 wrote to memory of 2700	2836	Kjnanhhc.exe	35
PID 2836 wrote to memory of 2700	2836	Kjnanhhc.exe	35
PID 2700 wrote to memory of 2536	2700	Lcffgnnc.exe	36
PID 2700 wrote to memory of 2536	2700	Lcffgnnc.exe	36
PID 2700 wrote to memory of 2536	2700	Lcffgnnc.exe	36
PID 2700 wrote to memory of 2536	2700	Lcffgnnc.exe	36
PID 2536 wrote to memory of 2056	2536	Lomglo32.exe	37
PID 2536 wrote to memory of 2056	2536	Lomglo32.exe	37
PID 2536 wrote to memory of 2056	2536	Lomglo32.exe	37
PID 2536 wrote to memory of 2056	2536	Lomglo32.exe	37
PID 2056 wrote to memory of 2052	2056	Liekddkh.exe	38
PID 2056 wrote to memory of 2052	2056	Liekddkh.exe	38
PID 2056 wrote to memory of 2052	2056	Liekddkh.exe	38
PID 2056 wrote to memory of 2052	2056	Liekddkh.exe	38
PID 2052 wrote to memory of 2936	2052	Lighjd32.exe	39
PID 2052 wrote to memory of 2936	2052	Lighjd32.exe	39
PID 2052 wrote to memory of 2936	2052	Lighjd32.exe	39
PID 2052 wrote to memory of 2936	2052	Lighjd32.exe	39
PID 2936 wrote to memory of 3044	2936	Lpcmlnnp.exe	40
PID 2936 wrote to memory of 3044	2936	Lpcmlnnp.exe	40
PID 2936 wrote to memory of 3044	2936	Lpcmlnnp.exe	40
PID 2936 wrote to memory of 3044	2936	Lpcmlnnp.exe	40
PID 3044 wrote to memory of 1088	3044	Mljnaocd.exe	41
PID 3044 wrote to memory of 1088	3044	Mljnaocd.exe	41
PID 3044 wrote to memory of 1088	3044	Mljnaocd.exe	41
PID 3044 wrote to memory of 1088	3044	Mljnaocd.exe	41
PID 1088 wrote to memory of 2168	1088	Mcfbfaao.exe	42
PID 1088 wrote to memory of 2168	1088	Mcfbfaao.exe	42
PID 1088 wrote to memory of 2168	1088	Mcfbfaao.exe	42
PID 1088 wrote to memory of 2168	1088	Mcfbfaao.exe	42
PID 2168 wrote to memory of 2396	2168	Mpoppadq.exe	43
PID 2168 wrote to memory of 2396	2168	Mpoppadq.exe	43
PID 2168 wrote to memory of 2396	2168	Mpoppadq.exe	43
PID 2168 wrote to memory of 2396	2168	Mpoppadq.exe	43
PID 2396 wrote to memory of 820	2396	Mfkebkjk.exe	44
PID 2396 wrote to memory of 820	2396	Mfkebkjk.exe	44
PID 2396 wrote to memory of 820	2396	Mfkebkjk.exe	44
PID 2396 wrote to memory of 820	2396	Mfkebkjk.exe	44
PID 820 wrote to memory of 900	820	Nfmahkhh.exe	45
PID 820 wrote to memory of 900	820	Nfmahkhh.exe	45
PID 820 wrote to memory of 900	820	Nfmahkhh.exe	45
PID 820 wrote to memory of 900	820	Nfmahkhh.exe	45

C:\Users\Admin\AppData\Local\Temp\1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe
"C:\Users\Admin\AppData\Local\Temp\1e2c9de461ac90ae7d819c8e34fc270ce2967b3d63b8a622277cdba90506072fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\Klonqpbi.exe
  C:\Windows\system32\Klonqpbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Kghoan32.exe
    C:\Windows\system32\Kghoan32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Kkfhglen.exe
      C:\Windows\system32\Kkfhglen.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Kngaig32.exe
        
        C:\Windows\system32\Kngaig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Kjnanhhc.exe
        
        C:\Windows\system32\Kjnanhhc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Lcffgnnc.exe
        
        C:\Windows\system32\Lcffgnnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Lomglo32.exe
        
        C:\Windows\system32\Lomglo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Liekddkh.exe
        
        C:\Windows\system32\Liekddkh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Lighjd32.exe
        
        C:\Windows\system32\Lighjd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Lpcmlnnp.exe
        
        C:\Windows\system32\Lpcmlnnp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Mljnaocd.exe
        
        C:\Windows\system32\Mljnaocd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Mcfbfaao.exe
        
        C:\Windows\system32\Mcfbfaao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Mpoppadq.exe
        
        C:\Windows\system32\Mpoppadq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Mfkebkjk.exe
        
        C:\Windows\system32\Mfkebkjk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nfmahkhh.exe
        
        C:\Windows\system32\Nfmahkhh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Nokcbm32.exe
        
        C:\Windows\system32\Nokcbm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Nomphm32.exe
        
        C:\Windows\system32\Nomphm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Nlapaapg.exe
        
        C:\Windows\system32\Nlapaapg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Nanhihno.exe
        
        C:\Windows\system32\Nanhihno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Omgfdhbq.exe
        
        C:\Windows\system32\Omgfdhbq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ocdnloph.exe
        
        C:\Windows\system32\Ocdnloph.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ollcee32.exe
        
        C:\Windows\system32\Ollcee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Oeegnj32.exe
        
        C:\Windows\system32\Oeegnj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kghoan32.exe

Filesize
59KB

MD5
ab9a9bff547a7b7bc2980b3b2438a070

SHA1
beede3b1946accc11ca90b0c50850800b623ed99

SHA256
32079321231ec160b949144b5a21c85c8181bf601653463bfff50e3c0ab83375

SHA512
ecacaf5ee7357ebb045e263b4592d00793ea439d0176a84db66be83f30ac0da0c19fd87377089ba6ef58c1854c2f5e76f88dc21fbb896ffbaa6ab0e8feba2e38

Download Submit
C:\Windows\SysWOW64\Kkfhglen.exe

Filesize
59KB

MD5
f56a5daefee2498f7af53bf5ead86744

SHA1
96975dea41519a288d1d957c6f68d8c324f58575

SHA256
2c5a58d050d4d3b6fee1af35ea4c94fb4abbf56d07f30283df3f03af88b057d6

SHA512
273cca85b84f436655efb743b8dfab8bfcc14b68fc4463e2378048d229a162764dcc7bbdfe6970ada92d9c59af7e60bca25f64c2be31fcc6d54854f24426e81a

Download Submit
C:\Windows\SysWOW64\Klonqpbi.exe

Filesize
59KB

MD5
7897fe560ccd02c5a358cd585bfaaea7

SHA1
606efea95abf9ed60e122ec5db0067d19e30eb98

SHA256
b43dd02ae4ec37ab89fcc24806e7404ea6380911eb4c29b01de2db91eb766728

SHA512
85bdc32d914105089e0cf156a3b559ff278301301caf709f1dd9970d2f245268b3b907363e76e4e5783a50ccf40fd6f4c7e280b819294804b66b1e2747e5e93b

Download Submit
C:\Windows\SysWOW64\Mfkebkjk.exe

Filesize
59KB

MD5
73226362b5de14ccd974d251e8078c36

SHA1
9b3f35177394629ec9188b6e6cf97e6ca30beb62

SHA256
8c59674c6d436d7ae9ab640acf67b3c628434a768b8913947b3e405fff2ee044

SHA512
0da6e7317fd9a78ddac09717308b4f8779a14540417a625ebe91ba1ee78b1d958cca645c6b3885ea4094e941d46f4fd68e81e2967230c7168d4fd0ea85f25065

Download Submit
C:\Windows\SysWOW64\Nanhihno.exe

Filesize
59KB

MD5
8ec1ee9e20d05372139a0820dd31fc75

SHA1
79321e2f15afe6ec7185cc1069f6b4cd849f15e3

SHA256
0053ed643d1af10924cf49af468df760e0bfd2577b3dc606b5f2b002340ee12f

SHA512
7744e6ae81e7546d4c1f3724d4ae3e274e84a37ceb8f3d8bc0aafb687155208009950d514f32e8dc5c4a94ce0235160c47430b0700dd0dcba03a5846866ed190

Download Submit
C:\Windows\SysWOW64\Nlapaapg.exe

Filesize
59KB

MD5
b052d9f956dd7168d2dd4675fe33b4cb

SHA1
b0d4a03e6226856bd8934930c2e224a67bf6193b

SHA256
af8f36af8db0ab82af9cb74d1487b55dbe29ad2eb2b7f0b249546d038fb5ee52

SHA512
9e763db653d379d485573689f1f3363762b9abacdc5abeb5bce478191f8467f011415240ed46287d3679b1f0840516cfefa1879a0c2019f446bb85ba2418589d

Download Submit
C:\Windows\SysWOW64\Nokcbm32.exe

Filesize
59KB

MD5
a0ba78d32214747200f78ad563c9743f

SHA1
efa5bc6a14fee150aa26f4d60b1330584f7c1964

SHA256
8870d1f38b347da70d04bb5d68686f0baa8547218efed5937e6240adc0fa9061

SHA512
d0353a6a6a3c966fe0d7927dad2b889fd5ede004fbad3209c136900de50f6fe738b0cdb17f57be6ae6b60686856faed81eb7749bdf2713e34a326cf8c461b576

Download Submit
C:\Windows\SysWOW64\Nomphm32.exe

Filesize
59KB

MD5
9cd0d1c67bae648daf5eef41deb34db5

SHA1
46e9047ca8c42656645911ac51375f9ae303be49

SHA256
e267112d7860c767543cdf5f27834db0f03153fe1da2ed3e1a6fc9cc3ce35b9d

SHA512
70c0714c46daaeba9fd3bd8b1d349d9e940ac3844a10e937ff7bc0fcee1ed935d74141f886c7a1d1f337e011c2024381c06574432901fdca1667898d58f192db

Download Submit
C:\Windows\SysWOW64\Ocdnloph.exe

Filesize
59KB

MD5
168f7975ef4cd6002272f932480a28a1

SHA1
3d0b37359476a61029af935dd7a10b4e4d470601

SHA256
4f652c611ac4303f56db2f775dff7a2ce3b9e8e485cbb153bbcf4bc9732ff2b5

SHA512
9704a75a5f889906e9ce0cb5c393bdb81c53b935e16677ab3b1ddb21d44f75ee2b3f2c2cd72a81c96d9f941a8fa4c595671526c380f29dc608ac3569096dea1c

Download Submit
C:\Windows\SysWOW64\Ockdmn32.exe

Filesize
59KB

MD5
8e7f4fae151ad811debf6b83585f840b

SHA1
c9357257ae050e563d3ba349736a70cfa13590f7

SHA256
4a5a8f9ac680b03008187a83d49daee586c7cdff0ba6e88d25c09a9227437316

SHA512
ec96ca75034abd8561ea1d149d710a2d47d658e7b7851974707621c94a627041e7891331769fed33b5190efdafe1f602c8e92ca683e4b91c20e66a3a01ed9e83

Download Submit
C:\Windows\SysWOW64\Oeegnj32.exe

Filesize
59KB

MD5
39435236dead34c997d7f1a0998615aa

SHA1
2232fbd33772ecfca5175a1ad9ce2f055d5981f1

SHA256
109e0112ca21338a414f1ececc45ba0bb5436c7d165df5cea8c3baa0ee8bc410

SHA512
58a6637ece4c8c6645645bfc02718f41ae156310cf6f58fef7ea56d5b84ccff5b1f7176690ed226b26be95de5590c3018ae1e97580ba70136206a58c5a32db8a

Download Submit
C:\Windows\SysWOW64\Ollcee32.exe

Filesize
59KB

MD5
dbe2c18ed153b19d2d8a77a6062462d1

SHA1
796d2d6ca536f19cda89f3e33c36758e1f8341c4

SHA256
da00d62da071765bb199fb3c1cde7878138be1dcde2697118ec3589dd90b6859

SHA512
29828e86ef7cdb3c0d4742e0b6fec43fa98e090eed232e7f89ca143d1c3ced8a9f99540b5c91f736bfe7c3d53e5bcbdc74c95abfd745d0dd5993425d9c1d637a

Download Submit
C:\Windows\SysWOW64\Omgfdhbq.exe

Filesize
59KB

MD5
373d9e4666f79779c7b7a9abd04c61f5

SHA1
bea572df62de8f7ec5825372e5dee5a2781cc7cf

SHA256
d2c2e0d022a4b2e1d7b77c3611db974cf62eb690d974c8b932b59b0431d432eb

SHA512
cfa4dcf06e2702a894ccac47ae430e8a4ed54cc4faa98466ab2b66a94201443a73f66f77499ab1c9fa10701a1c267a1f0dd499bd9283a1dcfa63bf94ff9ae56a

Download Submit
\Windows\SysWOW64\Kjnanhhc.exe

Filesize
59KB

MD5
54c844fdf5c5694dcaafd2d0a0150308

SHA1
558b94e91e0b13ccb5bfc78a0f317b91c51315b8

SHA256
3337758e05a18e82ed9eed5a2fc462a013b3afcaffe621fb5105fdeab3c554c1

SHA512
1d3293e808a0642305bc40701d032ac75403250c6c6d293512e711dc08aa7f82ccdbdf869944c5915d3d181e5804e91386d03d011c35129ca4c77455f17d1ed7

Download Submit
\Windows\SysWOW64\Kngaig32.exe

Filesize
59KB

MD5
a56c1ec121f852aecbf2aaeef1a58dbd

SHA1
9a52bd96ffeed49c3d3760297ce201382383baf3

SHA256
c8ed23fc7c726a8370077efd64c233ef786ebaf7b51f532ee5e189a4270961d4

SHA512
48ee6e7e1f77f2e7cb2cecfd6b75b158bfc09b8ee7302ed38a68812ff854db7051c1fe3f8c5b92b9a0e43a09df869ac73f4a094fd0edd7b3a10bd93aa481a48c

Download Submit
\Windows\SysWOW64\Lcffgnnc.exe

Filesize
59KB

MD5
d0bef13398db96eb3539ac5be89d728c

SHA1
658199c86422e3f37634a5b5b8f72e82629382f2

SHA256
9b9ec2df382ed0ba3c2ca2a363bb884bfb3ca947212a1abad30bfd656d6b8f5a

SHA512
ee8ebc34debd66bcb9306c28c00eaabe4b5ba6890c900351e74ee5badf905dae6c859fcb00b8e690a06dd6d3185dd98c8e5b6dced7903d3547729378f7a819e1

Download Submit
\Windows\SysWOW64\Liekddkh.exe

Filesize
59KB

MD5
56953edf81ded24c26eef6ba4cad4848

SHA1
e0bb0eb29c6ffedcb2b191f867d25ffb85c8d84d

SHA256
41dbfb3b97d2da4f2a1ca51452aa518713c6e2f245f6b46051a8fe850c1e9a30

SHA512
777b48d62d5c57b9c0a0b67bc53d629eaac0ec65dfba4ead24540d1c9754d4cbdd88fe178b6c3f68752f8038ab8e8450633ff653e68d67c7f72600d816b6887a

Download Submit
\Windows\SysWOW64\Lighjd32.exe

Filesize
59KB

MD5
a95242ec1e96aeb21d2410d6722c79dc

SHA1
3118165e3bbfd7971f9f315d87de27229bb1db6a

SHA256
75c08a0ebe41ecf5610790ead46f48a51f9a510cb3133492bfe65d11272b3f6d

SHA512
6c920f53a3260a7efa27c26df8f7f6c5645514f8a2669c9010ed23a7ce1f14334fa2831bdbec54895a037f48cd000c5746e7544b44ff48850e395d9f4e212996

Download Submit
\Windows\SysWOW64\Lomglo32.exe

Filesize
59KB

MD5
7c780420d79ef0de9347e9bac248e603

SHA1
5d58db199fc0f255881191c3e8dd6384e3e9c599

SHA256
c2418b0ec3be897c39b29f0ba8d15308841a83af365201ace201efbbc72ea5a9

SHA512
d955d01035028c4a7b89a8905762093ee8067e118974bdcb12a8569f239673526bcbc93b3e5866ef037e7ef404476b36142dc6feaa12cd3dc9e24f2ec0e77a1a

Download Submit
\Windows\SysWOW64\Lpcmlnnp.exe

Filesize
59KB

MD5
c9511bdd3d9726e82adbaa2f5e618086

SHA1
3c77789962292cb3920796abd303ad9c9b6cd1bf

SHA256
f2124728bde3d4698db371a37483318fd20fbed243cb6c00d92738d4e414b8ee

SHA512
11a2575158874ac01c0de30c00fbb55998b4881cfd281d32d45b2061109de63ecb7fab498e409b118fe814691f1c74c0147c56c8fdeb5ce95ab215562712ba76

Download Submit
\Windows\SysWOW64\Mcfbfaao.exe

Filesize
59KB

MD5
7345417258a973e39d2ad3d8a304137e

SHA1
3500ce49b518ba7b99cf4efe017c7cbc406b0bb7

SHA256
7c53803b90433e66ec2ebc5ef8a89a1539153efd2ab059068d2dbf7d8d755551

SHA512
33ea261c0eb2a7270f68de07692d070fcaa8d71eb8be20acf42374b09b1d564b8c93adb712599ba9dc3d8f8b6a7e2bb9e9e1448e3fea789a9fc0a01a73fc9e19

Download Submit
\Windows\SysWOW64\Mljnaocd.exe

Filesize
59KB

MD5
2fe2742fc48e7cde9817ec65b80558bc

SHA1
790f3885fbcc407f0ba9b3cbca3aff4653f4b626

SHA256
9797c99479a0b0fbe28da5cabc8b0edac1c89bd771805f4b33eaa0a73a7b6b85

SHA512
71538b3c98391dd4da65043ff0a27c1b9a37830bee5efb30d37c5511204a5e5daa265df6708bc3b08d939fb4ff7c5e4fd7274f6789ed1afa5efbb4f0205e409f

Download Submit
\Windows\SysWOW64\Mpoppadq.exe

Filesize
59KB

MD5
b58bc441c894b482eceffb2f60d339a9

SHA1
a73013201f36ebd61ff80deb351151fddb2a2874

SHA256
7625d685e5d5068a824030de3927af86569acd85fb3f9729d4e6f62080d8b450

SHA512
2252e591ad47e363db3748b30bf8cc61ec883862b16f45fefd4716087e2cacab2ae0dd94ba4352c0df398f0782b423a8c46dc30bda669c801c3d861637f33c51

Download Submit
\Windows\SysWOW64\Nfmahkhh.exe

Filesize
59KB

MD5
c312242c9ebe9252c64280e09d0e8813

SHA1
fa3a3ad8c77a8bc0f67718c6437fe1a3e21d1da3

SHA256
a9f71daea76d5fcac365feb538bb1142c3911129a791e0e63d4458f8a363a2c5

SHA512
75baffb0fb00bba730d715f838422a8be1d59b7ce4ba25a30192f7336c0ca9dea28078dcc02483756d04c61a53cb6a23bf0bfcf1b71cfd963624a4670620ee2a

Download Submit
memory/820-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-215-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/900-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1704-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1704-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-236-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2016-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-271-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2016-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-128-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2056-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-116-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2152-252-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2152-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-185-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2168-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-291-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2264-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-295-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-27-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2396-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-102-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2536-108-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2536-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-284-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2700-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-62-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2776-48-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2776-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-143-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2936-148-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/3044-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-162-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads