23316c3c06e9701a0999a918c5bba97d8a0ecc210af758442c2a5e100f9e472c

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0886965890b320b291a2147b085bff4.exe
Size

96KB
MD5

f0886965890b320b291a2147b085bff4
SHA1

89bf747ff65640ddb55a59b80f1a29083caffa16
SHA256

23316c3c06e9701a0999a918c5bba97d8a0ecc210af758442c2a5e100f9e472c
SHA512

d59dc361f90998b60986be56e2ea53aafb9440c06adb68cb8d0d2e3f8db8ec6e00ece57a99731d43499af04f5dacfcbd0b07ed218ab6d2c7013357eb6fa67974
SSDEEP

1536:LSnK68QNo2VqCXfV2kuMFWH7N78CEGgZ1ap9TFyRQ+ER5R45WtqV9R2R462izMgG:LSvfo2VhXfIB8Ln1avTFye+EHrtG9MWX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdcpdp32.exe

Executes dropped EXE 28 IoCs

pid	Process
2680	Kocbkk32.exe
2924	Kilfcpqm.exe
2720	Kofopj32.exe
2888	Kebgia32.exe
2644	Kohkfj32.exe
1252	Keednado.exe
2040	Kaldcb32.exe
2892	Lanaiahq.exe
2996	Lgjfkk32.exe
1924	Lndohedg.exe
1036	Lpekon32.exe
1640	Lphhenhc.exe
540	Lpjdjmfp.exe
308	Mmneda32.exe
1776	Meijhc32.exe
2208	Mponel32.exe
2440	Mapjmehi.exe
956	Mkhofjoj.exe
1120	Mlhkpm32.exe
1772	Mmihhelk.exe
1400	Mdcpdp32.exe
1840	Moidahcn.exe
880	Nhaikn32.exe
1396	Nplmop32.exe
2016	Ngfflj32.exe
884	Nlcnda32.exe
2300	Ngkogj32.exe
1448	Nlhgoqhh.exe

Loads dropped DLL 60 IoCs

pid	Process
2088	f0886965890b320b291a2147b085bff4.exe
2088	f0886965890b320b291a2147b085bff4.exe
2680	Kocbkk32.exe
2680	Kocbkk32.exe
2924	Kilfcpqm.exe
2924	Kilfcpqm.exe
2720	Kofopj32.exe
2720	Kofopj32.exe
2888	Kebgia32.exe
2888	Kebgia32.exe
2644	Kohkfj32.exe
2644	Kohkfj32.exe
1252	Keednado.exe
1252	Keednado.exe
2040	Kaldcb32.exe
2040	Kaldcb32.exe
2892	Lanaiahq.exe
2892	Lanaiahq.exe
2996	Lgjfkk32.exe
2996	Lgjfkk32.exe
1924	Lndohedg.exe
1924	Lndohedg.exe
1036	Lpekon32.exe
1036	Lpekon32.exe
1640	Lphhenhc.exe
1640	Lphhenhc.exe
540	Lpjdjmfp.exe
540	Lpjdjmfp.exe
308	Mmneda32.exe
308	Mmneda32.exe
1776	Meijhc32.exe
1776	Meijhc32.exe
2208	Mponel32.exe
2208	Mponel32.exe
2440	Mapjmehi.exe
2440	Mapjmehi.exe
956	Mkhofjoj.exe
956	Mkhofjoj.exe
1120	Mlhkpm32.exe
1120	Mlhkpm32.exe
1772	Mmihhelk.exe
1772	Mmihhelk.exe
1400	Mdcpdp32.exe
1400	Mdcpdp32.exe
1840	Moidahcn.exe
1840	Moidahcn.exe
880	Nhaikn32.exe
880	Nhaikn32.exe
1396	Nplmop32.exe
1396	Nplmop32.exe
2016	Ngfflj32.exe
2016	Ngfflj32.exe
884	Nlcnda32.exe
884	Nlcnda32.exe
2300	Ngkogj32.exe
2300	Ngkogj32.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kofopj32.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Lpekon32.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Kmfoak32.dll	Kebgia32.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Keednado.exe
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Mkoleq32.dll	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Keednado.exe	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Lanaiahq.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpekon32.exe	Lndohedg.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mmneda32.exe
File created	C:\Windows\SysWOW64\Mponel32.exe	Meijhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Kilfcpqm.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Keednado.exe
File created	C:\Windows\SysWOW64\Lndohedg.exe	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhofjoj.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Jhcfhi32.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	f0886965890b320b291a2147b085bff4.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Lndohedg.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Mponel32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Lndohedg.exe	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Opdnhdpo.dll	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Kohkfj32.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Keednado.exe	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Mponel32.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Mmdcie32.dll	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	f0886965890b320b291a2147b085bff4.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Kohkfj32.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Mkhofjoj.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kohkfj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfkk32.exe	Lanaiahq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	1448	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mponel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll"	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f0886965890b320b291a2147b085bff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	f0886965890b320b291a2147b085bff4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2680	2088	f0886965890b320b291a2147b085bff4.exe	24
PID 2088 wrote to memory of 2680	2088	f0886965890b320b291a2147b085bff4.exe	24
PID 2088 wrote to memory of 2680	2088	f0886965890b320b291a2147b085bff4.exe	24
PID 2088 wrote to memory of 2680	2088	f0886965890b320b291a2147b085bff4.exe	24
PID 2680 wrote to memory of 2924	2680	Kocbkk32.exe	15
PID 2680 wrote to memory of 2924	2680	Kocbkk32.exe	15
PID 2680 wrote to memory of 2924	2680	Kocbkk32.exe	15
PID 2680 wrote to memory of 2924	2680	Kocbkk32.exe	15
PID 2924 wrote to memory of 2720	2924	Kilfcpqm.exe	16
PID 2924 wrote to memory of 2720	2924	Kilfcpqm.exe	16
PID 2924 wrote to memory of 2720	2924	Kilfcpqm.exe	16
PID 2924 wrote to memory of 2720	2924	Kilfcpqm.exe	16
PID 2720 wrote to memory of 2888	2720	Kofopj32.exe	19
PID 2720 wrote to memory of 2888	2720	Kofopj32.exe	19
PID 2720 wrote to memory of 2888	2720	Kofopj32.exe	19
PID 2720 wrote to memory of 2888	2720	Kofopj32.exe	19
PID 2888 wrote to memory of 2644	2888	Kebgia32.exe	17
PID 2888 wrote to memory of 2644	2888	Kebgia32.exe	17
PID 2888 wrote to memory of 2644	2888	Kebgia32.exe	17
PID 2888 wrote to memory of 2644	2888	Kebgia32.exe	17
PID 2644 wrote to memory of 1252	2644	Kohkfj32.exe	18
PID 2644 wrote to memory of 1252	2644	Kohkfj32.exe	18
PID 2644 wrote to memory of 1252	2644	Kohkfj32.exe	18
PID 2644 wrote to memory of 1252	2644	Kohkfj32.exe	18
PID 1252 wrote to memory of 2040	1252	Keednado.exe	20
PID 1252 wrote to memory of 2040	1252	Keednado.exe	20
PID 1252 wrote to memory of 2040	1252	Keednado.exe	20
PID 1252 wrote to memory of 2040	1252	Keednado.exe	20
PID 2040 wrote to memory of 2892	2040	Kaldcb32.exe	21
PID 2040 wrote to memory of 2892	2040	Kaldcb32.exe	21
PID 2040 wrote to memory of 2892	2040	Kaldcb32.exe	21
PID 2040 wrote to memory of 2892	2040	Kaldcb32.exe	21
PID 2892 wrote to memory of 2996	2892	Lanaiahq.exe	22
PID 2892 wrote to memory of 2996	2892	Lanaiahq.exe	22
PID 2892 wrote to memory of 2996	2892	Lanaiahq.exe	22
PID 2892 wrote to memory of 2996	2892	Lanaiahq.exe	22
PID 2996 wrote to memory of 1924	2996	Lgjfkk32.exe	23
PID 2996 wrote to memory of 1924	2996	Lgjfkk32.exe	23
PID 2996 wrote to memory of 1924	2996	Lgjfkk32.exe	23
PID 2996 wrote to memory of 1924	2996	Lgjfkk32.exe	23
PID 1924 wrote to memory of 1036	1924	Lndohedg.exe	33
PID 1924 wrote to memory of 1036	1924	Lndohedg.exe	33
PID 1924 wrote to memory of 1036	1924	Lndohedg.exe	33
PID 1924 wrote to memory of 1036	1924	Lndohedg.exe	33
PID 1036 wrote to memory of 1640	1036	Lpekon32.exe	39
PID 1036 wrote to memory of 1640	1036	Lpekon32.exe	39
PID 1036 wrote to memory of 1640	1036	Lpekon32.exe	39
PID 1036 wrote to memory of 1640	1036	Lpekon32.exe	39
PID 1640 wrote to memory of 540	1640	Lphhenhc.exe	40
PID 1640 wrote to memory of 540	1640	Lphhenhc.exe	40
PID 1640 wrote to memory of 540	1640	Lphhenhc.exe	40
PID 1640 wrote to memory of 540	1640	Lphhenhc.exe	40
PID 540 wrote to memory of 308	540	Lpjdjmfp.exe	41
PID 540 wrote to memory of 308	540	Lpjdjmfp.exe	41
PID 540 wrote to memory of 308	540	Lpjdjmfp.exe	41
PID 540 wrote to memory of 308	540	Lpjdjmfp.exe	41
PID 308 wrote to memory of 1776	308	Mmneda32.exe	42
PID 308 wrote to memory of 1776	308	Mmneda32.exe	42
PID 308 wrote to memory of 1776	308	Mmneda32.exe	42
PID 308 wrote to memory of 1776	308	Mmneda32.exe	42
PID 1776 wrote to memory of 2208	1776	Meijhc32.exe	43
PID 1776 wrote to memory of 2208	1776	Meijhc32.exe	43
PID 1776 wrote to memory of 2208	1776	Meijhc32.exe	43
PID 1776 wrote to memory of 2208	1776	Meijhc32.exe	43

C:\Users\Admin\AppData\Local\Temp\f0886965890b320b291a2147b085bff4.exe
"C:\Users\Admin\AppData\Local\Temp\f0886965890b320b291a2147b085bff4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Kocbkk32.exe
  C:\Windows\system32\Kocbkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680

C:\Windows\SysWOW64\Kilfcpqm.exe
C:\Windows\system32\Kilfcpqm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\Kofopj32.exe
  C:\Windows\system32\Kofopj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Kebgia32.exe
    C:\Windows\system32\Kebgia32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2888

C:\Windows\SysWOW64\Kohkfj32.exe
C:\Windows\system32\Kohkfj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\Keednado.exe
  C:\Windows\system32\Keednado.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\Kaldcb32.exe
    C:\Windows\system32\Kaldcb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\Lanaiahq.exe
      C:\Windows\system32\Lanaiahq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396

C:\Windows\SysWOW64\Ngfflj32.exe
C:\Windows\system32\Ngfflj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2016
- C:\Windows\SysWOW64\Nlcnda32.exe
  C:\Windows\system32\Nlcnda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:884
- - C:\Windows\SysWOW64\Ngkogj32.exe
    C:\Windows\system32\Ngkogj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:2300
  - - C:\Windows\SysWOW64\Nlhgoqhh.exe
      C:\Windows\system32\Nlhgoqhh.exe
      4⤵
      Executes dropped EXE
      PID:1448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kebgia32.exe

Filesize
96KB

MD5
e21d1468d8e9336464ee35f9b1ef8789

SHA1
cc3cdade6a1c0ca091f8fef9b69ca6c3aaf94b9a

SHA256
506d7a1cf9bf4bf11b034f804e4d1ea6995c6d5fbb1e7ad310010d203fa4a60a

SHA512
0275f68b9160b7fd58d4a1c2124d4a03f4fc6d69357f7a37a3a79ce4d701926ab4bff15b99ec1acb1d256cae9d85f83f246f77b94cbd244b784e14fce370dc79

Download Submit
C:\Windows\SysWOW64\Kilfcpqm.exe

Filesize
96KB

MD5
784a1ffaf5891e10cfa5e89ba62bece3

SHA1
7b3ad8e487784480dd732a2a5b1d17f8091d90e6

SHA256
b19f502b1dd1e8c1ca2597a7a06c3163d2df5b2ed4ba75d15f8e2886f2b1d2be

SHA512
d8f7b71480ff85e7f4a9770cf3563530e97beedcf6a957db0d397ec3cbe276d82b8ea9047ac46cf2a4e97e4f94adffb5794bfa47cb3ef8c6dc96a436a05cb1b1

Download Submit
C:\Windows\SysWOW64\Kmfoak32.dll

Filesize
7KB

MD5
f1837de3f0ab4dff4f6fb2503adb4171

SHA1
4c655d043d8a0f2f7c2bf6b340396dd6c16e78a6

SHA256
674748e33279a85ec4bcb5d043f40cd6e95478c5871ea8ec5a4f73de58f0f851

SHA512
62cf04eb3d0914ccac4e31b3b4f4f17e4e5a47162a99342ca1889afd38895c53bae4d2cdc4cd5396ed4e57f1fafead3d4c7bd99fcb4a1d4b5e40d9b580de567f

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
64KB

MD5
33aa0196b917d67031969ed6412da117

SHA1
19e3f8e2c896a360c61fa1cb018a21ea7dd41b25

SHA256
81d6c4cb727cb5639db3230a5a2ea696eb9fbf01c1f281563cedc77636bdb747

SHA512
351a56d47b19eaa78c8c4a9a3ec42a22fef1f5c4206653704462ffa62156a7622586e22784d47977aa22bd1fe6da8863d3a62f5cb40a1d08807c0c23a180dfd1

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
96KB

MD5
9dc7c08684cd619755f9eda0108c8832

SHA1
20a885940f54632a4dd9da4316fdde6b4c769bd6

SHA256
01af75f9742a203c10847da98900426a6e427922f3721abf3b42fd79004f6a8b

SHA512
9d8487319d931ecdd661ce5366e0de93b6748c2d33b8ae17dbcb5e24442c7272aa91265ef729b4f53ff3ec1395c0505bb8317bae6bfeb709912f754dceee4313

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
96KB

MD5
9782d242911a86adaa0e4b16c63a91b5

SHA1
e8366de432f27883255b8033df6d55193969e419

SHA256
c4475023a887cc09b6e5bfc67069ec5426bbfdfd4370c8d929bbb329abb9c46a

SHA512
a5e61d1036ea209617ff519e666b133ea78c2a3d422ce7cd5ec7b342386b21cb2425940f487f4e7e98b418e0cee14e0cc1861a145cd3e23fdb665fc2e1769ebd

Download Submit
C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
96KB

MD5
75223f842d49dc6614498ee0263ae489

SHA1
033c3fdb1274331631d5474e5948352d0a74aea3

SHA256
9dc77f3ef1c29ed32cc1dcc11f8026da43ea9b9639c04f6589ead9fc3d3ac5cc

SHA512
7d1e909e5fc606e6f5f58118219b4f90316d3190d32f4a0c7fe0c46f71a0d0fb0c283ee2501f461b0d678fd82b81c630d1bb1f545d2cee1911e5d02e2855d020

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
96KB

MD5
5fc5b6429643417016e8e244d0f76f64

SHA1
06f093f384673c7035849402f6d6715900bb96ce

SHA256
32b10ad60d5bc4c471f92cd8525168337d0de6c251238b3133068856131ab75b

SHA512
021fcaea837ced0dd5a6efd4f803ba54efd78f08bf24eb374e929308acab8cd4a1121a5b2b455e55eb782c7d6b785e5ba907d6ef7666b93aa3e03466c606164b

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
96KB

MD5
abffd5110c8064e991148040b80b2ea9

SHA1
e62d62940a92d9b0f78547ba7c74e2dbc7cd16fb

SHA256
b273dad00aa164b6085fe894fc7df15337390004c6f1a994ea5aa9e96b01d50b

SHA512
82cd678d298ea804c5aa4cf344a555cfc6557fa6612eb6691b0d4e0a819ba6134e1074d8993a53fff897b205bdbd193d326a2acc9691e23a78213da6d06eff9c

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
96KB

MD5
8ca922fabdfdc79749d834fbb2f653a0

SHA1
96ce1db2047f0d62ad2e8aeecef37fb3d8feb25e

SHA256
a17f712cac6c5326dc7aedefd95cf03d45b6826028ceef25a12ce115565d8c52

SHA512
c79d550b5ca641aafb4a84f1fd268ea9ee9f980f686fa58d129933573c83faf0b72ec3743d954b64ac262761a6f372023fe7e8bf48ff5e4158fc8fe1f0bc670d

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
96KB

MD5
1162efe26c19af3086f8f454486b008d

SHA1
8e95cfce99721158cca4754068a333da4db520df

SHA256
400aea97fc6d8ad9c1db64f0a3390e2ed3fefa0674e1a9f3b38a3aec468a94f5

SHA512
e41c5694762519d1c33fc21ee33c3c4b5585c7714f0dcc4d718609e3b9120f105cb25adc76c462414961f996d0ad70dc91e0025e79839d6caac850d4dba91154

Download Submit
C:\Windows\SysWOW64\Mkhofjoj.exe

Filesize
96KB

MD5
b83558d502948e26371327b10e0fe345

SHA1
5166f7e753c61492e75a87643e9894166ffa4055

SHA256
c5cd43b7d9ac01745ba67e39e8f831f1c110bd20f3642f2ce2a00d689e27909d

SHA512
60341e63c7db58abeb7f75b0c50d03ce4dda56b79025119a72c1e5df91dad3815c6e9a7079f1377ddb2c1c2da7abd57df3363b10a93ebbc075dde4d46dfe940b

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
96KB

MD5
c0f167b01ec676b260c9ae82df26436d

SHA1
5e972d049c3a5406bc73b44b632e28e28dc832e2

SHA256
b66a926aea0dde32caa706e1ecedb0968e76a5a45159e490347ca3bfe7514d7e

SHA512
e304da7450e02e15657bee53f6b162b1f5d9c95e27423c37c8cd83aa8f08c4eb89503b15dfa0d7407631f82ded77da9d9dc008c29e9f50987dc30d875d2d3205

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
96KB

MD5
8a056af84741126f72fa57dd7986a7c4

SHA1
b33f05aaec46a18265d11a864286790c3b930f67

SHA256
e11d5dd33f8956a8ec35be4f66082b0dc768e2296118fca32b8f23d3bb747fde

SHA512
95caad0cb10a0fa798001a1a564580876dd0187f6431b3d7975c5d092bb75e08ff8e9f9d820be308197e5d60693f0038e3500c5f7dbd1e670e7a176249164ef5

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
96KB

MD5
c735529a4732ca91c06b053795aeba2d

SHA1
6e8ee817d284b6e25a4d46e1b3cbb23b8d38051f

SHA256
0ac0c6bb8ad49ddf672d2b169f1f6aeb44af9c28b130a2925d73f9ec28d573a7

SHA512
7f2b88d27d1c032df7a417ef50047e7387b7be3c3bbb288527cd483c226de11a405a1dbd0163719a91991944bb97bb01dd4eaf12e2ff2f06785c7a7bac2862a4

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
96KB

MD5
5a2dc70b6ecd5ed3ba0c0a8f5dfe5f28

SHA1
37919214c387458eb5da98c4a74d24fde16bc031

SHA256
5f5804cad5697614aedb86472488033ea120b88ddd0f342a908404095c429218

SHA512
9ce586c4cd5e7e1474e7801d214180696359196b714e88368f1fb9e9509ff948d7e719b72bcb05381b755eb31f78620c67b2825dc81b25a91cb312bfbb2c595c

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
96KB

MD5
513c57ce98bd2c78bbdafcc59781f93a

SHA1
c53e26bf91f8772a070c104f919457aa1870ffea

SHA256
c222e6abaad7371f62d77e5c1da9d7748f34085a36bb143508bf943cff3cd0fd

SHA512
39478767bdec276c6e5209a9b7362d7bdc674864781330c3633db1b6fccfa8251464d58d121d5466af68b20cbc8dcafb478ed67e3cb536626833fee7f88af710

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
96KB

MD5
a8268b27c11b180677ca75e0829685b7

SHA1
feee3471fa568666055f21134597be755ecd1452

SHA256
3f5e7db5fb55183640a90071561cb4921d03b07c8fcb7c712a56cd476e57048c

SHA512
16b1bc013a3c9ad22d8aeb7881a7d91aa8a9478ddb926d1d864b29ac125107760509cead2007d69d2174dd3dfd3bf6041fb1d0f23eb8e84fbaffe37ee758766a

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
96KB

MD5
c85289779b5d05035572083a2453c1e8

SHA1
162256854122da830a5312f8d18d7b77d99e4db9

SHA256
b3a8121f5a330d5eab7c0a363cc3e70c8b27cabb6864a71c4504f6e7df146649

SHA512
90c6217877691dfa94b2cecbf09ba6b870244ca703352d0d16d2ac0bc8036b04b7833dca683ac90bab8008e5645730548edc2b0dee3f008a90d44406acc9e4ef

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
96KB

MD5
908bf3365462389087b9d04e22868fa1

SHA1
efbc8448e80d92a109802ebd8295c8c79216862b

SHA256
a25e441ce4223e90ea5cb5e7dada04f971a987dde5db97f4118e7a37c372e323

SHA512
c9918e7ab6997ffbd8045035bebbbe03cdc9f02f40c002f740f59a46fce8f46d9f7fd114c364f9cf6b74bf925112763671efba6bc89d6f18a61073c9bc629e5e

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
96KB

MD5
e6945196f2b3fd30276ae074a39ae32c

SHA1
0be71a4a6df7174923df84e02b59f47bcc843240

SHA256
455b3155eb5f1d367af203f352eea97f1bb753b4122154067aaa1191e055b7f8

SHA512
8c4aa36fc234cfbb5766c226fe81a526c320672832a699f1549cd46cad8df5b559070edfc02d12ca5a220fbc369a00b4871e55e28ec6bb4b97f25be58b155e96

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
96KB

MD5
c38c81188097b06715a826c00df5c1f0

SHA1
4f324727c132827187935ee4b476119d9191683e

SHA256
0d2c1d560f98b6807462cd26d3cc9256f599219c2d4425dbc75981c11e0f542d

SHA512
84f9b59504fd0e953f69da555fb533b67acdb290373413e8332d9c47cd6b77681f15e66b1249030bff71c2571648675d07b203d3d5da0edcf1d7ef4e2712ceb2

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
96KB

MD5
73129aafc0fcc6cd354a540e0e62187d

SHA1
931e68fd2f84654d84bbaf6861e96bf8a6ac7a1d

SHA256
f5b5a3ae598185ef907468d406c0b914c8b0b2fcf791e88487bf9a819b7b937e

SHA512
1acb8126ac1aa773f981ab5118ce645a8d3958e894928d47721d6efcad5fd339ca0cbdf0bd26e691d2e96e9c35703732cd91949a9efd6a413e5656b7cc0e5560

Download Submit
\Windows\SysWOW64\Keednado.exe

Filesize
96KB

MD5
147f8a61bb476181c2e45b9cecbf33e9

SHA1
70f9fcfba2ec899de9a5045ddab5e182641d7fbe

SHA256
75283c9a07c6d9725a690e237696e392bda8732355ddc410be27759f7124f79c

SHA512
a7b6d120d692033aa81938110cff7692939ff79007795b8e00d22ed161d3cec0430dab343f4dc4c7e4f9c6ef5bea74fd5f1ef3cc089f79c701f682b9afab4e94

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
45KB

MD5
1895919524d8544fd9d3585c2351cb4f

SHA1
dfa44a7d964819e98d9f67da3dac0ba5cbfeacf0

SHA256
78dabcb1a627053eb81912e7b6478ddba8d4f54bec09a0de7fb2854b8604dda2

SHA512
62e8f1c4c76a0ae246ed37943a02373abc9bdf9a1c448c2244a7f5e8238704eba7742f17d6deca100c3be162f299bed61b0d47bbb97493475adc4af23efdd93b

Download Submit
\Windows\SysWOW64\Kocbkk32.exe

Filesize
31KB

MD5
dddadfd095f245084fbab8ea80280c43

SHA1
123f84078fbefad1fa76a303276e47b55ccd16c2

SHA256
10be82204f64b27f265996821c12b0061c8e86201c58a44322fd3198700831a8

SHA512
50ac1742d2ac22a6db8b39a90d4624f125027f9f979ba3f978690be38dbdf82f7d7a4371e8288bd7cc82e3f1a92545e6a716f99346e249e723e07555d6d0b86c

Download Submit
\Windows\SysWOW64\Kohkfj32.exe

Filesize
96KB

MD5
8ff91fd88aed90cab065c520fe17fd41

SHA1
1ca703016051b9577c7bbb38e74880fe00572889

SHA256
a4b15e5d02bd7a49eebb4a810c02967a902a218b13186d2dd0c7731618e56318

SHA512
f80faea9268806bcd90e62526087c2455be8abfd2d7aa3f068f6f16f45ff4a6f52542f15f7662e8f2dde24745b8a9fe8108845e6bc792f9932f67a882865006f

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
96KB

MD5
7c658ae066f929406799dac162ceef3f

SHA1
a4b96f7a8ea2377b106fe0194aeec45b23c2d349

SHA256
e1eb7e4d6e94e1b93ed339d4205894a7397703ffbc78034d8aa482606de1e360

SHA512
38e46f9c707db77575839b5e6d8ca2f56a1f9e2e7ccf4308771540ca12bfc558d32a80b74734a7c3b6c1494a8d7c7c4141cf9a6e192c0f08a82e02166f81e56b

Download Submit
\Windows\SysWOW64\Lpekon32.exe

Filesize
96KB

MD5
ef197837609a3ea5cdc72c89ff82fe2c

SHA1
f732e58a9f12e70ff2d9b6e74318a262c8665897

SHA256
9b6a5f45b76856d6dc18b7eb0939bd1a694c989bd71490e367a1b0a727103c47

SHA512
ed08d19129712befcbe89a3b04a680656595d2ed67ab9560ede6d18404524672867ef897ec4cb62f1e8fc360758f94082eb492ce15aa2a7b8daaf3142a4446d6

Download Submit
\Windows\SysWOW64\Lphhenhc.exe

Filesize
96KB

MD5
2861dd36cc11892060207185886b4e81

SHA1
0fa0ab6f94b7536d761d8d7bde81a9ebb7261791

SHA256
5da3c186bb4d2e27ad5b16f088677285c9aa1155377354a0cce1d08346d3eca6

SHA512
d3157614f5b153200fe0971b6a662fae4fc6abc8eda8c511af5affb280e335f95655492416d1dbaab93f515a4d2689761c890bc09a4710cb37414c61610b6b4b

Download Submit
\Windows\SysWOW64\Meijhc32.exe

Filesize
96KB

MD5
4d04c9552dc306dc54d5fc0c70100295

SHA1
b5a5e9c054c1db132a8876b2780fd67f1ebba33f

SHA256
a818f44135d64678a8b9241795e2356e9c0d6db6519d1a899765b4913c94af0a

SHA512
a723939b9d116f20affe44013b545e5db57caf4c16a94c8b150f752e3ea365379445e71448e97c6e87f84680f8341d95e5e4cc214e19268395994c304684ee31

Download Submit
\Windows\SysWOW64\Mmneda32.exe

Filesize
96KB

MD5
acc50db7eeda4edf42b479567a87ccc5

SHA1
744f8c3b098da1277527657abb57d5130c626fa1

SHA256
24803eaeef078ae58258950b764890d54bcaafe7f691ac2f7d71e53086c5b1d8

SHA512
9c424879dfa2e9431d23fd6b69832cbb552c543fcfbb286672ccc5645736de716b599c09ac87aa4005e853d9ec8d53d0f3668d4d3ad6ad1d3f4fbcbc65de2678

Download Submit
memory/540-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-183-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/880-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-300-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/880-340-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/884-321-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/884-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-330-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/956-334-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/956-251-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/956-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-155-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1036-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-161-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1120-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-273-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1120-264-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1252-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-92-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1396-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1396-305-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1396-341-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1400-289-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1400-337-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1400-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-274-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/1772-276-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/1776-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-338-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1840-339-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1924-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-312-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2016-342-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2040-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-13-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2088-6-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2208-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-331-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2300-332-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2300-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-242-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2440-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-233-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2644-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-74-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2644-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-21-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2680-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-48-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2720-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-120-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2892-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-35-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2996-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads