4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Size

96KB
MD5

8d86aebf3e893f114b400b37416da9e3
SHA1

400de0b68e8de06398017c142940ec4a9b2a500f
SHA256

4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a
SHA512

d2a4abfd97f81e9b50ca8465ee0762a431682508c1433fe57423dc2c41c9d6df3e1ff69dadc533703c284fdd0df291bf38563626bef019ae8703bae5739b6830
SSDEEP

1536:T2UojXC5xaOo6HOB3Y7rNlDpkU5jB6W6pHSCfRgDZV9dm8PhJpAox+R9hrUQVoMA:i9qTflk26pHDfaDZbHZMooR9hr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe

Executes dropped EXE 29 IoCs

pid	Process
4592	Mpkbebbf.exe
1560	Mciobn32.exe
4168	Mjcgohig.exe
3456	Mnocof32.exe
1724	Mdiklqhm.exe
3344	Mcklgm32.exe
1524	Mjeddggd.exe
4448	Mpolqa32.exe
3348	Mcnhmm32.exe
4836	Mkepnjng.exe
1344	Maohkd32.exe
4000	Mdmegp32.exe
4144	Mkgmcjld.exe
4040	Maaepd32.exe
3400	Mdpalp32.exe
4820	Nkjjij32.exe
3044	Nqfbaq32.exe
4784	Ngpjnkpf.exe
536	Njogjfoj.exe
872	Nafokcol.exe
4968	Nddkgonp.exe
2616	Ngcgcjnc.exe
3268	Nnmopdep.exe
2044	Ndghmo32.exe
1480	Ngedij32.exe
4660	Nnolfdcn.exe
4392	Nqmhbpba.exe
2432	Ncldnkae.exe
2120	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4980	2120	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4592	3940	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe	82
PID 3940 wrote to memory of 4592	3940	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe	82
PID 3940 wrote to memory of 4592	3940	4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe	82
PID 4592 wrote to memory of 1560	4592	Mpkbebbf.exe	83
PID 4592 wrote to memory of 1560	4592	Mpkbebbf.exe	83
PID 4592 wrote to memory of 1560	4592	Mpkbebbf.exe	83
PID 1560 wrote to memory of 4168	1560	Mciobn32.exe	84
PID 1560 wrote to memory of 4168	1560	Mciobn32.exe	84
PID 1560 wrote to memory of 4168	1560	Mciobn32.exe	84
PID 4168 wrote to memory of 3456	4168	Mjcgohig.exe	85
PID 4168 wrote to memory of 3456	4168	Mjcgohig.exe	85
PID 4168 wrote to memory of 3456	4168	Mjcgohig.exe	85
PID 3456 wrote to memory of 1724	3456	Mnocof32.exe	86
PID 3456 wrote to memory of 1724	3456	Mnocof32.exe	86
PID 3456 wrote to memory of 1724	3456	Mnocof32.exe	86
PID 1724 wrote to memory of 3344	1724	Mdiklqhm.exe	87
PID 1724 wrote to memory of 3344	1724	Mdiklqhm.exe	87
PID 1724 wrote to memory of 3344	1724	Mdiklqhm.exe	87
PID 3344 wrote to memory of 1524	3344	Mcklgm32.exe	88
PID 3344 wrote to memory of 1524	3344	Mcklgm32.exe	88
PID 3344 wrote to memory of 1524	3344	Mcklgm32.exe	88
PID 1524 wrote to memory of 4448	1524	Mjeddggd.exe	89
PID 1524 wrote to memory of 4448	1524	Mjeddggd.exe	89
PID 1524 wrote to memory of 4448	1524	Mjeddggd.exe	89
PID 4448 wrote to memory of 3348	4448	Mpolqa32.exe	90
PID 4448 wrote to memory of 3348	4448	Mpolqa32.exe	90
PID 4448 wrote to memory of 3348	4448	Mpolqa32.exe	90
PID 3348 wrote to memory of 4836	3348	Mcnhmm32.exe	91
PID 3348 wrote to memory of 4836	3348	Mcnhmm32.exe	91
PID 3348 wrote to memory of 4836	3348	Mcnhmm32.exe	91
PID 4836 wrote to memory of 1344	4836	Mkepnjng.exe	93
PID 4836 wrote to memory of 1344	4836	Mkepnjng.exe	93
PID 4836 wrote to memory of 1344	4836	Mkepnjng.exe	93
PID 1344 wrote to memory of 4000	1344	Maohkd32.exe	94
PID 1344 wrote to memory of 4000	1344	Maohkd32.exe	94
PID 1344 wrote to memory of 4000	1344	Maohkd32.exe	94
PID 4000 wrote to memory of 4144	4000	Mdmegp32.exe	95
PID 4000 wrote to memory of 4144	4000	Mdmegp32.exe	95
PID 4000 wrote to memory of 4144	4000	Mdmegp32.exe	95
PID 4144 wrote to memory of 4040	4144	Mkgmcjld.exe	96
PID 4144 wrote to memory of 4040	4144	Mkgmcjld.exe	96
PID 4144 wrote to memory of 4040	4144	Mkgmcjld.exe	96
PID 4040 wrote to memory of 3400	4040	Maaepd32.exe	98
PID 4040 wrote to memory of 3400	4040	Maaepd32.exe	98
PID 4040 wrote to memory of 3400	4040	Maaepd32.exe	98
PID 3400 wrote to memory of 4820	3400	Mdpalp32.exe	99
PID 3400 wrote to memory of 4820	3400	Mdpalp32.exe	99
PID 3400 wrote to memory of 4820	3400	Mdpalp32.exe	99
PID 4820 wrote to memory of 3044	4820	Nkjjij32.exe	100
PID 4820 wrote to memory of 3044	4820	Nkjjij32.exe	100
PID 4820 wrote to memory of 3044	4820	Nkjjij32.exe	100
PID 3044 wrote to memory of 4784	3044	Nqfbaq32.exe	101
PID 3044 wrote to memory of 4784	3044	Nqfbaq32.exe	101
PID 3044 wrote to memory of 4784	3044	Nqfbaq32.exe	101
PID 4784 wrote to memory of 536	4784	Ngpjnkpf.exe	103
PID 4784 wrote to memory of 536	4784	Ngpjnkpf.exe	103
PID 4784 wrote to memory of 536	4784	Ngpjnkpf.exe	103
PID 536 wrote to memory of 872	536	Njogjfoj.exe	104
PID 536 wrote to memory of 872	536	Njogjfoj.exe	104
PID 536 wrote to memory of 872	536	Njogjfoj.exe	104
PID 872 wrote to memory of 4968	872	Nafokcol.exe	105
PID 872 wrote to memory of 4968	872	Nafokcol.exe	105
PID 872 wrote to memory of 4968	872	Nafokcol.exe	105
PID 4968 wrote to memory of 2616	4968	Nddkgonp.exe	106

C:\Users\Admin\AppData\Local\Temp\4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe
"C:\Users\Admin\AppData\Local\Temp\4a553c4f8c090641dcbe87f8fbc540207d55184573f844faf5dd9b22ed6d2b9a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\Mpkbebbf.exe
  C:\Windows\system32\Mpkbebbf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\Mciobn32.exe
    C:\Windows\system32\Mciobn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\Mjcgohig.exe
      C:\Windows\system32\Mjcgohig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        30⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 420
        31⤵
        Program crash
        
        PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2120 -ip 2120
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
9f53cd19860388f7851bdaa6e0c0cac2

SHA1
ac921e0332765a826efbf1f006b7419953c4fd2f

SHA256
f7ba2a3bcf28a86a1b17eafdeec02b938bc69ec7859d7261109f246a98e64879

SHA512
6a5270734073fcabfa1d26d446f22651345235b2b99454458b775e4f7db52f5f40af2877ad3faa1f733b43b770041edaf30e5256df1856da9a17a43247a31bd1

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
aff082bb885ec2f0d1e698f176e4572b

SHA1
8868476c2cb3f8e1d23539402a382920199d7646

SHA256
1c3cc68930ef9949095121717539e604304c446927dbaba36aa55ed45d611042

SHA512
84b176516a1018c16dd83ac6e7bc778ec7f801fb471314dbab98cdce055624823af03616c92d624277f2a97213e0f0282900f311409ebd77d9f7510d345a8754

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
d943d31a19cca2354fd5fac10bf2b0c5

SHA1
1c55464ed076ef68b2eeed836b803522748a9bfa

SHA256
7e6e91da0edc22711fc0599fc257f6c6af22cb519cf3f2e20aeead6bf97bd7f2

SHA512
6fc36e585d500140bbd34f424495a30a4cbd210fc80b5ed136ddfcf2127638ad7c88a64425f00dadae97c8436ddca08c22fdb76ca9a640f257b1d067b5bda76e

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
96KB

MD5
08d195ec5832c770c26c621603a3013c

SHA1
8975ebb2970280fcfa06200a8aa877013ce401a7

SHA256
f21d5a8443a543db3e290007f6a9b7fcb85ce62c7abf25a19b4c169b87d25f59

SHA512
b897f162f29b577b6d66172b6313ef4332583c49ec56712f489d170fdd568399783be8599a85da78ea41139252aeb68786e7d2a88e2ebcf96b6d7b06442ad3b9

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
96KB

MD5
316cc8bfd17b68fc06a7a53d68765d98

SHA1
bc8886b8ce4b80ffbc56479f15e67f0f338114b5

SHA256
f694feee7973bad39c9484a4c6a45a0db0f6f9d38bed54e90ef842cf3f33c89e

SHA512
9e66a43da134d31288d065dbebcaeb86dd6644d3c652524886e7c637fcfbd44139c86d361725372fbbea7352f9007090f0e25121a930cdfbc528548446c488b5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
ad7ee92cfeeac2f0d6fa4bf85ecb15e5

SHA1
bbda03f4669f93869e722f781b51ae9fbbca6ce2

SHA256
37874b388072c25ebed26c2b7bab9b0ef3887a46b040c98f006fb2795d8df6d2

SHA512
6184448483c41052e7c28d79504182741fc7e3dc34dfcdb10a501592a5fee03609c356220b1d6012cbd58bdbe1bf452e2bb0187edcb347388e84a30530d4b6bc

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
f1c215d09a37c5a0d31e4e97edab246b

SHA1
22ba4ffde520b3461b9bb8fb610c5f401d075f5d

SHA256
536a4b21f23637cbad0d268713ac7ac0fecbeab289c674530fd207b210046fe7

SHA512
fa681b8daef168323f821eabe410c30165ede38796ed64daaee59b76968f108c07578615f8803c3d12b41d0a6be094e3b4fe66ec31056c5a52475bf1fee68fc9

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
96KB

MD5
d0272ac52f7ac03212f19a4894f9030e

SHA1
21e82e2a8880a15d64ca9aca66dba0f468787bf5

SHA256
da6e19fb1936e6c2d43abe2465641329fa197bff5197141173cdc637478a640d

SHA512
2716a43a72eb7f119603f58af92dfef30c07a3d488574162ace58a78895082d787deabaa426887ed5b5f7ec4169ffa2b199bfccd4c795856826ca1550fc629df

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
1809bf71efddf365d6766fdd911653db

SHA1
d4d56309f875ed6037b33cd32413f20fa3ce6ee8

SHA256
f0cd84bccf301456b20181507b8080623db81bb51369fdfb3b89b14b595d5598

SHA512
ffa4c75d4b04667b5f132745ecde008d630fe8cc06110097961a3163a383f09f03b04239df630db985b2482d80ff33abde44fa0d5dad4495f0a833b9374609ae

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
96KB

MD5
c490c23a2ff27e974ec56112155264f4

SHA1
df73cd38d6db6df24ebcc0fe743c8820eb19af71

SHA256
98b151cd3de34b73947e34c5da497e7bcf14ec582932189f878158b653ec7d1b

SHA512
b6e49cedde77243106b50abb749f072eab1d1d104a544cd3c21aecae9f46b7631d2b03044b54c5b24a49a8d8b3010452c6df1cdcf3da6d9c43c472fea503882f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
4ade5f2080691e697e6f1ff5c49077c0

SHA1
25ee0984cf44c4ac5d42fb6dbceb2130fdc4caa4

SHA256
98744833976f6466d0bd16a57ed99b19049db310336a3d2f18fa9f2f7ea66cbf

SHA512
3a1c33d9f7c05be8dfb947fda7aa0237a6fdbf7014c62dc1a55fa7e5125f84ae4876e7b8e37de6c4063973bc88ee4454b71505dfcc8de01279260508b67613eb

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
79efe08c40fdaa928d59a4e6e6724f50

SHA1
4bcdca50fc1f4a9633c9de77e69980fa6f2ebe0b

SHA256
d58473e240fe1c54edc59e54de1fd5973dffe3e79c1920139adeb5fc771ab169

SHA512
7a1a4f7ec6ed734f2002b49c5d4ced561f90db64cd9fd84935be25f670180ffbda4e331b665df272ec2ca116d004048fe99f9ae969b56992a07902206156e572

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
96KB

MD5
38472265d340c1c488bb95ccb026be32

SHA1
d1015d6f8374da1a7ad5b7f3b6a757641186788e

SHA256
b3fb119086be7e0e609f12af98a36c35d2d552f37f59c4fbf48279119598780f

SHA512
f90efec198bc66beea2981d82e7992b629e05283f4ac4d1eb1736888351dfec233d80fa041672b1928f3a4618b0250ed3c7ce0305c6fbc709c26a04fb56e60bd

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
96KB

MD5
f3dc25d9d4659a99626b63c52304f6fb

SHA1
ca286dcd5d2785f387a1c39ff464dfa2623e2d93

SHA256
ec465e497bc275aaca9c00ee98f32a258857c2635e7d630b3ed68cbf3a0c7310

SHA512
e7e758062eb37760b828e3bdc8eb81063656c199d4fe9abe184c28997a9af650dc8d6cc8769d492e4d0545b2a748225d7df85286845a6164810a9da2a2ed17fc

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
96KB

MD5
f3945e50c83c740d705745d0cc105ea7

SHA1
35485fe8f6f597e9ba85ba69205761ed2ea8dc7c

SHA256
aa5400f02a231a5f2c5e72add169e96fd3de1101e6ab190864f68ea9a9898c12

SHA512
d63d5fbcbe0b5bbaa1b7efda8fe9ec5ae7074351361abe6aa1de560f2c44157656cb03f1c25b3133d1e7c1bc5fa78f24b4786d9a5c2ce299b2bbc91947cf35ca

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
96KB

MD5
00c4660a936e08f73a435e31bacb8056

SHA1
0e1738d7fc9cab6fea6a1d7f81d4e7cdfcbe9d0e

SHA256
4be4bfdc03572a146ab284127bb16c332c2bb55923c6ab13309dc43407afff28

SHA512
b1bf69d5da9106531179c8dbc22e21461ac2e6783d4d7630d0a74510561015b60795302e0faa9e494fb3375a417cb2e55bea3dc89d01b5513e90b2a595812b21

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
96KB

MD5
2d63ede94aba2704695207c673044c78

SHA1
aab7fce3cc3d488ac37eabcdaf26abb54f3ffbea

SHA256
242c4029d7f14df4b3622557e9fd7f2799ecf20c6875283188db174f6b4bee09

SHA512
056675dc012594d530680a6909c2185c9b15c73937a8872283488e4fdb70b8ed323afafbbd122fa7d8244e92b880f088dfa8c1639cfdfcb29427ea897787242f

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
96KB

MD5
2c77a5fa9c5fc290225bde52c0a3d459

SHA1
0f085d923a340bdadaee7cc33a2bf609c86247dd

SHA256
bbcbdf8fbfdce9b6969d26fd613ef131d16aeb16ac3c4ef75d98ee9c33794065

SHA512
2ca32ac8645e074569cc2f9bad18c427ddcc837b14c8840617466caa8bf0dfe3fe0250ccf60470732b8fe8d6f137427b9d0af80c281f60b0e4ef57a15f6d3871

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
96KB

MD5
08056bee4b71d7ccc1dedc2386cc5887

SHA1
80f06c276348b72ce3d7a3ceccf103dcd68a346e

SHA256
06e51042423eff23a744512e88aed3f75ae3860b6a51e3703e8f36799f63dc9b

SHA512
0ec467b03acc21aeda338e7f221a2df7c74ed53287b7fd217afc5fdb344fd84d923afab7a2b9a78799db4910c5487fd03e67e0ed5fee3ef3bf988e3688ab62cc

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
96KB

MD5
1dafd351a052953efcbd761f2e9ac9bc

SHA1
08ee794ee52bfc6b23bd213023bf1469c378985b

SHA256
e1b35ad33a7d479767bc178bce5ad1ae288040a750b6a8be8e3f655ffb352a60

SHA512
98f27ff9a295609953620e3846e33a403c5ea28f369d623938085980d64a9eb28296a8a67858164c1010b10272007e58978753396f9b06c326b14a4932bbe995

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
96KB

MD5
baaa48691f723b0b05d41e11610f0cf7

SHA1
6df93ec9307134510e4b72743fa517cf347d6e8c

SHA256
7e507228face9b0f7297ef8aad5c1b824930490401d031db915e8ca9e2646436

SHA512
f18b9bf8beb3301fd142a3260976884a3d133f0c66144d014f40aff57b6c56b372428d2eece65cf136b9e378d6757ecd3e95d134893f95099cb9e2e32e8ef358

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
22b25810528eb817c3f211a77292831e

SHA1
769b61d44804b05d8ef2de93cd7e71d09d701c88

SHA256
b452c300b0968ca090014ba2188bc8738b82effa35dc74836e05b2c60ea9e6df

SHA512
5aada0889427d1ff12fc2f6f73c0bcc7c93c8123c461bebb8ec53b09a5cdb855654a73cb101234a241fa2e4490001e73e9cdaf97d0bf26ea29fbe480c817a22a

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
4ab9195fc540c1b06b92861cc72a561f

SHA1
77756b256a97eb6ffe79d14de3fbf2c44d8a69b1

SHA256
f8a9e96dc14fd90aa5a66b55d6129f580eb96a93ec04c8244eab35c4b37802bb

SHA512
cdcce1fbab0f7e1d882afebbe2b3119e6b1649109290b6d69e217a7d40ec5af93e2dd729c13f7d416191fb2568145466fce769c820646b955d5abca6c10a2b13

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
26c1d5f3476447b6b68279284e0ea80b

SHA1
2d41095a1a1dfee96506156bed210d68c14e54b4

SHA256
c363d1061ddaa29551e37f8fa4f904608416529c0b5696fce392383192ad67ed

SHA512
fd6484a0cc10c162215ec5c9f8b94264403cd1b5d7901c098b4353ed730ed46af095b5f6cac4ad3d2e105af5c4a14855eeeb6457fb402e8cff39a0ca7cbb1a31

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
c54c15690b3c57b2ac65591911b8ab62

SHA1
8ca56c308057896b366f66381b24491992959132

SHA256
d32c0e3fb87cdc6489634ecfe60984d009876fed867633129d9d5ba4d9c898d3

SHA512
d8eebc03d139578e8bc392ab43bb5f5cf1a056fa8d3175264c238632734eb265c66654075eca006890322fb03c555365f5617ea94d86ef01b38f38d2764c4516

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
96KB

MD5
cb53b06e9d0bb77b643e5ec6f2d11e30

SHA1
d8eca1a17c92af2f11d7ffadb399bf864c7d43eb

SHA256
c218421cd325580365b75eef6ac4f660cd4abf516c78775675c330b82f3a37e6

SHA512
60be48d8971601087afe3b7bb71e07b17d5289589298aff98fb95571d665778db29592d2d615c562a2afb752f88db7df0a99edcb764250716b1756d2d40fb969

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
96KB

MD5
2f5de0865c2a1bcb5ed679a0f4fcff47

SHA1
d35c7ab8ab22a1091e80448ed47e323c420e3d1d

SHA256
05a8c5b26b235c3a970db7593ed2afbf66aaedd5fd0d4a249ad01f6031b924b2

SHA512
c67f0aca8b7d4208c5c1f3a11fec5829e443f310fe3cab168c7c6d353395ebb263b53454f623ca1e15950653960c08b74bb746cff342f46f3e493c9ed5fe51b7

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
96KB

MD5
d595bd6bb8cac6a540b9b3706e2f176e

SHA1
0b493875c8f5806e1d899d8a06c4727cc2e2a895

SHA256
c5eff3a8abd32c9a4bbe9ab7ec46154fa7cf2fd6f656f6e272ca56cab4af2e8c

SHA512
7d7305e8cc7573c30b07e4e02bb7e9bc122c29656d94f60dfaa131670b5e7cb61d2a15b92b6f5e31acf3dae84dd0ea5a94bf9c230713704d8f3e63733cacf14d

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
96KB

MD5
78d36f3584551464a154c52639a1025d

SHA1
69ff0563fd12bd4b2944311cad804592bdfcbbd8

SHA256
fa8965a020544e2909e3dab3686fb7268a2335c4ccb5a08a6c9eef64a94058d3

SHA512
5fc02f5d099456de9460c50df8db20a04ddd2b498639658fd7bbe7c1b09e2ad33c4d786c98e693b66bbb2ce523ae09ba9d0fa6653d7963974034df5a974c41a6

Download Submit
C:\Windows\SysWOW64\Ockcknah.dll

Filesize
7KB

MD5
d1695aa46f3b5822e3e790557f933b1c

SHA1
f555a8e617313a5738f54c05e9e97d2c616371a0

SHA256
2feaf70ad486dd96f6757105249cce3fab4a26ea4ddb1612f954de04f729dd6f

SHA512
b0bceacce5da5db177179e3298e4422668555ad98ff66e780a6caed4ee31db453e03085847f17afe68d051b3085a42c12f49a7e9c6ec05529d4d166092d30d4c

Download Submit
memory/536-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3456-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads