4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Size

390KB
MD5

5c083ed5f43b7be19a9875dd844a3c80
SHA1

e959dee575c9b1b58b0a19bf648c7fd003dfc071
SHA256

4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff
SHA512

c6079e5ee1a490c252b52d0bbbefb963f30c2124d90db9dcf9bab3a449bfa99fc3a81eb372b565245af6d3b4f89c7f072310e632542eb27ac68bd5cc1589b372
SSDEEP

3072:DVrmkSr7A6p6+bWQALHLQGAZzasJR/X4a+SFkVsYtTHTMT5NeVWmjjGF:DVykKp6CbArLAZ26RQSFSTHAjhV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe

Executes dropped EXE 28 IoCs

pid	Process
1540	Kinemkko.exe
4368	Kgbefoji.exe
4884	Kcifkp32.exe
1684	Kibnhjgj.exe
540	Kkbkamnl.exe
4172	Lcmofolg.exe
3036	Laopdgcg.exe
1092	Lgkhlnbn.exe
4808	Lcbiao32.exe
3024	Lnhmng32.exe
4716	Lklnhlfb.exe
2508	Lphfpbdi.exe
464	Mpkbebbf.exe
3596	Mkpgck32.exe
2228	Mnocof32.exe
1280	Mkbchk32.exe
208	Mcnhmm32.exe
3660	Mncmjfmk.exe
516	Mcpebmkb.exe
1996	Mpdelajl.exe
1624	Nkjjij32.exe
2032	Nqfbaq32.exe
2472	Nklfoi32.exe
3700	Ncgkcl32.exe
3368	Nqklmpdd.exe
2888	Ngedij32.exe
548	Njcpee32.exe
3712	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	3712	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1540	1984	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe	81
PID 1984 wrote to memory of 1540	1984	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe	81
PID 1984 wrote to memory of 1540	1984	4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe	81
PID 1540 wrote to memory of 4368	1540	Kinemkko.exe	82
PID 1540 wrote to memory of 4368	1540	Kinemkko.exe	82
PID 1540 wrote to memory of 4368	1540	Kinemkko.exe	82
PID 4368 wrote to memory of 4884	4368	Kgbefoji.exe	83
PID 4368 wrote to memory of 4884	4368	Kgbefoji.exe	83
PID 4368 wrote to memory of 4884	4368	Kgbefoji.exe	83
PID 4884 wrote to memory of 1684	4884	Kcifkp32.exe	84
PID 4884 wrote to memory of 1684	4884	Kcifkp32.exe	84
PID 4884 wrote to memory of 1684	4884	Kcifkp32.exe	84
PID 1684 wrote to memory of 540	1684	Kibnhjgj.exe	86
PID 1684 wrote to memory of 540	1684	Kibnhjgj.exe	86
PID 1684 wrote to memory of 540	1684	Kibnhjgj.exe	86
PID 540 wrote to memory of 4172	540	Kkbkamnl.exe	88
PID 540 wrote to memory of 4172	540	Kkbkamnl.exe	88
PID 540 wrote to memory of 4172	540	Kkbkamnl.exe	88
PID 4172 wrote to memory of 3036	4172	Lcmofolg.exe	89
PID 4172 wrote to memory of 3036	4172	Lcmofolg.exe	89
PID 4172 wrote to memory of 3036	4172	Lcmofolg.exe	89
PID 3036 wrote to memory of 1092	3036	Laopdgcg.exe	90
PID 3036 wrote to memory of 1092	3036	Laopdgcg.exe	90
PID 3036 wrote to memory of 1092	3036	Laopdgcg.exe	90
PID 1092 wrote to memory of 4808	1092	Lgkhlnbn.exe	91
PID 1092 wrote to memory of 4808	1092	Lgkhlnbn.exe	91
PID 1092 wrote to memory of 4808	1092	Lgkhlnbn.exe	91
PID 4808 wrote to memory of 3024	4808	Lcbiao32.exe	93
PID 4808 wrote to memory of 3024	4808	Lcbiao32.exe	93
PID 4808 wrote to memory of 3024	4808	Lcbiao32.exe	93
PID 3024 wrote to memory of 4716	3024	Lnhmng32.exe	94
PID 3024 wrote to memory of 4716	3024	Lnhmng32.exe	94
PID 3024 wrote to memory of 4716	3024	Lnhmng32.exe	94
PID 4716 wrote to memory of 2508	4716	Lklnhlfb.exe	95
PID 4716 wrote to memory of 2508	4716	Lklnhlfb.exe	95
PID 4716 wrote to memory of 2508	4716	Lklnhlfb.exe	95
PID 2508 wrote to memory of 464	2508	Lphfpbdi.exe	96
PID 2508 wrote to memory of 464	2508	Lphfpbdi.exe	96
PID 2508 wrote to memory of 464	2508	Lphfpbdi.exe	96
PID 464 wrote to memory of 3596	464	Mpkbebbf.exe	97
PID 464 wrote to memory of 3596	464	Mpkbebbf.exe	97
PID 464 wrote to memory of 3596	464	Mpkbebbf.exe	97
PID 3596 wrote to memory of 2228	3596	Mkpgck32.exe	98
PID 3596 wrote to memory of 2228	3596	Mkpgck32.exe	98
PID 3596 wrote to memory of 2228	3596	Mkpgck32.exe	98
PID 2228 wrote to memory of 1280	2228	Mnocof32.exe	99
PID 2228 wrote to memory of 1280	2228	Mnocof32.exe	99
PID 2228 wrote to memory of 1280	2228	Mnocof32.exe	99
PID 1280 wrote to memory of 208	1280	Mkbchk32.exe	100
PID 1280 wrote to memory of 208	1280	Mkbchk32.exe	100
PID 1280 wrote to memory of 208	1280	Mkbchk32.exe	100
PID 208 wrote to memory of 3660	208	Mcnhmm32.exe	101
PID 208 wrote to memory of 3660	208	Mcnhmm32.exe	101
PID 208 wrote to memory of 3660	208	Mcnhmm32.exe	101
PID 3660 wrote to memory of 516	3660	Mncmjfmk.exe	102
PID 3660 wrote to memory of 516	3660	Mncmjfmk.exe	102
PID 3660 wrote to memory of 516	3660	Mncmjfmk.exe	102
PID 516 wrote to memory of 1996	516	Mcpebmkb.exe	103
PID 516 wrote to memory of 1996	516	Mcpebmkb.exe	103
PID 516 wrote to memory of 1996	516	Mcpebmkb.exe	103
PID 1996 wrote to memory of 1624	1996	Mpdelajl.exe	104
PID 1996 wrote to memory of 1624	1996	Mpdelajl.exe	104
PID 1996 wrote to memory of 1624	1996	Mpdelajl.exe	104
PID 1624 wrote to memory of 2032	1624	Nkjjij32.exe	105

C:\Users\Admin\AppData\Local\Temp\4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe
"C:\Users\Admin\AppData\Local\Temp\4f3f0f9680349844c44e8cb0500a93ec1f520152bb3555ac94be17658b8ebbff.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Kgbefoji.exe
    C:\Windows\system32\Kgbefoji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        29⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 400
        30⤵
        Program crash
        
        PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
1⤵
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
390KB

MD5
334f45089d9eeb15ff32f419bf39bfa0

SHA1
7757e23e293d42fe6af9d2c3e56382a335a996fc

SHA256
dd83b8f634bf8b6a875357b34e920578cbf84cf06aadd19a929d48c13df5fc6d

SHA512
ac0e66c7802e65b2056c9caac1055812d5cec631d542cc464eab1a46758360d75c5b3a2b5ccd9ccea1c1769c4f25017330a51be5b1c6ce97431a125cf9fe4b74

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
390KB

MD5
0a303ded51ebc08dd3a042982c1d6f72

SHA1
3e6e69685079da5a938658f454e6414624f76c4f

SHA256
3f92c5f1dddb8487742742ec2cb2a76eae1e364d0922c65c44ecac92711ad10b

SHA512
938bb43eb381c97238c083d7cf7c13ccbb9ac332f3155b7b6918b28d52e93e423106931cccb8cd3dec039b13ffd0026396fa9fc967986d704d0e9a71012804eb

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
390KB

MD5
ec592f05abc80c67b38d8ba5c177c33f

SHA1
59f45ffaae377ed64f48100c3bd41137a0c82337

SHA256
01d4dea16ad49efcf8d7e891372b759d7d275d9de30964c7e02080f60a3f4697

SHA512
8cd6a8cb5afc89c310e85f6ae8407a8bce01a233403df56fa1ab1f0cff408ca604596185cc6e22803051316e4e0eeffe4ab70244d3f8296158709a8739469741

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
390KB

MD5
5399065c41fe29c1f1f99c25246cbf96

SHA1
b305f0d30ef16dd40ded4bd8f8878746318295fe

SHA256
6ee0cf688a9559e0a38ccaecf87350e7bb6de04302b815e3d63ebea8adfeae1d

SHA512
54d8b2b1cbe4886e00fee54f9d17c4128c9597dbc8bff8267dbb7aa0f706a7f2a73b9f4fe4542510afc3190cabe24564004d167714b3a5173669e537706cfde8

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
390KB

MD5
3a5b2db3359166924cd82f6327d374b0

SHA1
6de1c676bb24d9c35186e824e969df75f7768bf7

SHA256
4de45b759513a2e22ced9dd88b2d0754d27905b89753e5c850adae8eec579cf2

SHA512
d756bdffe5279c92d6ba7f3d3f5c460b21e60c9635020d9ac1389d165bc3c3e3bec6f06ea78891a5d1cad3b205a51ce6301ce68e3e9afb6024bacda4a30263bd

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
390KB

MD5
138a592344dde0a8433d6ed3725c1b05

SHA1
dd12504d9749c37e2350e532f6e78bc2f460d6e5

SHA256
e10c5f239f54fe160cbc16c9ed0f3737a174bbf05779123b27e1602f0e171644

SHA512
5dd7bb4d49db49fde233dd49c77d5a57b81b1d87178947a73c5c165a2719c4e2f1297a7b967e3c0a6171f5fde5fa535e71f3f2d4f45180a71ad9a50509b40887

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
390KB

MD5
bc4d71ea15d600d1e39b3e9daa22d042

SHA1
c6297218ecf58719329e874f4c116d3f59e9f834

SHA256
d21b860f91a960d98c9ab770323f098ed21fd16646f54d826cd56df8ae6967dc

SHA512
c303802bc18285e1bbaf0b4a5001774c829b84f4f100e8e565498db875c62eb8da50961f0e7b202e7e65974bdb00863c1b83caf00871e302d9ab7a53ea482f11

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
390KB

MD5
21c89fd019e7b7fa2ecf558b6ddc6b1a

SHA1
6a7fdf0a18fac98c4eba96de21229a98be808de1

SHA256
2a2bb792843f7411db0209a79fa2af85ddcae42cc00d60891db6736a89edd8ff

SHA512
01b51f72d429d5fe077a47934cc4be1a72a98d4f5e5996a8f7524d0c073017edede0910492987801f45d5c6e551baed5f7b063e3f55ae9144437d0f08dfdb331

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
390KB

MD5
1f78e0caed4287950577b007aad1713c

SHA1
b8bdb7132dc15f3318201ddb5c27e343c8fcb9c2

SHA256
647baf3a71b3c9fdffb31c98e74de366832d884062e6281b51d0462394cc4902

SHA512
6b9a24925ddedb9b3a346c0ad75448f2b66816019295cdc9260d8043c07b8906872885ce1c894ab088b2335a72bcc680276a33d5c539a6b5ff3fec2185e2277b

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
390KB

MD5
bd74d58b24ec99477a168d0fa8c7062c

SHA1
ff9cbf52c626d9a3a8ef74a08f4186780a19d549

SHA256
ba46795d5d1c0d1f5ebaf7db1b3ea42b644ac0708cd9771ed6b72cda623d36f9

SHA512
bd94199c2861d270c14090867cc5f8bf9fed93a58bc4da11c7526df3d7b837aad036ab3568664451757d2af0bd085c08b85148d55bdfca0b9360ba6726372afd

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
390KB

MD5
2530dca14c7919cf2a909fbebf50648a

SHA1
668504fa486ce70e887e08b20de295f8b6a01f83

SHA256
019dc6b2d9bbb8651e733967aba8b0fc8890e8fd3d256e1e534b00e80dcafe1f

SHA512
ca6045626a85b01b66f56882b07c9aa3be8b4334de84ca5d4f118ff99a0b7e44ad2cf07b3df07dc5e5a3ccdf215a526c395ebc42e35e4f10819cb110a1595cb0

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
390KB

MD5
d494f0c70fe2d723f8b1b9855ef1ab68

SHA1
68db2767249c1d9edde8b92027c123ca6978e9da

SHA256
997a817c207d0160961979fe742a20e85cd46a4a64cb352bfab85a086391017d

SHA512
29263a4cb3f632d6e87d5585b921570db9102dc27dd3cd50fa1c442b7da44c913f5fbabe9d8a099ae6686e8ce14371191160e75b1a90bc45da6c37d808285231

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
390KB

MD5
fbfea1321153da8e9b14fefe2369241e

SHA1
efdae5017e47fa4787e1b304f82f6ff315c6cee2

SHA256
0fca03822f8b9570e110faba0e1228baac663e26a205c32718b2525866ac8535

SHA512
007b0d5aa5a0b3ce85989d336b362364ab1fc5b23703b08650174af067e8b4a97bb0056353976aab4ee6522566c8aca91f9bc23daa6b5df5ae19ba7d040f28de

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
390KB

MD5
fdf1741a9ab4ff7030673ddb044e02cd

SHA1
e2f9d66cb64dafb87059a84ba430ba1ff2f8630d

SHA256
c3348f7781db0f9fb15fbc9d359acbb6367e6144ff2273103f70bd9640f9b98a

SHA512
4e9805bbb1ef13569ebb6f280a9aa4e9d97e27fa826a5535595a12e5c7c4553dfcf486d0b694e56285dbaf1c22b1164cf1a0fb0167e8ec1144c63030843b6b2d

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
390KB

MD5
39475fff0e0b6209e5a9010708275a7b

SHA1
31bd76e3c3a5e2b4b781b621dddeedc2680011d3

SHA256
d49aa85829fd72596e26e6d88c96a43d3849eec5df891a2285c560d02eab88a7

SHA512
f26f921a7e443a941cdea4e2eadfd570cfbac8e76b2d5157114ba8bab7de07edfcb5012aad87b2679e356082b2658e7f36d039fd225d0b40ab9c0fb74d11ad92

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
390KB

MD5
b049a60d3eea2f39a8345795d9b62302

SHA1
00023acf1deeef5865f4786d210e98bc35654844

SHA256
9a859105cb10ee714c65385677926b40369ad1ae9c50eca4bc9ee6064cc76611

SHA512
1e468095d01ff9028ae92e59af13da6240ba1fdba042d36550af2f72de12d58605aaac5bea3b0e22047347eb55205a1f24fc50a4a3707fee31bb76a8139a83a0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
390KB

MD5
738f6b7da2e4549ce31d7ecd0ecbacfe

SHA1
a2fdea625081de91805f987c2af34b939c596ca3

SHA256
26c8f8e6877b73d396fa736a332f9e1056c0b091eda0c3e87b8d57ad12ef8b35

SHA512
fc48e884805c6aa310c964851b71dafb2fda1c82334a6d65a9903fc7c5644ed563deb65e4e5c93bf404263d65782a6ce2ecf9cfd1fe1f4d0c7935ea262f2f214

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
390KB

MD5
a1b8f4105dc3d004b7b4c6ba306df61b

SHA1
46530ad27d844bb2ebdc9734707b625eded1ea81

SHA256
0d019639add0f36d9c6bf9bd5a56dd1b1189dbd2ec814807e0ccb37b7dfd5f5e

SHA512
9f6a37639959ca682a72cc75726328515cca74950eb366e8b3de8d5b080063f82969975edfa0ad15d6e5697c3fbe2b44b5908b3144c111868b2b14c7617549d4

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
390KB

MD5
d265afc2a5e8ea8916a231a2b740a77b

SHA1
ba011c4e4b90564e85e3b360c38068fc6ec5f6d0

SHA256
2a620485d88d296bcc4cf31cca1adaa6958d02e3a7babf2024a09b650dfe678a

SHA512
7361084c89cfe28af48bd1854dc04a29e11e0c230be15120154d2a0d698b56b99b3e4c04f5fd47cf88793eea8d317e66fc19683c53222c4ff1108dcc66e351d0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
390KB

MD5
11d912144ba7cbdfeb3f556ce4029c6f

SHA1
30548b85632e5788e583754ad8bbb8698b42e186

SHA256
de4e58e562d11eab264436edcd6f115fa3429871bae9a69ec3c80f64643306ae

SHA512
5b2ecb604657a8ce1541466c53eeac957d112de3d0015103d5b2edfca602d025f6443e4e53b946acddf1bd8bbe6d0afb6b814c481feb52ab333b836d3901c256

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
390KB

MD5
94564de59ba871f2510bec768fdfca3d

SHA1
db01fac476c417fdd162087f0d71dce05a776050

SHA256
fb4e9bde32ec526dc236e43cc0d62a1f26f9c41dca56c5a05f8b9a3265aa948d

SHA512
64ff31d397281ccc5d555367d2af72e3a960ab6739e71012b1a6f252ea5ed9c33379f2224a346d07fc6387f9c160b0eb4da39e1f26a8bd02d49c68fd7b61db22

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
390KB

MD5
cf8c97b678c85368dd0e909839fdd89b

SHA1
57fbae62b3ab81c7554ae3193c38b3b19be42ba8

SHA256
65b61f046eac3c3e19ef4e8247a023d84c6d83c5fb4e5510d53ade27fa17d701

SHA512
5bd6f7027bbf691bfbf8201ba30ca69bf673c48e229c4ce87a97f1db5e75d5622488ff90f57fbafd7565429d0ad319a534c60ee657a734dc85a4633ca6d57d2b

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
390KB

MD5
dc1bee9337fdbea466b2ea475f900f9e

SHA1
525f757c95983c283ac2c1b838e74c6585f29ff6

SHA256
2beed512d59693696de7820b6225dd2e61244be18accf450d8ae023bccfc2324

SHA512
dbb7b59997784657cf9443307e25082f782e7525a22a94a93589bc76a7e96473db507b0bba83aba859219a2ba5bc017f7a3e87299264945a7057636c8133b002

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
390KB

MD5
a71a10bfaf73c6dc0cfb1d64592d0c6d

SHA1
a5af8ac17cda06ea5f20c3c4774fd6d8584daddd

SHA256
ae37eadec2e54e0f8acd4f17c3d88a42c736b68eb4679232fc3a05a30468a87e

SHA512
76151daa39aa71e490f37ff21814c20a0e5084c2dca4198e0d9b78c6f5b252df4a6310bc1288fa2275f4fe44d3c27ebd2cff2173c4e7a570307c217780d93970

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
390KB

MD5
4ca3e3b06d23ff48d90d5f05afc40baf

SHA1
f56e89ff376f0e186b7e2be766e4b29888ef3e68

SHA256
a5de977aaf425f05863adb5d08bce19c770eb68c449e7067af6711048f0dd7a7

SHA512
eb58aa4200867cacfd42a00d618a9f24b12f2318614049940c152f0cc3e49c341f48eb47abf8a7211ab3172efbd70243970958a9444b64d314ca0bcd7b13a8ca

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
390KB

MD5
93ee9014f18d23ed1f484dd8e840bab9

SHA1
ef3a773568eefdf48fbc4d3ab66e27ceaab5fac1

SHA256
077812d6f809de17e132aa374b2ab3f23863c07aaf4ffa90f89b7397166983b2

SHA512
67f062a2cea611751ae7528b33795dfaeffca7d97116a5b823b6aa67e15f92901001e285464d94068db28546b6d4f38e3144655cc664e799869320d00a3ffe9e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
390KB

MD5
1830e72c4dbf15035e16d242f3d44c54

SHA1
742c85839447551008f276650aefac5e0d55a8c2

SHA256
9f3b79fc925507d1db698c5127ebff88753a14fc1e793c8a4c603c20d32961a3

SHA512
7aa1fb467b84321d65b49289eec4e0d1d4cb698539db477c8b4924263d590a9e39566d8794619c07bee95277bcda97cefb355ffdf06147f9d836d69446f3d27d

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
390KB

MD5
ca9269e8bc79d285a4e6c40b195cf45b

SHA1
d4638b1a59d8c18ad1ae3d4832e1322a577440fb

SHA256
9825476ddd7e6cf26a6adfdce9b7b5d1b5b6853fda459b36cc926f74ab3c6639

SHA512
31ce141edc66514a310c77fac21d1578fd5f713a200503c2d444ffd6526ef5d764bbd6034801865673f39a899671a70196820aef26b5f6730f0aab7e2837ea28

Download Submit
memory/208-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1984-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads