e675d2cf1203d22ca2a9278ae9f762d3a4049ff749ef8c604a99ebc36620139c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a51ac36abe76b584045d2dc811b1763.exe
Size

153KB
MD5

0a51ac36abe76b584045d2dc811b1763
SHA1

efb8dc5f629deb20c199961069b1fabe3aa28911
SHA256

e675d2cf1203d22ca2a9278ae9f762d3a4049ff749ef8c604a99ebc36620139c
SHA512

7dc794516f2d71cca188532fc309f0c7c57de5e3ce2423d8327e9e0efaade39e51a02c736bcdbe9f274cf1c04b7b05b0357157596e67c5a6d3e21afd646a6b7d
SSDEEP

3072:ku2abcWv4pgHmKeAFlkJAUAEQGBcHN0OlaxP3DZyN/+oeRpxPdZFibDyxn:kBabT1n2LAHj05xP3DZyN1eRppzcexn

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a51ac36abe76b584045d2dc811b1763.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0a51ac36abe76b584045d2dc811b1763.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	BackgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe

Malware Dropper & Backdoor - Berbew 16 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023215-30.dat	family_berbew
behavioral2/files/0x000600000002322e-121.dat	family_berbew
behavioral2/files/0x000600000002322c-119.dat	family_berbew
behavioral2/files/0x000600000002322a-111.dat	family_berbew
behavioral2/files/0x0006000000023228-103.dat	family_berbew
behavioral2/files/0x0006000000023226-94.dat	family_berbew
behavioral2/files/0x0006000000023224-87.dat	family_berbew
behavioral2/files/0x0006000000023222-80.dat	family_berbew
behavioral2/files/0x0006000000023220-71.dat	family_berbew
behavioral2/files/0x000600000002321e-62.dat	family_berbew
behavioral2/files/0x000600000002321c-55.dat	family_berbew
behavioral2/files/0x000600000002321a-46.dat	family_berbew
behavioral2/files/0x0006000000023217-39.dat	family_berbew
behavioral2/files/0x0006000000023213-23.dat	family_berbew
behavioral2/files/0x000700000002320e-15.dat	family_berbew
behavioral2/files/0x000600000001e5df-7.dat	family_berbew

Executes dropped EXE 54 IoCs

pid	Process
4140	Mnlfigcc.exe
3764	Mahbje32.exe
4436	Mpkbebbf.exe
4276	Mciobn32.exe
544	Mgekbljc.exe
1072	Mkpgck32.exe
3644	Mnocof32.exe
1636	Majopeii.exe
2960	Mdiklqhm.exe
2692	Mcklgm32.exe
668	Mgghhlhq.exe
4536	Mjeddggd.exe
1348	Mnapdf32.exe
4972	Mpolqa32.exe
4784	Mdkhapfj.exe
1448	Mcnhmm32.exe
2396	Mkepnjng.exe
4440	Mjhqjg32.exe
2864	Mncmjfmk.exe
4048	Mpaifalo.exe
2532	Mcpebmkb.exe
416	Mglack32.exe
4472	Mkgmcjld.exe
4544	Mnfipekh.exe
3168	Maaepd32.exe
3392	Mdpalp32.exe
4600	Mcbahlip.exe
2956	Mgnnhk32.exe
3284	Njljefql.exe
1020	Nnhfee32.exe
2140	Nqfbaq32.exe
3684	Ndbnboqb.exe
2472	Ngpjnkpf.exe
3200	Nklfoi32.exe
3144	Nnjbke32.exe
1828	Nafokcol.exe
3772	Nddkgonp.exe
3356	Ncgkcl32.exe
1300	Ngcgcjnc.exe
3860	Nkncdifl.exe
1620	Nnmopdep.exe
3876	Nbhkac32.exe
3156	Nqklmpdd.exe
932	Ndghmo32.exe
4120	BackgroundTaskHost.exe
2032	Ngedij32.exe
4832	Nkqpjidj.exe
1176	Njcpee32.exe
968	Nbkhfc32.exe
2872	Nqmhbpba.exe
3576	Ndidbn32.exe
4088	Ncldnkae.exe
3476	Nggqoj32.exe
5156	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	BackgroundTaskHost.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	0a51ac36abe76b584045d2dc811b1763.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	BackgroundTaskHost.exe

Program crash 1 IoCs

pid	pid_target	Process
5240	5156	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	BackgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	BackgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4140	3536	0a51ac36abe76b584045d2dc811b1763.exe	80
PID 3536 wrote to memory of 4140	3536	0a51ac36abe76b584045d2dc811b1763.exe	80
PID 3536 wrote to memory of 4140	3536	0a51ac36abe76b584045d2dc811b1763.exe	80
PID 4140 wrote to memory of 3764	4140	Mnlfigcc.exe	15
PID 4140 wrote to memory of 3764	4140	Mnlfigcc.exe	15
PID 4140 wrote to memory of 3764	4140	Mnlfigcc.exe	15
PID 3764 wrote to memory of 4436	3764	Mahbje32.exe	79
PID 3764 wrote to memory of 4436	3764	Mahbje32.exe	79
PID 3764 wrote to memory of 4436	3764	Mahbje32.exe	79
PID 4436 wrote to memory of 4276	4436	Mpkbebbf.exe	77
PID 4436 wrote to memory of 4276	4436	Mpkbebbf.exe	77
PID 4436 wrote to memory of 4276	4436	Mpkbebbf.exe	77
PID 4276 wrote to memory of 544	4276	Mciobn32.exe	76
PID 4276 wrote to memory of 544	4276	Mciobn32.exe	76
PID 4276 wrote to memory of 544	4276	Mciobn32.exe	76
PID 544 wrote to memory of 1072	544	Mgekbljc.exe	75
PID 544 wrote to memory of 1072	544	Mgekbljc.exe	75
PID 544 wrote to memory of 1072	544	Mgekbljc.exe	75
PID 1072 wrote to memory of 3644	1072	Mkpgck32.exe	74
PID 1072 wrote to memory of 3644	1072	Mkpgck32.exe	74
PID 1072 wrote to memory of 3644	1072	Mkpgck32.exe	74
PID 3644 wrote to memory of 1636	3644	Mnocof32.exe	73
PID 3644 wrote to memory of 1636	3644	Mnocof32.exe	73
PID 3644 wrote to memory of 1636	3644	Mnocof32.exe	73
PID 1636 wrote to memory of 2960	1636	Majopeii.exe	72
PID 1636 wrote to memory of 2960	1636	Majopeii.exe	72
PID 1636 wrote to memory of 2960	1636	Majopeii.exe	72
PID 2960 wrote to memory of 2692	2960	Mdiklqhm.exe	71
PID 2960 wrote to memory of 2692	2960	Mdiklqhm.exe	71
PID 2960 wrote to memory of 2692	2960	Mdiklqhm.exe	71
PID 2692 wrote to memory of 668	2692	Mcklgm32.exe	69
PID 2692 wrote to memory of 668	2692	Mcklgm32.exe	69
PID 2692 wrote to memory of 668	2692	Mcklgm32.exe	69
PID 668 wrote to memory of 4536	668	Mgghhlhq.exe	68
PID 668 wrote to memory of 4536	668	Mgghhlhq.exe	68
PID 668 wrote to memory of 4536	668	Mgghhlhq.exe	68
PID 4536 wrote to memory of 1348	4536	Mjeddggd.exe	67
PID 4536 wrote to memory of 1348	4536	Mjeddggd.exe	67
PID 4536 wrote to memory of 1348	4536	Mjeddggd.exe	67
PID 1348 wrote to memory of 4972	1348	Mnapdf32.exe	65
PID 1348 wrote to memory of 4972	1348	Mnapdf32.exe	65
PID 1348 wrote to memory of 4972	1348	Mnapdf32.exe	65
PID 4972 wrote to memory of 4784	4972	Mpolqa32.exe	64
PID 4972 wrote to memory of 4784	4972	Mpolqa32.exe	64
PID 4972 wrote to memory of 4784	4972	Mpolqa32.exe	64
PID 4784 wrote to memory of 1448	4784	Mdkhapfj.exe	63
PID 4784 wrote to memory of 1448	4784	Mdkhapfj.exe	63
PID 4784 wrote to memory of 1448	4784	Mdkhapfj.exe	63
PID 1448 wrote to memory of 2396	1448	Mcnhmm32.exe	62
PID 1448 wrote to memory of 2396	1448	Mcnhmm32.exe	62
PID 1448 wrote to memory of 2396	1448	Mcnhmm32.exe	62
PID 2396 wrote to memory of 4440	2396	Mkepnjng.exe	61
PID 2396 wrote to memory of 4440	2396	Mkepnjng.exe	61
PID 2396 wrote to memory of 4440	2396	Mkepnjng.exe	61
PID 4440 wrote to memory of 2864	4440	Mjhqjg32.exe	16
PID 4440 wrote to memory of 2864	4440	Mjhqjg32.exe	16
PID 4440 wrote to memory of 2864	4440	Mjhqjg32.exe	16
PID 2864 wrote to memory of 4048	2864	Mncmjfmk.exe	59
PID 2864 wrote to memory of 4048	2864	Mncmjfmk.exe	59
PID 2864 wrote to memory of 4048	2864	Mncmjfmk.exe	59
PID 4048 wrote to memory of 2532	4048	Mpaifalo.exe	17
PID 4048 wrote to memory of 2532	4048	Mpaifalo.exe	17
PID 4048 wrote to memory of 2532	4048	Mpaifalo.exe	17
PID 2532 wrote to memory of 416	2532	Mcpebmkb.exe	58

C:\Users\Admin\AppData\Local\Temp\0a51ac36abe76b584045d2dc811b1763.exe
"C:\Users\Admin\AppData\Local\Temp\0a51ac36abe76b584045d2dc811b1763.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4140

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SysWOW64\Mpkbebbf.exe
  C:\Windows\system32\Mpkbebbf.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\Mpaifalo.exe
  C:\Windows\system32\Mpaifalo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Mglack32.exe
  C:\Windows\system32\Mglack32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:416

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2472
- C:\Windows\SysWOW64\Nklfoi32.exe
  C:\Windows\system32\Nklfoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3200

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3144
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1828

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3772
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3356

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3860
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:1620

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3876
- C:\Windows\SysWOW64\Nqklmpdd.exe
  C:\Windows\system32\Nqklmpdd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:3156

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1176
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:968

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3476
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  - Executes dropped EXE
  PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5156 -ip 5156
1⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 408
1⤵
- Program crash
PID:5240

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4088

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3576

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2872

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2032

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:4120

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:932

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1300

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2140

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1020

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2956

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3392

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4544

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4472

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4120

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mahbje32.exe

Filesize
153KB

MD5
f96b12f1faed4123b61a29fe38be819a

SHA1
cc80c3072c3d7651b07df599738e4af65702edb2

SHA256
5d80eabd968af6ec03d15b20b934ebd1c7b3748ef09ff6ccdfeedae681addd38

SHA512
adf606342a68fc9b2871abaf83be6eb2dbd9f9d611baab3cb13f034f137748b51c2b4d6e7856a838490fa3a39cbf75289750a95897d4fba3829a5d26e26e19d1

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
153KB

MD5
60b148422e17d6e3e52600bf0efebab1

SHA1
b3cf10389f9e2d4db535f5d979e4e6e02504ff24

SHA256
ded0b847eedf032c129f8bc55366db8ab1596893697a034b91a2232b5e1d370f

SHA512
b8780268ac32f9097a0bd04fffeb040c7be3019d7ad7644e482c3defe7d3afcd5720334fff5ea68ce1225612bd0122463b6ea9e89f991e20de016e4dad5fccc8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
153KB

MD5
90fe35b3b929aa956f62aaa9e090840e

SHA1
831bb418914015a0bf92bcd187a9372d802c3b0f

SHA256
950b49a780dde8b8de43d9cfb110458896ade292189713bc0f3fe4eab10a5950

SHA512
7aeb5fc082555263b8d97fbc56e27239b9922215bbe538b1b094f83b08ff31063802cc44f912e6ece515deab71875184fcd643a8513c71452246e4e08da629df

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
153KB

MD5
d5eac790cf323de3bb28170a9503bac1

SHA1
2aa31e723a7045ca87c1829f7a757c0062eeb408

SHA256
826572387cc763651a24ccbeaaa9968d3b384a474d599675ba63365315de26ae

SHA512
a635ffad2940644611b3253867b4569bb744cf4c83a2109caaed01f0a53c69146fc5003f062c3d597b441027863317fd5915b72ed9272527d15691538da5c87b

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
95KB

MD5
8c36fa905686a9534d5795e99045fca1

SHA1
cd1aba5fe0ac3826180fad5d01e1c6b75fb0a0b2

SHA256
42e2f967bfff0b32df04940f3ae94d412ce7b5d79af9c9690657d0fd1b01e88d

SHA512
0233adf2aa49d89b2a0173b98243e1826a3190df57054f6a0c1d4740f5a14034982e117f1413adda953f8284a839a4ce4ccee56d413f17dee90c3255aaf9eedb

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
153KB

MD5
4d85695c71edcd19d61c6bc2169d8830

SHA1
ebdd10f1a2fdd5ba97797668b45ec918146d00ff

SHA256
8e638b0701fff293c6a247afeccde5dbd4cf990ff1f3a7b88af7d97d08339fd3

SHA512
8f3be6ef4d9dd20b455cbd9c8159b4302831a9f6b51e04b9417cee91cc9b2e51343d4662f8ef6a0662bce0a84364574e88899914e42acb28b2ed5be460019e42

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
153KB

MD5
b97227e8078375bd9299493038974270

SHA1
c3ccc040b938ba2104c3540781c396ffa2e5230d

SHA256
582977ee6f822e6a38a2624c9ae56c3901bf2d0513eebc0e146c5a4f6cee7411

SHA512
d2fcbc3c676eea528c9df068fb4b832e3e5cea77afb061cdcf7d684a7485bbbfdb65b57e5d632c9ebb40a54c8a88a677f91630fc17b370d5ba42ebb1f76e2596

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
153KB

MD5
b0c853ad3ea94bc45eb93c145a09cbd3

SHA1
59a39d8a7fb6c091f8f7bdfc18102d03abd5b2d6

SHA256
3e6a6fba619e867900a7a1eb7c596d521679fc260b60fd8fbefbb260bd48ba12

SHA512
b71fe768fc38fd4428ef6d08719806ab98e1a0403b66473acbd84ba43f63b3ad92d6a6f3a37a7ad86c2dea4e9556c96a91e99b1d436ae24c6eab11c93e433958

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
153KB

MD5
ce4b43e1d6af5faf6c632a4d771975b0

SHA1
c414be858decf68b9d1d6b55fe1f1a64ec1f717b

SHA256
88f104cf57ff6d2b58d70bb947d91bad15371c218556db6027d9967c2bfd7fee

SHA512
71d1d3a73c1247f829cf82c12dc955299a8a63d92d06840515482a2e27fe8d4fc95b5e0b68265269a281b5dbbb93c0e54a4f5524fa509eaa729c71a55c6e43fe

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
153KB

MD5
cfd71b18d5774eb524cfd72197f067a5

SHA1
59de42907ee5cad92b494d3ef5b6d7233f5b06df

SHA256
4f58f1b87d77ed2b75d4f95ba9de2a5cfc6630ffbcf07f9f47a9631925c745c2

SHA512
35dd95bd0eba3a361ec7a29385c0c1d40ce2e69bb79301df36579f503bcd1508de98e91a154e02e8e3d8312955200ea0d4b077e562269020df6783af64b80a16

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
153KB

MD5
ba7ac30c536fc3e9ba7238f2d91d2a4c

SHA1
41fc5bb0698faa4efbf51a208c087c92da63a89e

SHA256
75eceb92c04728147af87ef48b638db2b424fc0a295b3460f7f442ad7b494347

SHA512
bfa140240f0b9ab2408f102e37b82bfa4aca885079d45f63c2e81f08c0f9cf2c1b72e7dae35182964430e92e7f40fddeb80549c7533af508c3b268f3aac8a48e

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
153KB

MD5
63a260975c36c11f174ac252d43558d9

SHA1
963b370a2ade8855b12397faa5214efab3585ba7

SHA256
77eeb828e94a048e79cdc96b1b4fd9dc9a2b65cb743cc2c8be3dd7b70fb003b5

SHA512
ec31a4b21570d4e0cffa08ba533bba0278de6f72853cea46660c1a15961505b9bd9a47578aeab4402b0c639d05167f5aa162218ed85cd7da0d67ca428a9c9efc

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
153KB

MD5
898710f8fd0391a051c0f3a3b134906a

SHA1
afb5d5af710fdb2a30ac20f44d6b2f3a078484b2

SHA256
c11056c5aac35231a91774e77339a9dc6331ce9b3c2423e037a0c1014f6669f7

SHA512
c4b3da7e883c8ca6be75f3a3723608353a74cc79c8887e300f07009b9c476c15331bc0de001a16749904a0ca44755defdd37b52c20dae11ac2e29f74bc37fa36

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
153KB

MD5
5f2ec0e6e6ac6f9e9909499602957901

SHA1
93b4102e2b8c9f3bf849abc85f583abbb152275b

SHA256
985f645abdea16ee92a9bdbaa0164b39ea79e79cf0ae1083bd8c4fe790dfff97

SHA512
236aff9aabb825edd7a2c8d97694163ca8607d475ac4fc43550f1ba36deff542d1855570970d6ccfc47b99b4a1e76aa7cf2d88b75cf8eb2f9f5020458cf36224

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
153KB

MD5
62305906a7fe7a61a2ee0ad423a8d859

SHA1
2ece3655cc8285564b93b578857b2598b1386089

SHA256
dc90a707f39f75ffb9cefe9a5b72ef17bb728487480ed25c632745560fccbc74

SHA512
5763d98ca1001d34f1bf128dcddf562e42fc419cdd8b30209d473d46809507c23b9115b3db7557391c7562da135d178e760bbe2931f5d2122db0069fbccd54f4

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
153KB

MD5
07d45b93eb8df76804055bce1437e92e

SHA1
09004a22384738ecb93b357654744f5355592142

SHA256
4ba7aa6f4c3fa4409a4bb126c0fbede1b79561ac4e35302bd32738a80c6cbb8b

SHA512
d75d4a2fdf5ba3f59c328db66499f9938eb0d6e1419cdb08c22c55a7fa71d11fdd1206340b9e9d9be30ce876dc573556540dec7f90303242f0ed101fc5bbc541

Download Submit
memory/416-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1072-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3536-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5156-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads