4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 21:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Size

59KB
MD5

150c32b55dc808b02bd28f9ebc81a01a
SHA1

f6126209943119476b7bbb302f0ff2150455b571
SHA256

4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab
SHA512

079afaf47caa90be7eb65875c276de05a7e8c4172099c0ba9d725678ffef39933724d96fbc01f80c9cad64d7f3acefb5c246d1e63386689d444f436c9e595a72
SSDEEP

1536:wkk+rkdD87MQ7BAlRK6wSwMm/QB+2/xI2L+O:wkk+rkIOK6Xm/QB+2/xZ+O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe

Executes dropped EXE 27 IoCs

pid	Process
2192	Mkbchk32.exe
2200	Mnapdf32.exe
528	Mpolqa32.exe
3692	Mdkhapfj.exe
3436	Mkepnjng.exe
1384	Mjhqjg32.exe
4772	Mpaifalo.exe
4968	Mcpebmkb.exe
364	Mjjmog32.exe
3116	Maaepd32.exe
2892	Mdpalp32.exe
4104	Nkjjij32.exe
2888	Nnhfee32.exe
740	Nqfbaq32.exe
2836	Ngpjnkpf.exe
4524	Nklfoi32.exe
4732	Nafokcol.exe
1432	Nddkgonp.exe
1172	Nkncdifl.exe
2388	Njacpf32.exe
4980	Nbhkac32.exe
1032	Ndghmo32.exe
4684	Ncihikcg.exe
3956	Nkqpjidj.exe
2232	Nbkhfc32.exe
5048	Ndidbn32.exe
868	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3392	868	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2192	4720	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe	83
PID 4720 wrote to memory of 2192	4720	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe	83
PID 4720 wrote to memory of 2192	4720	4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe	83
PID 2192 wrote to memory of 2200	2192	Mkbchk32.exe	84
PID 2192 wrote to memory of 2200	2192	Mkbchk32.exe	84
PID 2192 wrote to memory of 2200	2192	Mkbchk32.exe	84
PID 2200 wrote to memory of 528	2200	Mnapdf32.exe	85
PID 2200 wrote to memory of 528	2200	Mnapdf32.exe	85
PID 2200 wrote to memory of 528	2200	Mnapdf32.exe	85
PID 528 wrote to memory of 3692	528	Mpolqa32.exe	86
PID 528 wrote to memory of 3692	528	Mpolqa32.exe	86
PID 528 wrote to memory of 3692	528	Mpolqa32.exe	86
PID 3692 wrote to memory of 3436	3692	Mdkhapfj.exe	87
PID 3692 wrote to memory of 3436	3692	Mdkhapfj.exe	87
PID 3692 wrote to memory of 3436	3692	Mdkhapfj.exe	87
PID 3436 wrote to memory of 1384	3436	Mkepnjng.exe	88
PID 3436 wrote to memory of 1384	3436	Mkepnjng.exe	88
PID 3436 wrote to memory of 1384	3436	Mkepnjng.exe	88
PID 1384 wrote to memory of 4772	1384	Mjhqjg32.exe	89
PID 1384 wrote to memory of 4772	1384	Mjhqjg32.exe	89
PID 1384 wrote to memory of 4772	1384	Mjhqjg32.exe	89
PID 4772 wrote to memory of 4968	4772	Mpaifalo.exe	91
PID 4772 wrote to memory of 4968	4772	Mpaifalo.exe	91
PID 4772 wrote to memory of 4968	4772	Mpaifalo.exe	91
PID 4968 wrote to memory of 364	4968	Mcpebmkb.exe	92
PID 4968 wrote to memory of 364	4968	Mcpebmkb.exe	92
PID 4968 wrote to memory of 364	4968	Mcpebmkb.exe	92
PID 364 wrote to memory of 3116	364	Mjjmog32.exe	93
PID 364 wrote to memory of 3116	364	Mjjmog32.exe	93
PID 364 wrote to memory of 3116	364	Mjjmog32.exe	93
PID 3116 wrote to memory of 2892	3116	Maaepd32.exe	94
PID 3116 wrote to memory of 2892	3116	Maaepd32.exe	94
PID 3116 wrote to memory of 2892	3116	Maaepd32.exe	94
PID 2892 wrote to memory of 4104	2892	Mdpalp32.exe	95
PID 2892 wrote to memory of 4104	2892	Mdpalp32.exe	95
PID 2892 wrote to memory of 4104	2892	Mdpalp32.exe	95
PID 4104 wrote to memory of 2888	4104	Nkjjij32.exe	96
PID 4104 wrote to memory of 2888	4104	Nkjjij32.exe	96
PID 4104 wrote to memory of 2888	4104	Nkjjij32.exe	96
PID 2888 wrote to memory of 740	2888	Nnhfee32.exe	97
PID 2888 wrote to memory of 740	2888	Nnhfee32.exe	97
PID 2888 wrote to memory of 740	2888	Nnhfee32.exe	97
PID 740 wrote to memory of 2836	740	Nqfbaq32.exe	98
PID 740 wrote to memory of 2836	740	Nqfbaq32.exe	98
PID 740 wrote to memory of 2836	740	Nqfbaq32.exe	98
PID 2836 wrote to memory of 4524	2836	Ngpjnkpf.exe	100
PID 2836 wrote to memory of 4524	2836	Ngpjnkpf.exe	100
PID 2836 wrote to memory of 4524	2836	Ngpjnkpf.exe	100
PID 4524 wrote to memory of 4732	4524	Nklfoi32.exe	101
PID 4524 wrote to memory of 4732	4524	Nklfoi32.exe	101
PID 4524 wrote to memory of 4732	4524	Nklfoi32.exe	101
PID 4732 wrote to memory of 1432	4732	Nafokcol.exe	102
PID 4732 wrote to memory of 1432	4732	Nafokcol.exe	102
PID 4732 wrote to memory of 1432	4732	Nafokcol.exe	102
PID 1432 wrote to memory of 1172	1432	Nddkgonp.exe	103
PID 1432 wrote to memory of 1172	1432	Nddkgonp.exe	103
PID 1432 wrote to memory of 1172	1432	Nddkgonp.exe	103
PID 1172 wrote to memory of 2388	1172	Nkncdifl.exe	104
PID 1172 wrote to memory of 2388	1172	Nkncdifl.exe	104
PID 1172 wrote to memory of 2388	1172	Nkncdifl.exe	104
PID 2388 wrote to memory of 4980	2388	Njacpf32.exe	105
PID 2388 wrote to memory of 4980	2388	Njacpf32.exe	105
PID 2388 wrote to memory of 4980	2388	Njacpf32.exe	105
PID 4980 wrote to memory of 1032	4980	Nbhkac32.exe	106

C:\Users\Admin\AppData\Local\Temp\4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe
"C:\Users\Admin\AppData\Local\Temp\4d0792607122e8a0662f0d23a680523798b8a451e1fc3a4f3bdc17a0c5cae6ab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Mnapdf32.exe
    C:\Windows\system32\Mnapdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Mpolqa32.exe
      C:\Windows\system32\Mpolqa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        28⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 400
        29⤵
        Program crash
        
        PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
59KB

MD5
2403c3156d73ed98528c38f1692cfc35

SHA1
09fd0ef6f64bcf90900fe940a937d174be738058

SHA256
85cf2dbabc2a3473882084e32f8157f71979a0e5af91f3b81c5a74d847d55869

SHA512
bf8bc9eef2b26da31d9ed83bde8e7430270a428c6640eaf9c3f36dbb927434f3b3a2a06a8eaf8223de68d6fd46fb1cd4d190aa0cfc421fba3a2bce9752d39e14

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
59KB

MD5
032dc408ee155c1b57abd3309adb7635

SHA1
17eb2736ae67ff83c2e06c818cb2f4a97dfb6117

SHA256
da123dead1c3ef9580d0bc0817a939bb7c944b21cdb9a46aae1994eebe948d12

SHA512
1dbf100e902627f9b5b6e6302bcf34841bc387ebb256846ebaa5e450683db94d3f1734e05ba9a5b3eda350c2116ff1c755e7fe226dd6205913e59dadb0e4b1c1

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
59KB

MD5
dd56c56367bb7ec4241160d17e7af9ef

SHA1
b88f39cce8274ecdf90f71d266fc1a768e5df619

SHA256
883e101ab84785b3bb110fb609cecbf7c28ab32c9f6fce1f1fa249efc451a80a

SHA512
639a6f546ac48df4452614c040dc21168f3c9f9a2db17123ec4a0c9794f75693be5757559c3da5d341009ecfce1e796be073aa45652a0a282f74afba7d38fb33

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
59KB

MD5
10e4da3f57c5f9878db639dc27af34cb

SHA1
24184251135ee4e4839f5f7602db1fdf31201470

SHA256
493fd6dc369dbba09485cc809910ee900c7d7ef7b1b55210a3bc0fcce05b98f3

SHA512
4d746968316ca070c5ea8e67b1d827ca766e6e0ef15f54942663b159eaaa1f285ac81f974f50cc708286f12ef90bc50ba88e0466747a9fecf9b28df64311fcc9

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
59KB

MD5
edec5a7d98feac6796698436163b8366

SHA1
97f0d1bc8a84b1222c52df2039816b684aac1ba7

SHA256
0808a4ae570813f7d1ec6d1f04b121867a63e56e4e62bff204571e47b61f6d8a

SHA512
96b0f31b812007d4541b8dd57e5f856b61f8b39cdc396e4a9fedc42c4f11c0a287a65e4ab2d28059e283188c0753c181dcbadce1e374789a2ba416fa5adac699

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
59KB

MD5
36eee278c9a5bc8dc17e0baa7b3f4887

SHA1
fd6877789105c81b4127fa4fe603cd3541719ab1

SHA256
894ade04aab228c7fa978e87b8bda5da7358be4edfc62712bd547669c5c9d71e

SHA512
cef675eaa77e93d6f6cb62f969869233354d78418d62a00f0800d3f4584d522bd1868dffa297dcf336d926e8fd40f0e242a9dc5d831ad16db2bc209e8960c878

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
59KB

MD5
2368f4f99bff372d961762abe905bbd3

SHA1
c0ed52212e07f77751f73e8f9ac1b06f37962d59

SHA256
2a356361da96fcbeb3475861a7c60d059dae51eeaaa1329f36a8be318fc61dd2

SHA512
91179d8210adc9d8b69993792940f7f818be7217b66b1022de35da7778b67cc5c98e4e1be63df76aca2b784eafab56260344374893cf148751e315c484001a9c

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
59KB

MD5
aac182f4a6958557b9dde298925c3ada

SHA1
bbf5c9ec68a27081e909eaa51d6b77f328995898

SHA256
0c210c09be0b229c368d64232991cf005fda873c8ddfb12e8203892d2001953a

SHA512
dfba3ea2f780180140735f54f776ab7b15e3d64cc1f65088cce6b489b8d6f8cf9df6fc02ce8f73062f3a11d6aae00ce1606bb4d5d71c7a1d02aafd61dd51d108

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
59KB

MD5
5379d981fb0545555ff6197addb9293f

SHA1
4520f8db3939a9b311cf4ed52c6746c0510a336a

SHA256
9f99d80c54dcee204635aa8965520a9d3082a6997b302c40ad674a27592373ad

SHA512
905e9c4d3a0a334e172ce5181c66aadf447073ec8e8448bad83ecbd95da5305b2ff92c406856645b9f68b5a5e0e9d5aa3d796da28394d0059ecba1cdb60b1723

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
59KB

MD5
b250442071e31be488d49af2facee3a3

SHA1
ddb683b8f6f586462dc960e61699f679dda887a8

SHA256
e769166809e1ffb57dcba4d6e909f21b1f1277d80d4ae9a298ea7a7bb9785ac5

SHA512
5dcbb2860b989bc531a0e36e07d959c7474a3be976a317e6e9293c4ef8c5455e86e056852166cb7613a915f483dcb7f6cd7f914fc4680a0f0901699bebfbc6e7

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
59KB

MD5
40e6e190a9731a059c22945d3299f233

SHA1
efadd5949733f75e1534535e067d22cf64ed0e49

SHA256
7195bcfad0183b15b84356ef787015dc73b0f7f4b7c8953b9cf4309bd4532f0e

SHA512
93e426ab0edc4628c8b951e75236caa4c57d9dc42b61f4977618cac3f4ea89784efee18449423bf334190600e07de761e93f431f125f1af1fccbb4ca8af226cf

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
59KB

MD5
0808d4e55c1c34106923223507d288f6

SHA1
5d14355b762fdd5a6f66d8054e6886027ead8f51

SHA256
4b0527a5655f81689d2e42425a95ea87dd2c39c856776fcdc8be3f1798aa30a1

SHA512
ea4ef5a2f95276e32e9ec6d7bc3f357cc08595b5cdc35b73f42719ac8a7074d61e42958220cf978afc20f6eb2c9157262685586203347caa9bcd66d26a8c8c43

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
59KB

MD5
9317c2477961353f93fd6e509ce58e1a

SHA1
fb1ea36a3e945a4c0f9d36a53218e00487cda22e

SHA256
c8d9224c20ae43eef3437877fe02bb0458d09fe1f7e92772731ca404a1dd0a55

SHA512
0297d72f1925eec573d6ab5bdad82a845142408a410a8127aa3a2bca51cf993cd1e21dbdf1a7b3cc8ba5991f87945820900ca04848d7f0beeaf89bbedbb5a9fb

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
59KB

MD5
bbc9ef247f2b4c97e9ae58b01d72a1a8

SHA1
6db40360191f7ac20491693093c59dbd6c70294b

SHA256
919c2662b94c592278ae453afa0b0561a698d384b4d8fed6ba88e2584a2fa7ee

SHA512
6dd4ac4586872bff000101796540dafc9b9e4592f4cb19f6447c362dd2aaf42c637ccba4756961f2bae56f018d925416423b950fb2e0ff79777718aa9ec18760

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
59KB

MD5
806ca1183a325bf11adc325e6f486048

SHA1
d119e02eabc860d3f93625f9efd15479a9ebbb61

SHA256
a638f8640dabe6ccae233ca10e8187e4000e7602162baa4d55b573fcea305b0a

SHA512
59b98e13ae0602adf92be829d7338aa4bb9080979d402f67fd6f5e8616f202899674769c2239d80ae19b7be3722d6482238caae96c67bf4f8dd33a9124fe3107

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
59KB

MD5
067e611da068f7f880bddf47c00897e4

SHA1
fded00017d284e1878c96f17ff06d1d8e7ad866c

SHA256
33acc3a80aa3e84542c7adb1bb09abc1f01141da6102730184425ead515d3cc5

SHA512
34e0d7c58e916617b6c84762e843ac8722f96023ac11a67563e285a856c3655d4d1eed92b70ccd91fc76056820705e6442c41754fc7ebc94151dc6b5b1b99400

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
59KB

MD5
703e375b8e11b520d3e31e4cade61213

SHA1
cc7b592fbb1fd41ca78892fa705d1cacd046ab3a

SHA256
37b93ea8b01639aebc1dd16ff4ade164f6650233c99b0c12d10a17a726d2d013

SHA512
9dbf6e2c1113d7f4716cc7e5607000cc21796abf11988d256c8e0bb181a6e31af89a4fa888175fd4847507bf599c9a2793e5fcc97899176f321d0c4a653a80b0

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
59KB

MD5
5654656399260ae8f654ed1229a5da05

SHA1
81f9985bb98f54ccfc582cc5119bc64789cdadca

SHA256
4056e0258c0ec974293952dc97763af78f4d0f9c1e19f09057e54147470fac80

SHA512
14480749d6a83dbb2ac51c0f45d617cd28b41812ae0e66cb71645638226ec6c5013b21da55b3adba676a8d95275efcf713fe3aa841366f219001b06ca5aaaed3

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
59KB

MD5
460b3a4b0842923b9f652db0ec72c1bd

SHA1
dc9f311bce2a33b6af0275c7bd8cd0e03d382df8

SHA256
2c83c8f9d8177d5d5334c4a983b5ba72adeeb0cf0b67e4602a9713e73ca4ae1b

SHA512
46974080a577ec1f0ccc7342dd5fd4056ed54db2db4aa61975bfa7daacd823ed3201e11a4a078744036905e3b22410e8eb6bdedb57fde3657acf8f2181ee45b5

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
59KB

MD5
25c92f10c99252616a3d0c6decf5b2df

SHA1
db26cab5ef0525de1c3a3c05183ce08a83c56bbf

SHA256
a5321394a04decc656ae2b0d27ec2c45065d5505aa0a6a2a4c9b2e7e682d8beb

SHA512
d946ae296fbf976f998470cf180d7baf5979070a4897b6095f16dcb2ea3b8fd4332813b1bbd8d6bdec208479cc6cbfa652f5533b4a3faba92e1fb5a8230e5ac5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
59KB

MD5
649732d67378d6860bfca1bfef6bd95a

SHA1
bf9ac4ee382b83e2374d8b77f6feb50b34f9591b

SHA256
bdb433b56cb26e712bbbe1b48c734213bf93b11f7a1e24968552802817ee0742

SHA512
6a010e0db859ed76bbf595615fde297bbcbf0a3947acec2f87d60e663d7c5e8bdae81914388c9843154e4cefdcf95467bb42c9d8502bf0db56cb67bc3e7310ca

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
59KB

MD5
dcb4e8031b9b597928c9b7541a24b85f

SHA1
02b68a3b11773e33b38a551d714dff0f43fe48eb

SHA256
dabdc43141938d637310a631fae64604971c2876ecaeb66aaa6cd64d0f7e59ea

SHA512
948561529f7c5367ea95d99d6a09e928e2e171b4842440e9ffe12ac5f817b9bab158a5e08cbadc3866b622e9e731f3a5de316737778293a8ceff4199a53f9028

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
59KB

MD5
e35a88326599a51ae0c6b67c97abd637

SHA1
79283c1ae8bec71dcbaa49f2303188e4e27a75e9

SHA256
6877efb56fd37bddfaebb089736fcce4fb3e555f201a656b7fdcfd8203be8b31

SHA512
5b945a570a36b021a1630a527ca4e864135854c991cca5afb9d06ab278ef1f28d1e4f625674e1119e57383f74d5a4c4d8f987c63bcc7b9c0ee000d9a02b15b95

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
59KB

MD5
3e7c7bd5cbe5011192f14f4cbd5275eb

SHA1
038b4a0ca92b9a62fb88371e4bd000eab8f64848

SHA256
7261ad18aa6ffd48baa0065d201b5c078117cafc6ca622d0f62f794a0a356eb0

SHA512
d8bbda763af2acd7bcf9f3f96f2f3313b1fd14808e2e23e5fc38e9124f503590dcfd9dca4a9172f0b78adf86a85198d609180cdf84500ddecb58bef24fe132d0

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
59KB

MD5
62c025257059632fafbbedfa35ed9c15

SHA1
0a24f51c7946c2f9b1df316e6828f237319ffef1

SHA256
c608d35ef4ed34c573acea1130dfc60569c0cda93dc7e46d4d50e612c780c4f9

SHA512
7eff1996b4bca3e4343e3b7f17ed408c0e908477fa56ddce423da63f28dbab8471cbaa11f558c1b3341dde405468de09d920944f1d73398b3b14c69ea7298845

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
59KB

MD5
9794b8b489cf935fbbb9c9032e9bda5d

SHA1
85583b193b07f5393941fbc8cd53de07369c5d51

SHA256
f47334122d45b78863c8747b93048a9ab0b9b9bc4a6465a3c0180431b590cc3b

SHA512
cd15694c7c40410f50f0d4465a2fcd024c1fc8efcdded6bbd353ae88ced83c8e1efbd7a79b24fa79dfe426e990d2cbb03d7f1a8efcffcdc7f2281faa77b59dd3

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
59KB

MD5
c93c651f6423680f1d052359915de239

SHA1
01a488f7a3330e77c2d2bf729886b7f119bae176

SHA256
36f55c6a129d3319906bffc2f5af8d06f0c7c8730c20748f52500e9bc7e9dac4

SHA512
78578bc8a5e0529f25da8f4cf8cfc20c8d875f1e59779c95c6e969d48dc1c2371e5bf61881f98b9ec391934addb70ca7324a0855c52b3217630743a070fd4b8e

Download Submit
memory/364-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/364-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-5-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/4720-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads