5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Size

400KB
MD5

4d12840c819fb08b6f6c9c7e80b536e9
SHA1

2afd64fd94c115ee59aecce15e9ae687dffe962c
SHA256

5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0
SHA512

8a9661ea6cc9506a04085f5baeb7f6c694a6a39f7b582a1a17ffb968fffc3f38ec2b5d8fbc6f22e5d2618c00af909a7901cf9a01355a7ba1301d41381dc844d2
SSDEEP

6144:3Mb91bdLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6Cbv:URrgryg426RQagrkj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe

Executes dropped EXE 26 IoCs

pid	Process
4996	Kaemnhla.exe
4628	Kknafn32.exe
3672	Kipabjil.exe
4484	Kibnhjgj.exe
4172	Kckbqpnj.exe
1020	Lalcng32.exe
3300	Lkdggmlj.exe
4116	Lpappc32.exe
996	Lkgdml32.exe
740	Ldohebqh.exe
2016	Lnhmng32.exe
3484	Lcdegnep.exe
5020	Lphfpbdi.exe
3740	Lknjmkdo.exe
4388	Mnlfigcc.exe
2312	Majopeii.exe
3000	Mjeddggd.exe
1228	Mgidml32.exe
4856	Mkgmcjld.exe
1460	Mcbahlip.exe
3972	Nkjjij32.exe
1816	Ngpjnkpf.exe
3916	Nafokcol.exe
948	Nnmopdep.exe
408	Nkqpjidj.exe
1236	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kckbqpnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	1236	WerFault.exe	105

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4996	4920	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe	80
PID 4920 wrote to memory of 4996	4920	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe	80
PID 4920 wrote to memory of 4996	4920	5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe	80
PID 4996 wrote to memory of 4628	4996	Kaemnhla.exe	81
PID 4996 wrote to memory of 4628	4996	Kaemnhla.exe	81
PID 4996 wrote to memory of 4628	4996	Kaemnhla.exe	81
PID 4628 wrote to memory of 3672	4628	Kknafn32.exe	82
PID 4628 wrote to memory of 3672	4628	Kknafn32.exe	82
PID 4628 wrote to memory of 3672	4628	Kknafn32.exe	82
PID 3672 wrote to memory of 4484	3672	Kipabjil.exe	83
PID 3672 wrote to memory of 4484	3672	Kipabjil.exe	83
PID 3672 wrote to memory of 4484	3672	Kipabjil.exe	83
PID 4484 wrote to memory of 4172	4484	Kibnhjgj.exe	84
PID 4484 wrote to memory of 4172	4484	Kibnhjgj.exe	84
PID 4484 wrote to memory of 4172	4484	Kibnhjgj.exe	84
PID 4172 wrote to memory of 1020	4172	Kckbqpnj.exe	85
PID 4172 wrote to memory of 1020	4172	Kckbqpnj.exe	85
PID 4172 wrote to memory of 1020	4172	Kckbqpnj.exe	85
PID 1020 wrote to memory of 3300	1020	Lalcng32.exe	86
PID 1020 wrote to memory of 3300	1020	Lalcng32.exe	86
PID 1020 wrote to memory of 3300	1020	Lalcng32.exe	86
PID 3300 wrote to memory of 4116	3300	Lkdggmlj.exe	87
PID 3300 wrote to memory of 4116	3300	Lkdggmlj.exe	87
PID 3300 wrote to memory of 4116	3300	Lkdggmlj.exe	87
PID 4116 wrote to memory of 996	4116	Lpappc32.exe	88
PID 4116 wrote to memory of 996	4116	Lpappc32.exe	88
PID 4116 wrote to memory of 996	4116	Lpappc32.exe	88
PID 996 wrote to memory of 740	996	Lkgdml32.exe	89
PID 996 wrote to memory of 740	996	Lkgdml32.exe	89
PID 996 wrote to memory of 740	996	Lkgdml32.exe	89
PID 740 wrote to memory of 2016	740	Ldohebqh.exe	90
PID 740 wrote to memory of 2016	740	Ldohebqh.exe	90
PID 740 wrote to memory of 2016	740	Ldohebqh.exe	90
PID 2016 wrote to memory of 3484	2016	Lnhmng32.exe	91
PID 2016 wrote to memory of 3484	2016	Lnhmng32.exe	91
PID 2016 wrote to memory of 3484	2016	Lnhmng32.exe	91
PID 3484 wrote to memory of 5020	3484	Lcdegnep.exe	92
PID 3484 wrote to memory of 5020	3484	Lcdegnep.exe	92
PID 3484 wrote to memory of 5020	3484	Lcdegnep.exe	92
PID 5020 wrote to memory of 3740	5020	Lphfpbdi.exe	93
PID 5020 wrote to memory of 3740	5020	Lphfpbdi.exe	93
PID 5020 wrote to memory of 3740	5020	Lphfpbdi.exe	93
PID 3740 wrote to memory of 4388	3740	Lknjmkdo.exe	94
PID 3740 wrote to memory of 4388	3740	Lknjmkdo.exe	94
PID 3740 wrote to memory of 4388	3740	Lknjmkdo.exe	94
PID 4388 wrote to memory of 2312	4388	Mnlfigcc.exe	95
PID 4388 wrote to memory of 2312	4388	Mnlfigcc.exe	95
PID 4388 wrote to memory of 2312	4388	Mnlfigcc.exe	95
PID 2312 wrote to memory of 3000	2312	Majopeii.exe	96
PID 2312 wrote to memory of 3000	2312	Majopeii.exe	96
PID 2312 wrote to memory of 3000	2312	Majopeii.exe	96
PID 3000 wrote to memory of 1228	3000	Mjeddggd.exe	97
PID 3000 wrote to memory of 1228	3000	Mjeddggd.exe	97
PID 3000 wrote to memory of 1228	3000	Mjeddggd.exe	97
PID 1228 wrote to memory of 4856	1228	Mgidml32.exe	98
PID 1228 wrote to memory of 4856	1228	Mgidml32.exe	98
PID 1228 wrote to memory of 4856	1228	Mgidml32.exe	98
PID 4856 wrote to memory of 1460	4856	Mkgmcjld.exe	99
PID 4856 wrote to memory of 1460	4856	Mkgmcjld.exe	99
PID 4856 wrote to memory of 1460	4856	Mkgmcjld.exe	99
PID 1460 wrote to memory of 3972	1460	Mcbahlip.exe	100
PID 1460 wrote to memory of 3972	1460	Mcbahlip.exe	100
PID 1460 wrote to memory of 3972	1460	Mcbahlip.exe	100
PID 3972 wrote to memory of 1816	3972	Nkjjij32.exe	101

C:\Users\Admin\AppData\Local\Temp\5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe
"C:\Users\Admin\AppData\Local\Temp\5fe33096234e52d3452c829fb7c2f5c9e72a74560b085570b023b18f6039d4b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\Kaemnhla.exe
  C:\Windows\system32\Kaemnhla.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\Kknafn32.exe
    C:\Windows\system32\Kknafn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\Kipabjil.exe
      C:\Windows\system32\Kipabjil.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 228
        28⤵
        Program crash
        
        PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1236 -ip 1236
1⤵
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
400KB

MD5
8d2e4b5877fe3515029c524463f6a96e

SHA1
f9f0421f47c8faa2ee9421e7d6da2725552ce89d

SHA256
3e29c16bbd789e2c0154d473e5f5e8f9cdd5df5a8c2a3d15eda2be999dbda068

SHA512
91827e27dce53e309962b4d5afe005b23dd1774cf6200cc2b86b3918795ac045abd7c075bcc7e7fcdaeecaca44cdc379d4b774f36d2821ce75899a618a0d522d

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
400KB

MD5
9b26ae49ed238649c5b089eb95ebe225

SHA1
72d5ea62cf9688ff5fdef5dc6ad4fff0f273bc42

SHA256
6e1c1d3be42664fc2c67bec0ed0a003d0e771c95373e7fb2c1ae59d7cd387e6d

SHA512
0c035827847b70e96671eb8fd023658870cfa98bf6aef1d94dec3128e909cd66049be3409e0325a5c0498015d94253a9a2cf42f1d23af7dd52482dfe72c4e790

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
400KB

MD5
d01ea9bd690c9784550521313b1c0705

SHA1
7ca1d310aa09c8535960cb4b68763776f58dd2e5

SHA256
82d4d4fc8a9decf93df9dd7ed2eb60db08f8101ba46f308497c6c66aa78e7ddd

SHA512
f2826823a574ee45c9e2f48d983f190ca8a895a4129023237ac94bd2401d7de7e1f50c9086e7e242656c58c15396c3e1a9480cec16a18fc2cf58aa5da9d6e82f

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
400KB

MD5
3b16c42d2c72193bfd16b40ab72c75af

SHA1
197277708e1cac8873479e29677e9653a1c809be

SHA256
0913f7b828d78ceba064a82f84f818e99a495259c6ceeecebc7b4deab1ebe3ff

SHA512
13e0c618c11125877badc8402ed2b28041ba024eff951368d7748e71db45a77d2f8db23bd08601d18df9374d6bbe5a873e9bbb768899a3c471f77cdf4376d924

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
400KB

MD5
132c22d94e74ea62011fce337e9056bf

SHA1
ad2341f3b3069341fac5d399e45f75dc2be06b47

SHA256
f3499b824947550db022e91b1e8550370dd82d94e38604c141544a4b7b422b0b

SHA512
5a94ebe5c6289db081aab1d7fca75c7af1d81af8ed336594ec01b3be7e534c53871140aa51d8e1e2ea3f695f6e9a19b6ca0279fa39910431614f313deefd24ba

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
400KB

MD5
e0d8b792f891610260287b249fa41f78

SHA1
fa8488f05a25e27c7cecc231c491fe28238da4ce

SHA256
b2ab7124da609cfe7a3e55502c6b27d55e69b25ed4f65c969b395e02b3fa6e53

SHA512
7330505c5e2c47783e34b4bd392beeb7be7f69e23ba3128fd442a43dd51cdc14b7c9315e9f70cbdecc2441e7c3f7ae0fdd3b0f25ff07655b0dd7ed38aa65bf0f

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
400KB

MD5
6bf4db2000dfad5f219c67e01dd22279

SHA1
a0d2edb0774b90960685e04deeb752b5a5fd3675

SHA256
1f941b4258dd4d485aeb993442683a61dba1073d4cf9ca2df8c5b5515eb2850d

SHA512
e241618c52c2687a84490d4b664d0c9680d8f67b4996876955c5d4e2f1fcf74bccc6d11683abce1225c067a8a14220ae356db9ef863a0195bfd51a64134c6941

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
400KB

MD5
93a057908f9fee6219c1db26b0cdcd4e

SHA1
aa9df35fe8257f40f6d27183a84d178a08e0826a

SHA256
52ec6da0c842735108e1419908108169677381c3d5a140666324cb66c92612a8

SHA512
7abdc30f35294352e77c0d181a6a49f12ce94cade5c6e3d0286b532fa566b865240233a691459760b3f679e20498c7719b9bb0931702f057c136807a1bbeab23

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
256KB

MD5
227ea53c41a348e424f800bfd3044f62

SHA1
3b2b4d0fe639448399bb074e18e52ee60e6a88f5

SHA256
776c7c16ab31160a7b1cee0ae451b42be69d6fd1d098a60571a07ba67e6180e6

SHA512
ec6c73aa64e828922dab881aa52959393f940eaf9f634039db59cf21fca188bc96c786354a8854e0b382c8891e39d8e50f0a5ab46e2fe8385755495d66ee5cf1

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
400KB

MD5
eb1f13571cc6c1fb548f6de26b4b80b1

SHA1
7cd7ec1054e1ac8b2597b4591d82b15ef1c0b381

SHA256
a0667d4c5b8a3b488d26f92b6838e46a1b4f519b4f7ccd41d00376993a421e8b

SHA512
6fae53958c378b8834dc867478d005e2a12826626003ee361fbd2920fef17c5cc2c92c185f0e2b1b58a701b77bbf94a5922d618edb068db5a78522c28fc72264

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
400KB

MD5
f2aea938cd9fb0fb923f91b9b294ddb6

SHA1
d9e361395dd8e1ac99858661367ea09631b7d562

SHA256
f81f39eb1fb9c1dc70fb6a59797431e7adf2ed2ab8474857983c13bf7434f339

SHA512
3d7a806b07eaabd7d1da35fd1629a6abd354ed59a7893b526a95b30c9afe014ebdfc9295417f22f3cd703e9472b0724504346b4850da9c1f98b73d89fa6552df

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
400KB

MD5
fcbd12cd86e2571b4574178ce12b52c3

SHA1
34d47575db94c94e5a0dd3e762ac50faf30cf683

SHA256
ab3ac28a4ae6a188a6fc9fc8987bf20e249e42cc1e8fc896f07a9ea70b24c417

SHA512
9672b326e58507b272147f79a5dda74ae9de75f232a657ca2098968e28d1721cbb0572415661ca7a3a8cf358e0c1ef356eb7e31a6dd6a6b859167fddb9311fe6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
400KB

MD5
510194712b150d5575f038d6867f0957

SHA1
242ec7f606fcc152c2fae1a54e061de494c80eb8

SHA256
53cf9dd6d0b04bea20c1b3bf78a303d379e0d71e7c0a173d49718f171239ec6b

SHA512
d9f22cc014287f7eb44950166313a31a919d4b698196d8f014dff099f2dd700cea03635c172f66305c9febd43cc2dabe3f51768934713cf1ef5250a5d9476505

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
400KB

MD5
2ef3516c685d4d94e15e57711031905a

SHA1
073ca82cb82973010cba4b67ece4bd2a72740002

SHA256
2bf78a81c5840c9cca46c2ea5583a0e0c38c93ca84007fd1015cd6f700a541c2

SHA512
18a78011e451222ea7993db1634665ad25bfdd72d0966c4751b1c3a0695038a6249bcc03855039df3ef12c2acba8b0b76b7572ea8958ae9e61dd938cd1c5b269

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
400KB

MD5
66e9b4b4e11ed17da2030d89ba201877

SHA1
ef52acc65053048505a827d31c0d21b742997d8d

SHA256
c834c185f106a3f7b446774f454b151d367d154263cad1b2be1e59ba5f7bcd98

SHA512
a01eb6b3c6620047a05e854d06d90291dcf12084a20bd51fe5c40f65d9abbf0b45d2b58caf8130b255acd30231a841195f884e6c8b6d8d3ccacd8d98f9982d62

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
400KB

MD5
f8e700d89b83309c0445c5eac10bb89a

SHA1
5d7542bdac174f4f6a03b1c67a777830b36bbff8

SHA256
cab09fa22a3d968a0afb3d48739470ede0dcac39ff94541191d44d5b487a35e7

SHA512
5cff02a16fe839ba0481d1f496b778d7f01dd1b7ceaa3c099b394f39c3ce9cfc57f7e75dafee062aedc9a5696aae74629b826c8750df3b467f2b3a811bf4011f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
400KB

MD5
90258f90efc3de4a471e03cbd157bd07

SHA1
ce2f3d9ce41cb4d900aff2fbe8d4b61ce93c0d46

SHA256
4f5e60a7bafdebfa8ababc26e8a386cbee397a1c3cc33a2e9bfea7be363ce8a9

SHA512
30cb0e0ae918bf7df0e4ab4af775846740f2b60d058151e303e98c7d3ed5b17afc0605528afae2637fd7dfa03c54bffbe5b7b43e8bbf3d6ca31a4b99cd46005f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
400KB

MD5
f8dd53eb275f90962b9d1387b798250b

SHA1
6254822c83ae7116d100c381121ea0a181e74fc7

SHA256
76ca2b1ce666323dcf26162ace15ca9ae503fad3ad855e0f01c8182d21cbf77b

SHA512
b14dd73af64c5b10a3aa1c9fb35d162ae6485de375e5bfc8a015a2ee2450e939e698faddb66f36fbbb99ebbc79b339c8c1a54218e2892c8399599ebb4bc6af6a

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
400KB

MD5
2e85e0fb07ff67f0caebac93b953eca1

SHA1
455064928621e1f5f623ce40169989ad21264b6a

SHA256
97451f86b505a70a14f1aaeddcba9f3d235bba93bc615d8a8dde717e7892c0cf

SHA512
77e457b59327df22327ab5b51ccc3fa43bec8f1d16f32badaa7a80eda13be01bd73e8f3a924c7e3ac16ddab242714fdba1d415f1a641adab95fe04a083c596fd

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
400KB

MD5
0e1927b9ca46555d94f56eec6ade1184

SHA1
198075fe67b87e1f14af279cde1dc21334905e75

SHA256
f8b1b2b6291680c59deebbd2075004e14db324b79970e28aa985466b46d471ac

SHA512
414f795712f506517237ff3eb45ae07e61163d632fed3495247b15c957b396f87aa177e44ec7291eea06e4ff6457cd5a9992833fc2f3d529ad2fa324415d3a71

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
400KB

MD5
8a05dde40962a0503b1daeec12380e6c

SHA1
0ca4977b88a74f9868142657837c1c380f05b5c5

SHA256
9cce51e07f43efb9d9f8a13b05f6fefae6e777ff7234dac65ec18d9646f3c176

SHA512
b705a933087c4b2b0d88ccdb21c9eb5b8777833c134b1715451fc83cac6da926176ea10c23a9b58b94f751f203a0de3b9a807ff67031d9f3cec66a1aeb8317d5

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
400KB

MD5
c4f7a662ed147ec4e3152aa38888156e

SHA1
697b5a685b554f7efce87ab3e689f725770b297c

SHA256
0ccf75cf467d588c84b04a2d91f71f5676242ea442283c6a88dfa19f6358632c

SHA512
970bd7965f0fa194e4e3b9df25ffcec7061d305b4b368b1139dde0a27e17dc4133c868a0b74b620d0c0c31f2cc3375a8649b624be29c854261c82b6221668fa4

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
400KB

MD5
05983d8c9f269fb6e6012321fc7b3fa7

SHA1
dd1684aad091b2223b0145c9cac7bb875aa78103

SHA256
716551a56a67f20342b4e8cf1f48090c94b130f2976054439c66406b4f5c05f0

SHA512
b6613ec2221a7a2eec0f001ada2dd0fa2614041935e78a865dbd9c5075686868740d3fb5796209e2ac3570febc5fb312efb328a5beaca53dc87027e89f7b8b13

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
400KB

MD5
cc2fdb4d01804b2a9770998a8ed3ae48

SHA1
43d01ed07d1935c88eb60bc7ead4c3bf9ff8fa33

SHA256
f9042385efff0a2ecf5733b22efdae0185a34845cffafdce934ca8378e216f3a

SHA512
56266e5134eaa5d42889ca15086251ce6c712e2aa40c086a1457747a8affbc703d14c8b9132ed2cf075233f0a9b27870763bd300612675c9a9b3b98be58078a8

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
400KB

MD5
e2aa89c84fb86c797e6b6261e46f5226

SHA1
623160909d20396d623b3676b1322a4ab261f905

SHA256
e1e3be09b96957abd4ffc8dbfc7601a807bbfb8584c539baf5cb6e99104c8527

SHA512
452fcea66f0e4b838488e5f53976e88d4afcf3efb72bacf0abe6f42f26c8705439c4b01704ae2e7144c3954342d133d5bb5b1d19fd9676dc8869fb5def1c42ea

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
400KB

MD5
22dd55f268994f2f4028ee230bee315d

SHA1
b78af4d86816c38cbaaf33c10a5a0dcfa5ed4f46

SHA256
f06e2efa0b7df0c944d16f2bc0cd4c4de9ae701d697e980d349b424d82acb45f

SHA512
69f2b7ce0a74e821750a4a4f7d9c864a495f6030b4f857e5c1ee4016b4edfa1daab378ab04cc28ec9f6ef81145fddb33c6cb657d563fd532ebc758040b2102f0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
400KB

MD5
e640382511111bffab1003068452a006

SHA1
af4809b4237eaf21c2751b6678bf97f5a26c0077

SHA256
9509abb089f50704e47a7737eaf51945905680d8ddd62062c4a4e7a5caf08c29

SHA512
e6e6c38d1ebe257440ef0ceb024c8b6e3963271131a4e8d828c0d757e14b0455931dae34645c96a5090655ed6336e2dce273ce661e967a2c81c0c0ddef277395

Download Submit
memory/408-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/408-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/740-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/740-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/996-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/996-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1228-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1228-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-226-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-230-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3300-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3300-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4116-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4116-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-252-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4628-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4628-22-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4996-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4996-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads