248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Size

98KB
MD5

b9d8187d82b70f265ee5d9e7941f4e91
SHA1

ee663541181c015f7022109863fa510ad9f9c834
SHA256

248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4
SHA512

ac147a50798cd3fef3161664685ac5aeb9708fd5f7c62d97805bdc2f09903e7241c0e75a7d77b4a98ab7837eb9f172ac4fc78556480af41929c1410db666611c
SSDEEP

3072:B9vdcJuglebIFAnMECeFKPD375lHzpa1P:F+uYynMECeYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe

Executes dropped EXE 16 IoCs

pid	Process
3796	Mpaifalo.exe
5044	Mcpebmkb.exe
1856	Mkgmcjld.exe
4032	Mpdelajl.exe
1864	Mcbahlip.exe
1432	Njljefql.exe
2560	Ndbnboqb.exe
1712	Njogjfoj.exe
3572	Nafokcol.exe
2208	Ncgkcl32.exe
1364	Njacpf32.exe
404	Nqklmpdd.exe
3352	Ngedij32.exe
3716	Nbkhfc32.exe
4828	Ndidbn32.exe
4124	Nkcmohbg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	4124	WerFault.exe	96

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 3796	4660	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe	81
PID 4660 wrote to memory of 3796	4660	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe	81
PID 4660 wrote to memory of 3796	4660	248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe	81
PID 3796 wrote to memory of 5044	3796	Mpaifalo.exe	82
PID 3796 wrote to memory of 5044	3796	Mpaifalo.exe	82
PID 3796 wrote to memory of 5044	3796	Mpaifalo.exe	82
PID 5044 wrote to memory of 1856	5044	Mcpebmkb.exe	83
PID 5044 wrote to memory of 1856	5044	Mcpebmkb.exe	83
PID 5044 wrote to memory of 1856	5044	Mcpebmkb.exe	83
PID 1856 wrote to memory of 4032	1856	Mkgmcjld.exe	84
PID 1856 wrote to memory of 4032	1856	Mkgmcjld.exe	84
PID 1856 wrote to memory of 4032	1856	Mkgmcjld.exe	84
PID 4032 wrote to memory of 1864	4032	Mpdelajl.exe	85
PID 4032 wrote to memory of 1864	4032	Mpdelajl.exe	85
PID 4032 wrote to memory of 1864	4032	Mpdelajl.exe	85
PID 1864 wrote to memory of 1432	1864	Mcbahlip.exe	86
PID 1864 wrote to memory of 1432	1864	Mcbahlip.exe	86
PID 1864 wrote to memory of 1432	1864	Mcbahlip.exe	86
PID 1432 wrote to memory of 2560	1432	Njljefql.exe	87
PID 1432 wrote to memory of 2560	1432	Njljefql.exe	87
PID 1432 wrote to memory of 2560	1432	Njljefql.exe	87
PID 2560 wrote to memory of 1712	2560	Ndbnboqb.exe	88
PID 2560 wrote to memory of 1712	2560	Ndbnboqb.exe	88
PID 2560 wrote to memory of 1712	2560	Ndbnboqb.exe	88
PID 1712 wrote to memory of 3572	1712	Njogjfoj.exe	89
PID 1712 wrote to memory of 3572	1712	Njogjfoj.exe	89
PID 1712 wrote to memory of 3572	1712	Njogjfoj.exe	89
PID 3572 wrote to memory of 2208	3572	Nafokcol.exe	90
PID 3572 wrote to memory of 2208	3572	Nafokcol.exe	90
PID 3572 wrote to memory of 2208	3572	Nafokcol.exe	90
PID 2208 wrote to memory of 1364	2208	Ncgkcl32.exe	91
PID 2208 wrote to memory of 1364	2208	Ncgkcl32.exe	91
PID 2208 wrote to memory of 1364	2208	Ncgkcl32.exe	91
PID 1364 wrote to memory of 404	1364	Njacpf32.exe	92
PID 1364 wrote to memory of 404	1364	Njacpf32.exe	92
PID 1364 wrote to memory of 404	1364	Njacpf32.exe	92
PID 404 wrote to memory of 3352	404	Nqklmpdd.exe	93
PID 404 wrote to memory of 3352	404	Nqklmpdd.exe	93
PID 404 wrote to memory of 3352	404	Nqklmpdd.exe	93
PID 3352 wrote to memory of 3716	3352	Ngedij32.exe	94
PID 3352 wrote to memory of 3716	3352	Ngedij32.exe	94
PID 3352 wrote to memory of 3716	3352	Ngedij32.exe	94
PID 3716 wrote to memory of 4828	3716	Nbkhfc32.exe	95
PID 3716 wrote to memory of 4828	3716	Nbkhfc32.exe	95
PID 3716 wrote to memory of 4828	3716	Nbkhfc32.exe	95
PID 4828 wrote to memory of 4124	4828	Ndidbn32.exe	96
PID 4828 wrote to memory of 4124	4828	Ndidbn32.exe	96
PID 4828 wrote to memory of 4124	4828	Ndidbn32.exe	96

C:\Users\Admin\AppData\Local\Temp\248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe
"C:\Users\Admin\AppData\Local\Temp\248f2327f3b2d5362ba6473858b0ad13c91721ffe83185f7eb0b386b629329c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\Mpaifalo.exe
  C:\Windows\system32\Mpaifalo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\Mcpebmkb.exe
    C:\Windows\system32\Mcpebmkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Mkgmcjld.exe
      C:\Windows\system32\Mkgmcjld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        17⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 412
        18⤵
        Program crash
        
        PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4124 -ip 4124
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lelgbkio.dll

Filesize
7KB

MD5
1af841754432f927a08c773ada55a8b0

SHA1
9577cd80bc1b7adb101d4235d2dff706d42edd49

SHA256
82d5237ef328a69f95ec62ad4c5e043307fc9a123a1b2edcb7acdbce2a042609

SHA512
56bb6725f5057e5a600ff50587f90c1318fe9e3f59a1fa31bb7c704c39b7730b1eed2d0e1547fd2e0f4ebb2e5ef381ba3af0a2d7cecb253818b8fc24098cbacb

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
98KB

MD5
7cfd47af6e6be9eafad2b3e438669d30

SHA1
5e93e7783206ceea3345576570a6ed9eb3343e41

SHA256
7beccc6ad5f0f0bea6e70b88430736494100e699611ea419982a1117cb2a3a78

SHA512
29865a5f0d07b282f45a40c7bd493e3c70c8064b73768b491d8cb774258fb7264276ccfa80565ca9ad60fccccbd4a6ccf502032d35acf64b6cd393286ca73462

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
98KB

MD5
df4cbb11834b3fe1811763932d0666f0

SHA1
f3ccb6d5261f5b7ac7741d22908159769098b50d

SHA256
910f22de7f34d4984c70c7e09e5d85a6dda3af6e06186294ae6272ebafbda08f

SHA512
3e9520dea58fe9e5152f2cc70647c5cb01f03e42602140f79efcd79c28d88984f89fd4c44aadb74387361f162c205ba1e84370c1e40566c03fe6588ffd37b101

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
98KB

MD5
a72fe078ef6cecb483f6c02bd517948a

SHA1
6330945a08fc23cc64314133e5446d87cefd34fe

SHA256
e6ec1079bf71183e8f6d1dae1936ffc8df31e26868305abd139d802224054ad8

SHA512
dbe1a7d019fe0512c1211c234402620b144f3f6269f91f184992637f833d0232bfcf335caaf9557bea8b2782e0a75cb29fd775b97db530815879dbe7dd49aab1

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
98KB

MD5
18ffbff9e99629ac080dab23c4bd5e37

SHA1
d9288cccb1d05efdfa70514a4839f3a161b3571f

SHA256
2eb30fa9116a0c8e53061cc95b137450d3528b8e73a8580613c48cf9ba2c3e15

SHA512
5dc632381d4377e8e898b9fa57ab3974ac60f145ed94b41ab76e3a8ba0f30ff521e753bb20978519217e50b292161ced243e49a46f31562b1e79b3159730ee29

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
98KB

MD5
1772e24b2e0c6650a7064fa14f3f61a9

SHA1
c17445ce125a2bcbcbd34513dbac79d18365e979

SHA256
d287c0111336ca0253342fca7a79854026bd0d388ca74c1d0d45bbda3c9caa32

SHA512
1f639fc7468451c7aa9f73f8601b1ca9402d4f9887bff856c8b445c58d93f1d9410232cf89e7e7ed0a5e6b1d06b113039a266e6d9103cedd4e2fc6181959861a

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
98KB

MD5
f65a892c755509b40ff04dbd60b61201

SHA1
c4e8955d50febd4b8e27af955e2d41c2150c6e1e

SHA256
0390cc60cc4515589ae4a1fbaf1c3ab0d6e3d0608bfc272158176c220725968c

SHA512
3c5b87e710b238f0460b26022dccc9211286978ba107f397b463314f9514a34d077ae40d75ff6d3f92fe807d64d73384a7428157d6a67ce44bade06422d1ff73

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
98KB

MD5
f20b9f5dc20d12df694ef6528a36f744

SHA1
222ab20bae509c8a5b73803bd70dd166f55197a0

SHA256
45ecc84103e5befe2bb5659fcfc11a91b9c8cc418d83c9f853e80fc93a75732b

SHA512
6889d4ece9c31c8961c25ff1a0d7bdc89d2b9976be5b1ff8ce02091a5cb946d27848c80086d86785bf5b9df2220f9ecf808b4a199f2175a976e2a105bb813157

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
98KB

MD5
fad78062704298b5def7c2ff85d13fa1

SHA1
a0c52e47e5acc852f5cf7b88a41562da710e4e62

SHA256
106c21cd4053bd25a789e51a9f4bedde14db157ecb5d24be053724df1dfe1d87

SHA512
9d29dba7434e2ebbd2723bd30ffa56edd5466174b9b6d005e863d0b06ca01b2a240969d11fc24d460cb02122be8d969b5d141942bde1cbcbcc54d556a0584ac8

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
98KB

MD5
34f5dc68d2ffc925325c14727d1f52a2

SHA1
8aa155f70d74784e21e47f297f6cc35ed91011e5

SHA256
8c58829ebc0b9857095c0ebcef55944ac28e8aee8e2c9d4f2ec1ec6e83b43192

SHA512
7be2e8552765e659ff11fba74c65ca6da4ba3fa72569d3a67733d7aa489ff1e40d9de5c6047461c4074ff863ecfceaae8cc15aa9e4928ad05cd52490e1379919

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
98KB

MD5
c1f50eb3e747cd1131cd8ab4e7c51089

SHA1
a494756d097c4889d2e5a9acc6d5c5934dd18c1e

SHA256
94e836424b515cd23fc06d37057de133b4b716eb99dc8872859c58c5f1d50190

SHA512
6752ba0250d781066d0709f61d2370b40a505522b1e6a92a073cb506a6a86436b2a195e7a65fb4dcc7a38b558f62b888745111b22ead18701371ab74937d9cb0

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
98KB

MD5
c500d0725e336cc258610650a94558d8

SHA1
87c90a0fd640ad8221d557b6e9475e925f3816b0

SHA256
f0b6275f7532e77342166dd6919c13d51af10bd2dce799e5d20cb9f7d1081292

SHA512
26f926ef23ec32156a34d524c39430d918b9e46b36930bc54d58a43d7c47b883bc580520e35c2b2a7b046fe692d4a2a17a8fb2e681af8817fd224ae09f53d50f

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
98KB

MD5
a01a251d31d7c9f3dc197f96012365ff

SHA1
05e8faa8d7f2240c7737eae5cf58dab1ac29a4fa

SHA256
dad7e65a9a8b7429556efdb2ca12fd31d63cf9c7abe09ab56f07b81845cbfcd6

SHA512
d10da90d7ef0ee41ba5404527b1353d970eae632597f6fa26792605900e404c831278595a985adbf279590af9977a96aaa9edbae4675a50d038af4085e5faa66

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
98KB

MD5
057749f50949faa44acdcb4b2d267aa1

SHA1
2ba6d4c73e799681d1b3e45920f0fb2f83372f2e

SHA256
8e12a7d7cb700066718450c58d5684e6a768aa23538e3ca115b2fa77e66bfe99

SHA512
cff8cd83d01a618edb557974370ff15eea68e1601e706537bfe9aa102e991e4982e8bfede54870afc9d36e8067e3f07a334b6477f071fd5bc404e1449ed23e5f

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
98KB

MD5
e8be126fc4c5054a9d5fe1fee29b74d0

SHA1
9ddcde838492525353b83fc7e3e26bdd41d9d039

SHA256
a1e3c88f72137bc3aea8eb8d721089419c9d09fa5bf35afaa934a2541ae0348a

SHA512
b880c5f5c43a83bf1233f29a81948b68ee9f33a5b44ff6836db9639174533bbda8cfd1839c8c4ef7dae38ea247b8668753600f7954f151970dc6b61c95f14d54

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
98KB

MD5
ef7b5618c6b1094e833dbafff9c0131f

SHA1
b71be3276a6376f2e5ee0d5d6b1f125e74847f26

SHA256
59c158622f5dc62d0176f88212a1142df5c0b1d648295ab7c33a2ea64297ef6a

SHA512
1e7fd1593334ca2fdd72975fb72ffa58ce2b6d3c7e960fbba83c61bb0ab021bb8bb0900653980aae336598966155a2209e7585b89b76a7625d6a416465f257db

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
98KB

MD5
15d9b1b1438a31c45f006097c4fc706b

SHA1
2b74e520e36a91d185696b66ce06b42bf5637aad

SHA256
8ca444acfc16dbc5c6b79a79b454ba62a7b644fb5c907658204fb93265d6903e

SHA512
2f5c365d9315bcd267daaf70a9ede37d225d23dd3df632b66a35a3a3e1ad82586298cedf2c2de8e9d31db690f4e313c57181e41dcfac2e89bc7519fc682db0ec

Download Submit
memory/404-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4124-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4124-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads