de3475523facfa8617cd172c8d6b2502735e0b2608e93460f1bc6b2842daf10b

Analysis

max time kernel
0s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f39986b56901bace050765e12755744c.exe
Size

99KB
MD5

f39986b56901bace050765e12755744c
SHA1

d227edf88f6fec0df59de1fe33a161ec476e8d3f
SHA256

de3475523facfa8617cd172c8d6b2502735e0b2608e93460f1bc6b2842daf10b
SHA512

c02174b4e08a30bdfea45636e1305be2f7478d5a6c8ec17198ac524bbd7b1ee31148b1755817772332efc9470fed4cab20be6a9ba4349d2b5a71d55ea620b653
SSDEEP

3072:7e3AeJpj3pbweF25PGeyfLpwoTRBmDRGGurhUI:79YjSdxm7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f39986b56901bace050765e12755744c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f39986b56901bace050765e12755744c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe

Executes dropped EXE 11 IoCs

pid	Process
2988	Ldohebqh.exe
4492	Lgneampk.exe
3408	Lilanioo.exe
1684	Laciofpa.exe
1704	Lpfijcfl.exe
3936	Lcdegnep.exe
1028	Lklnhlfb.exe
2732	Lnjjdgee.exe
4972	Lphfpbdi.exe
3944	Lcgblncm.exe
4208	Lknjmkdo.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	f39986b56901bace050765e12755744c.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	f39986b56901bace050765e12755744c.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	f39986b56901bace050765e12755744c.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	4988	WerFault.exe	21

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f39986b56901bace050765e12755744c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	f39986b56901bace050765e12755744c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f39986b56901bace050765e12755744c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f39986b56901bace050765e12755744c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f39986b56901bace050765e12755744c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f39986b56901bace050765e12755744c.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2988	1132	f39986b56901bace050765e12755744c.exe	60
PID 1132 wrote to memory of 2988	1132	f39986b56901bace050765e12755744c.exe	60
PID 1132 wrote to memory of 2988	1132	f39986b56901bace050765e12755744c.exe	60
PID 2988 wrote to memory of 4492	2988	Ldohebqh.exe	59
PID 2988 wrote to memory of 4492	2988	Ldohebqh.exe	59
PID 2988 wrote to memory of 4492	2988	Ldohebqh.exe	59
PID 4492 wrote to memory of 3408	4492	Lgneampk.exe	58
PID 4492 wrote to memory of 3408	4492	Lgneampk.exe	58
PID 4492 wrote to memory of 3408	4492	Lgneampk.exe	58
PID 3408 wrote to memory of 1684	3408	Lilanioo.exe	57
PID 3408 wrote to memory of 1684	3408	Lilanioo.exe	57
PID 3408 wrote to memory of 1684	3408	Lilanioo.exe	57
PID 1684 wrote to memory of 1704	1684	Laciofpa.exe	56
PID 1684 wrote to memory of 1704	1684	Laciofpa.exe	56
PID 1684 wrote to memory of 1704	1684	Laciofpa.exe	56
PID 1704 wrote to memory of 3936	1704	Lpfijcfl.exe	55
PID 1704 wrote to memory of 3936	1704	Lpfijcfl.exe	55
PID 1704 wrote to memory of 3936	1704	Lpfijcfl.exe	55
PID 3936 wrote to memory of 1028	3936	Lcdegnep.exe	54
PID 3936 wrote to memory of 1028	3936	Lcdegnep.exe	54
PID 3936 wrote to memory of 1028	3936	Lcdegnep.exe	54
PID 1028 wrote to memory of 2732	1028	Lklnhlfb.exe	53
PID 1028 wrote to memory of 2732	1028	Lklnhlfb.exe	53
PID 1028 wrote to memory of 2732	1028	Lklnhlfb.exe	53
PID 2732 wrote to memory of 4972	2732	Lnjjdgee.exe	52
PID 2732 wrote to memory of 4972	2732	Lnjjdgee.exe	52
PID 2732 wrote to memory of 4972	2732	Lnjjdgee.exe	52
PID 4972 wrote to memory of 3944	4972	Lphfpbdi.exe	51
PID 4972 wrote to memory of 3944	4972	Lphfpbdi.exe	51
PID 4972 wrote to memory of 3944	4972	Lphfpbdi.exe	51
PID 3944 wrote to memory of 4208	3944	Lcgblncm.exe	13
PID 3944 wrote to memory of 4208	3944	Lcgblncm.exe	13
PID 3944 wrote to memory of 4208	3944	Lcgblncm.exe	13

C:\Users\Admin\AppData\Local\Temp\f39986b56901bace050765e12755744c.exe
"C:\Users\Admin\AppData\Local\Temp\f39986b56901bace050765e12755744c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\Ldohebqh.exe
  C:\Windows\system32\Ldohebqh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2988

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
- Executes dropped EXE
PID:4208
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  PID:544

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
PID:1848
- C:\Windows\SysWOW64\Mkgmcjld.exe
  C:\Windows\system32\Mkgmcjld.exe
  2⤵
  PID:4424

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
PID:3056
- C:\Windows\SysWOW64\Nkncdifl.exe
  C:\Windows\system32\Nkncdifl.exe
  2⤵
  PID:1380

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:3396
- C:\Windows\SysWOW64\Nnolfdcn.exe
  C:\Windows\system32\Nnolfdcn.exe
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 412
      4⤵
      Program crash
      PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4988 -ip 4988
1⤵
PID:3220

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:1920

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
PID:4156

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
PID:2420

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
PID:4280

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:1248

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
PID:2536

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
PID:3464

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:464

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
PID:2016

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:1700

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
PID:5104

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
PID:2636

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
PID:1528

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
PID:2192

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:3596

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
PID:2488

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
PID:3536

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:4296

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:2572

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:856

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
PID:976

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
PID:1444

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
1⤵
PID:3856

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
99KB

MD5
1a6a5a0e8817bfd72578cade25c511d0

SHA1
f5468280cd3b5cab9cb0c821177812bb50ba10dc

SHA256
3f6021d7f9df073dc50494b8bfef8411c444d2fdf53e8ff57db9cc672f803980

SHA512
41def83d82e607d31e51b70d12e0e02c24cec04304218c6fcf47c8dd3409d5f1c42b44c497a60aa9e477426a16b81c5a704c1b721d5de7af08cd3f7b06b32761

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
99KB

MD5
6d9c7223acf64b64acc3e249030440ed

SHA1
3a1f93d7efa9ec1cdd59db17bdc9d629d7e96066

SHA256
28b24ef469c3eb0690be59936e30d8d537e411279b292d447d6cf6c895b67cfd

SHA512
a88577b1d60c535314617e2e4a6535cc49597a640a36c6044951c891daea2101ab58d410462e93de26f497034792e9f8df780155772315e7c5cd9dd3da6fbe57

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
99KB

MD5
5468259a8ff8a1c28d112877f29e5d6a

SHA1
639c10db94b8943a66899fcee2c8286b00cb64c8

SHA256
be7b5658867844e79e51281035349e0491945acfbcee5c5f40e1f010f707e2cb

SHA512
8999a74a0ba539b7cb50edf4fdbec78e743e36ebe608f9fd7f9d2485eca0a483bc60a52b9f7782fac81d2f4809f199c577a4ca666b4069e103ec89c3f89aa662

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
25KB

MD5
3bf4628e55790500170e6cc00d108de7

SHA1
79e46e7fada779e415ba6ac75fdfc8b59e2aab8a

SHA256
83ba0c6f5b4b22d874428a1be16f273e327702cfb3e9ad256c89ef9963ef6268

SHA512
4aae55438ffc7f86df7b61f853a3e1af749a6ec63f7cf71a46016ec4199d5048b55c1ca57d56a7335391a5c03bfff22ffe53a0550887450eeead18e97a755619

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
99KB

MD5
ba07529c514417ce2ffd4fea790176eb

SHA1
60ec668ddaaa3a753056c9e9efc26d93e1bdcbac

SHA256
c3c4f7e40da18ea1c312359ec65b326b2229368b9f52e076845ffbf69119da61

SHA512
2269bed11259da9c007c45f2ff19ed6b0ecee46524e70c107083ac05bc373a54a4bd3b7d609244f5c2d892ae7a7bb2ea054a01dd191467652a148733eb1a2c03

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
99KB

MD5
663326b75264a7e918abf892fb4a9384

SHA1
1d0eb37529d70955f96c042703ef1c27ef4dce69

SHA256
1805b4402a93efba7044ff267a67be2ae56675edb79015527d0dad71053b4e6a

SHA512
5980996dc4b94c972d2212aca6b2c68b696fdbcca2f8870a8367ec2f59844f640002805db96fca7d01b2f429eda5610f0f638b008c76a7d1aad68494717ac4c0

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
99KB

MD5
f5bde539ac1a684fee1965f802cb3830

SHA1
138db494733c7769b4b859571e54ffeea9badef3

SHA256
bf46369b751ced670cdf1cb2709e29281a2e5dcd1ccfa3aad9fba114a04ad6c0

SHA512
01d6289512b5aad409b4e4ca53d51c4aa9496a543766afe8557587127d186575e27a90766a996c5b15f7de02eb71e173ab254b994e502fdce569e811e1a4575f

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
99KB

MD5
0551bcc9465a4ada51ea8656d6e60ff6

SHA1
4ee4e88211af8b0c148e856062b0a278e5200484

SHA256
8ccd9a70dc95418f1396a2fcb19cf49610f45eaffdaf0b3162c8d8f97d7d80cb

SHA512
88b483dab5746f974a669b7dd70c314a60c86339cf107a87c5c531fde886fc0c6f4dc6990fdd641a8d0f750fdc0baebc57e2c8740d28f7a87bc16fe92fc5c815

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
99KB

MD5
a9aec2b4ccf302fae399929ee20b34a8

SHA1
2dfa7028472b61663d1f0c8f493a68b7f85951fc

SHA256
5a3a7d5c133f1bf3c8f8b4ef41dd90827df4041907ce9388acb7aa77910f59b5

SHA512
a83519dea5ec9e7c4ffdbd741134c7bb6a6fb0978e4c4601d2d7053ac809998d74e5dd6198d7f51617df392eec654e06b6e1cb3c6992a703c06089f8b1015f21

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
99KB

MD5
51d4b7bb818fa575671b285a7a768555

SHA1
491fd2496e1dc376a70a05fb43c63a5013731c89

SHA256
65e3831657c912dc58bbfe1767560b4c4585303af86bfa87604e5e7b88ebf3ef

SHA512
5ac91ea1e94abb7812f74f2110e945135dfe1c1df70240a75007d1de0b0fcc56a46b5aa4293d0275be122c533cdb76caaf4294d776059d25c021091fa6b2dfa7

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
99KB

MD5
4a54f446c80e976771adbd1586c2a4d7

SHA1
7ced3d347ac1b3772e0c12b2316e415b04250c68

SHA256
1ce9fa879d92e10c25640c97a6b69a444386b3f632329f8b83e7bb31d1391183

SHA512
da53f2508bec85e2c580a55bce84e219c18e3e1d65b5377785a6ed762164128c6b5dcebb2499d4f3d6a1d4dd852a4c83c700a41df45e1199feb3f1ca60e934b2

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
99KB

MD5
1050aef3ad74543c71c5c0b0fb2a336a

SHA1
2e24e5f0eb4813a5f79d75b9f7342db30bce583e

SHA256
21c935ea820f9e9dc2298b1a8cb7d61c5f665acec623f71521cd0d8c3019a19e

SHA512
e02f70e136c79fb917532f85399528ef001446863d6e767832ccfb45b90bb2f176e8761b0f0c7b1da38c33ae6b86b4141b6b6232468c7b83ce551c5998fbf747

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
99KB

MD5
efe266a2b02b39c38a82288582b57d22

SHA1
1848182ca058f02d651a19281bd9913a02e64e09

SHA256
0b759644dabc69a03ce58e080450fef7167a778bb8b916808785ef1afaba22d8

SHA512
2c126ed40417d46a6e7736489426c12812a7b19de0fa371941dbcf2d140648e2986c6cd5d5ff1554f09b222a3a20bccc33c44fa43d4f2bc8d7949417cb4507e2

Download Submit
C:\Windows\SysWOW64\Mbaohn32.dll

Filesize
7KB

MD5
41493a2d5a7147e762b02d50f29175a8

SHA1
66b8dc5e50f8e1981e7f71824564b6d0c03bb232

SHA256
927252ca59c18b1f4b3313f6fc350b208a6e7cc098915d503c6ac8690e55213c

SHA512
49ec7239cc74aee1efa263c5fdb6d4bc592a8d526d04f0953b7470b5a675b7dba13a82b07db552c69cde813b659216690e1782ddee97273cd2c577fb4f7d1aa0

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
99KB

MD5
cf7ad7b598dd246e6668187c311bb508

SHA1
9b60712dd515f1189a9b8c33f43d82b919a9c304

SHA256
c2ea9d1be8a6be3f8d69585d6b8849d5d69d80b50ec8ad54199a75cadf4b145b

SHA512
9dccbdc12b4603e7e3447b2a04cc96fe2aaf6fa651f6186acef23b864c4921ee21949ea396bee3747b29450f238a68dcde1b9fd8bc16ca4057963b0ce2fa51f6

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
99KB

MD5
e3476bae788880197e96a5bed8cc1c27

SHA1
9de3b88b2f886a82369ff073a560c95cddc8594f

SHA256
ffbfa572a39fec61b60e3d8b3c701fa67dcc2ccfe1aab0435f062d5780ab42b7

SHA512
72c081a3611cd1ad8e7dee16e26ba9575a8203c573b40ff32c4ff0e25b40800b2f742d1f0ecb2943f99c909266c01505f03791cf89e93bdb54c849341f574916

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
99KB

MD5
f864792b35b7534dc9b0429a5bb6e8c8

SHA1
e377888a70f251506e182ef2e0ebb7a63619226b

SHA256
6dcb57aabc7a805b494c302a885dc4eb56414c8b5a381db363d642aa77ffa0d5

SHA512
ecd3e586bb603c252701ed02198245a39d3f6ff0b6cd6987b183e41f48e9c9c041ec1ac688f6bae7d21539cb8f1c27f4fa7707daeeb88af99b50ffc13791f70a

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
99KB

MD5
29fe8a07d9af7c7c9de725999e1fd485

SHA1
3d7c493ffb8e98dc226881306e00bffefa3db0ea

SHA256
35bc77c468bc8040be71c9f385a66eba209f7118b68e826a686d5f90ba62dfbc

SHA512
e1e81b8f919d3d4448f339e245c50c2509404abf05acbafebad93902d0989ea1420d85347fe3ea2beba117248d43e9efb09e012af8051f6ba932f8d6029a8d72

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
99KB

MD5
9ad651fb5431ef9f9c177cfaf65e4cf1

SHA1
e49bd7039cea15fd28ab5f697b213091aa109221

SHA256
0310acf7198f4dec8284986235c95bb55d75208dc7b4b96e35afbc482bad1633

SHA512
72662a778dbdfc8227178d77daa223c23a5a848a24a2dbd0842e68f6aee2fa3d315bd5c9350f2c1ea82892ca787ecbabf2ccb5d2d196b1f74314715f3e4934d3

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
99KB

MD5
e03756ad1114d93201ac947b9316e5a8

SHA1
cc06dbec9157b5d657551add3cfe823c31b31c9b

SHA256
b813430ba5594677ba8c4f1a867c19359f8f8f718f163033b5a6820c3c3dc8c0

SHA512
1d0eacbb440c4efeed2604029d23ebcf95b429c45268edf5575cc4a88eddaa736a09ec9c05e5e2cc354c2455d1b0b3c42ed47c3032d95040f4e104ca7613848d

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
99KB

MD5
770cbbda6808b04ec7f1296152e5786f

SHA1
578f3f01994b5803705ff4b0818797998d6492f0

SHA256
73f8f098ed8354943a73ecbf1bb6b310a36a4c39a81667de61df7de215cfc132

SHA512
0d7ffe6db31b5e2c130cfd755dddab9ceeb2f67cc2133b5803dcc9dd9ec0a27d33b525527745b831f82ce5ff3bef66f24dcbc2504e71a067a00340b7e3c75add

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
99KB

MD5
fb3ad763e82cc8075f78bf465754070b

SHA1
b15f5701ba304fe4a22f746c4814a4099ce4c64a

SHA256
44da9a59cadb678704a64798a335c30a0cf653b2fcaa5a2849c1d44e090f4b15

SHA512
af0394e422616a03f3b01b28395974770aa7b7214a5abd8a03c14041ae61624ed40bcdb54133337b426dd6be44ef1c98f6fac368ead9b14fc685d1d54440f813

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
99KB

MD5
29d60419630248491278f67456921f33

SHA1
0b32768d8ef152e606ad4748f1a9f4b58fc59c74

SHA256
93e2449742fe91d630913d6b86e971932d0f94a176884a7c2dd4cb3520bee356

SHA512
86ec1be85fe9b88c0ed5a3c96938004f6fcb687ee98b3f411cdf92d388c13db020911173ee60cb5d395f161ea8a56799ac318c1f481d2505657e101dacc555e5

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
99KB

MD5
d8bcce9b08be7e26bb05e475985c5cd8

SHA1
a8483738ecdd0961b64005281ba337a7522dcef9

SHA256
d3dcad70559b2610ed2c4a1c41e1141184366ef9b0d0e15ece80ec3d90c4ce6d

SHA512
84be7fdea5207eaad08e290c01597f0ab2a97e611dd12430d38d72544a40b558caaeb4d6df72ce161157eb07b16dc4f92d24517a045d1cdccb30a731fd31d3b2

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
99KB

MD5
860164dbec3ca1e693aa9b0364a25e69

SHA1
ee3557589f34cf9fa878a19e1f8b3464d0d173b1

SHA256
dcc3a0cc9038593a8317fbc9f76ae604cd2f3403507981c2267f66e049a21602

SHA512
4814bfa30041c4daa3e4222c857ecc827988c81c72164622df5d5bca007a967e11f6c3da21a20c1123ff916aad16f9fe03a626ad343893116071b6c981cce5ea

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
99KB

MD5
c25aa5a7ac5db8ae51ab055b0ffa7dd3

SHA1
e5af4f499c2a4563474ca8e2026a5180ae0a5386

SHA256
0a22f9696817211fbc30ac84fcbaf233235a58247ade11f54546f19d6c62dbef

SHA512
5f636bd29a5e883c4c7678083bd927416ab27a440e530bdfa91c4808533f9565d96ae5a8328a0047f54ac6f8a81788186601fb8230990149271a4bb8252f76b3

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
99KB

MD5
ee9fbfcf04df2cb8ff2a1f3d2ffea216

SHA1
7fd34be6905cc8bbfe43341b5b1a2e43a3ed8496

SHA256
4fd86ef1fea91160aac45d0515a4f5d67813fe85137fcab1e6089c8f49e9bb4b

SHA512
4f804708d22ca8eb9b09d6f148005568652d940256f2d935c1504189685515594c4c3e3a3ea606b469e5912164fd281dc7d499be8d3422445ef54cd60b33d63e

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
99KB

MD5
05b760248412187f7c811729fcd72131

SHA1
f784dfd44ce6a4d976a0718b2fc74338160de361

SHA256
bf1605e9b4ee980ddf06c75549bd95f48a654a34611557c5161180aaa8c89648

SHA512
ea65447a6a543af0f87eb913872dea1586b128b79fd358972d9463e0a29fed26788485abd8fcaf03bd7a571eab0f664abcd47b86b899348f54418c57ed92d0c1

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
99KB

MD5
5d40b017096a19295f21ca3a7c9aa026

SHA1
2c7e52b1a60b5161f497f3436778d79a61f46b1f

SHA256
6c69fc2c2e327165417c615b59b640430d7842fadaab8b943c4209c73bc31f55

SHA512
1110d4e06c72183834964b83496aa3ae1bc0da407901ad6ee33a4ebb677e512ced01c82bf1a1cf7f53ef985fb210e60946f3876fa2c9a2a1d59df451fb34392f

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
99KB

MD5
4b90ec7c495bd387c35d3d188a35ccc1

SHA1
0ce595f9453d510c6d9c965434d304e8ac3791d9

SHA256
6431746ae6dd0c651e58a6c702e2b87bb1915ccf9b41036dede8b7f66a1205a2

SHA512
02f0f8e5f4ba6824a51e43b104fc0ec4dc40273e8292eafdb769f049ea220969f361776a3c3b2f3c176bbee60085e18105ea163a51f5d5a6feae945690173ebc

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
99KB

MD5
571a025b12c4112a28b4ac271d185f3a

SHA1
29022c5906a999578032d4a75aa6857e8341beaa

SHA256
9f9976349876c7856443c3c2bd3f417fcb74b156a6ada777bf43919687681224

SHA512
3b1d9369a73ff7296df4ee22416fba56345cb56bde5f909b69b464b7ed3112fc1a3abc98a8334b4a8bd1342a2b28b21912a0e50038a401667138ac61d9f59ed0

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
99KB

MD5
e1d704d8a87bc16e90c0b65ca2683c6b

SHA1
7fbde3fdf16db0de53614488ffd3c31ef2fc8b05

SHA256
9b3f6dc55747b23d98ddcd26788a935912b387f684884dda079e9d476b969549

SHA512
6fd0c21eb5f93597c748a8f1250828a32a46f2000b78afc7bc402780e724fc9db650ebfee904d342848ff1d2452e16941c6566037903050601198d757a988d8d

Download Submit
memory/464-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-190-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3856-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4156-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads