1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Size

77KB
MD5

d27f2df73e11c2d8f43a620c24595f57
SHA1

bbf2ae85ae57727d036845867a0633372a961cd6
SHA256

1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456
SHA512

ebb3fa84251141111c99a900cb321f3c8b9842f037f864568163e820f17ee5444caf10fc480917ff1beadcfe9dca52137eed1dae76a7147c45fcd027c3659ba3
SSDEEP

1536:xys+oGV8rMGsZGHScMdB0u48XRSu6M4a2oY2AEPv4o32LtCAwfi+TjRC/:xyte/FScMd+u48XRSu6/vEARwf1TjY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igchlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igchlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdbkjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgojpjem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcmjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilcmjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgojpjem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpcbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpcbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leimip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbkjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe

Executes dropped EXE 28 IoCs

pid	Process
1284	Igchlf32.exe
2700	Ilcmjl32.exe
2092	Ikhjki32.exe
2784	Jgojpjem.exe
2496	Jdbkjn32.exe
2544	Jjpcbe32.exe
2016	Jfiale32.exe
2760	Jcmafj32.exe
2808	Kkjcplpa.exe
2044	Kklpekno.exe
2404	Kiqpop32.exe
752	Kaldcb32.exe
956	Leimip32.exe
1644	Lgjfkk32.exe
2384	Lmgocb32.exe
840	Lphhenhc.exe
1156	Ljmlbfhi.exe
3052	Libicbma.exe
2128	Mieeibkn.exe
1100	Mapjmehi.exe
1672	Mencccop.exe
1316	Mkklljmg.exe
1940	Mkmhaj32.exe
2844	Nkpegi32.exe
2444	Nckjkl32.exe
2080	Npojdpef.exe
1528	Nmbknddp.exe
1056	Nlhgoqhh.exe

Loads dropped DLL 56 IoCs

pid	Process
1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
1284	Igchlf32.exe
1284	Igchlf32.exe
2700	Ilcmjl32.exe
2700	Ilcmjl32.exe
2092	Ikhjki32.exe
2092	Ikhjki32.exe
2784	Jgojpjem.exe
2784	Jgojpjem.exe
2496	Jdbkjn32.exe
2496	Jdbkjn32.exe
2544	Jjpcbe32.exe
2544	Jjpcbe32.exe
2016	Jfiale32.exe
2016	Jfiale32.exe
2760	Jcmafj32.exe
2760	Jcmafj32.exe
2808	Kkjcplpa.exe
2808	Kkjcplpa.exe
2044	Kklpekno.exe
2044	Kklpekno.exe
2404	Kiqpop32.exe
2404	Kiqpop32.exe
752	Kaldcb32.exe
752	Kaldcb32.exe
956	Leimip32.exe
956	Leimip32.exe
1644	Lgjfkk32.exe
1644	Lgjfkk32.exe
2384	Lmgocb32.exe
2384	Lmgocb32.exe
840	Lphhenhc.exe
840	Lphhenhc.exe
1156	Ljmlbfhi.exe
1156	Ljmlbfhi.exe
3052	Libicbma.exe
3052	Libicbma.exe
2128	Mieeibkn.exe
2128	Mieeibkn.exe
1100	Mapjmehi.exe
1100	Mapjmehi.exe
1672	Mencccop.exe
1672	Mencccop.exe
1316	Mkklljmg.exe
1316	Mkklljmg.exe
1940	Mkmhaj32.exe
1940	Mkmhaj32.exe
2844	Nkpegi32.exe
2844	Nkpegi32.exe
2444	Nckjkl32.exe
2444	Nckjkl32.exe
2080	Npojdpef.exe
2080	Npojdpef.exe
1528	Nmbknddp.exe
1528	Nmbknddp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jjpcbe32.exe	Jdbkjn32.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdbkjn32.exe	Jgojpjem.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Kklpekno.exe
File opened for modification	C:\Windows\SysWOW64\Leimip32.exe	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfkk32.exe	Leimip32.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Hnepch32.dll	Jgojpjem.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	Jfiale32.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kklpekno.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Afcklihm.dll	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
File created	C:\Windows\SysWOW64\Ikhjki32.exe	Ilcmjl32.exe
File created	C:\Windows\SysWOW64\Jfiale32.exe	Jjpcbe32.exe
File created	C:\Windows\SysWOW64\Mmdcie32.dll	Leimip32.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjcplpa.exe	Jcmafj32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Libicbma.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Ikhjki32.exe	Ilcmjl32.exe
File created	C:\Windows\SysWOW64\Jgojpjem.exe	Ikhjki32.exe
File created	C:\Windows\SysWOW64\Jdbkjn32.exe	Jgojpjem.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Leimip32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Igchlf32.exe	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Ljmlbfhi.exe
File opened for modification	C:\Windows\SysWOW64\Ilcmjl32.exe	Igchlf32.exe
File created	C:\Windows\SysWOW64\Mecjiaic.dll	Ilcmjl32.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Mjbkcgmo.dll	Jdbkjn32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Ilcmjl32.exe	Igchlf32.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Jkfalhjp.dll	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Lphhenhc.exe	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Igchlf32.exe	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
File opened for modification	C:\Windows\SysWOW64\Jgojpjem.exe	Ikhjki32.exe
File created	C:\Windows\SysWOW64\Eiemmk32.dll	Ikhjki32.exe
File created	C:\Windows\SysWOW64\Dkqmaqbm.dll	Jjpcbe32.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Jjnbaf32.dll	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nckjkl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll"	Igchlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnepch32.dll"	Jgojpjem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdbkjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpcbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilcmjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgojpjem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgojpjem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcklihm.dll"	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikhjki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdbkjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiemmk32.dll"	Ikhjki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll"	Jjpcbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpcbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igchlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgocb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1284	1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe	28
PID 1988 wrote to memory of 1284	1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe	28
PID 1988 wrote to memory of 1284	1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe	28
PID 1988 wrote to memory of 1284	1988	1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe	28
PID 1284 wrote to memory of 2700	1284	Igchlf32.exe	29
PID 1284 wrote to memory of 2700	1284	Igchlf32.exe	29
PID 1284 wrote to memory of 2700	1284	Igchlf32.exe	29
PID 1284 wrote to memory of 2700	1284	Igchlf32.exe	29
PID 2700 wrote to memory of 2092	2700	Ilcmjl32.exe	30
PID 2700 wrote to memory of 2092	2700	Ilcmjl32.exe	30
PID 2700 wrote to memory of 2092	2700	Ilcmjl32.exe	30
PID 2700 wrote to memory of 2092	2700	Ilcmjl32.exe	30
PID 2092 wrote to memory of 2784	2092	Ikhjki32.exe	31
PID 2092 wrote to memory of 2784	2092	Ikhjki32.exe	31
PID 2092 wrote to memory of 2784	2092	Ikhjki32.exe	31
PID 2092 wrote to memory of 2784	2092	Ikhjki32.exe	31
PID 2784 wrote to memory of 2496	2784	Jgojpjem.exe	32
PID 2784 wrote to memory of 2496	2784	Jgojpjem.exe	32
PID 2784 wrote to memory of 2496	2784	Jgojpjem.exe	32
PID 2784 wrote to memory of 2496	2784	Jgojpjem.exe	32
PID 2496 wrote to memory of 2544	2496	Jdbkjn32.exe	33
PID 2496 wrote to memory of 2544	2496	Jdbkjn32.exe	33
PID 2496 wrote to memory of 2544	2496	Jdbkjn32.exe	33
PID 2496 wrote to memory of 2544	2496	Jdbkjn32.exe	33
PID 2544 wrote to memory of 2016	2544	Jjpcbe32.exe	34
PID 2544 wrote to memory of 2016	2544	Jjpcbe32.exe	34
PID 2544 wrote to memory of 2016	2544	Jjpcbe32.exe	34
PID 2544 wrote to memory of 2016	2544	Jjpcbe32.exe	34
PID 2016 wrote to memory of 2760	2016	Jfiale32.exe	35
PID 2016 wrote to memory of 2760	2016	Jfiale32.exe	35
PID 2016 wrote to memory of 2760	2016	Jfiale32.exe	35
PID 2016 wrote to memory of 2760	2016	Jfiale32.exe	35
PID 2760 wrote to memory of 2808	2760	Jcmafj32.exe	36
PID 2760 wrote to memory of 2808	2760	Jcmafj32.exe	36
PID 2760 wrote to memory of 2808	2760	Jcmafj32.exe	36
PID 2760 wrote to memory of 2808	2760	Jcmafj32.exe	36
PID 2808 wrote to memory of 2044	2808	Kkjcplpa.exe	37
PID 2808 wrote to memory of 2044	2808	Kkjcplpa.exe	37
PID 2808 wrote to memory of 2044	2808	Kkjcplpa.exe	37
PID 2808 wrote to memory of 2044	2808	Kkjcplpa.exe	37
PID 2044 wrote to memory of 2404	2044	Kklpekno.exe	38
PID 2044 wrote to memory of 2404	2044	Kklpekno.exe	38
PID 2044 wrote to memory of 2404	2044	Kklpekno.exe	38
PID 2044 wrote to memory of 2404	2044	Kklpekno.exe	38
PID 2404 wrote to memory of 752	2404	Kiqpop32.exe	39
PID 2404 wrote to memory of 752	2404	Kiqpop32.exe	39
PID 2404 wrote to memory of 752	2404	Kiqpop32.exe	39
PID 2404 wrote to memory of 752	2404	Kiqpop32.exe	39
PID 752 wrote to memory of 956	752	Kaldcb32.exe	40
PID 752 wrote to memory of 956	752	Kaldcb32.exe	40
PID 752 wrote to memory of 956	752	Kaldcb32.exe	40
PID 752 wrote to memory of 956	752	Kaldcb32.exe	40
PID 956 wrote to memory of 1644	956	Leimip32.exe	41
PID 956 wrote to memory of 1644	956	Leimip32.exe	41
PID 956 wrote to memory of 1644	956	Leimip32.exe	41
PID 956 wrote to memory of 1644	956	Leimip32.exe	41
PID 1644 wrote to memory of 2384	1644	Lgjfkk32.exe	42
PID 1644 wrote to memory of 2384	1644	Lgjfkk32.exe	42
PID 1644 wrote to memory of 2384	1644	Lgjfkk32.exe	42
PID 1644 wrote to memory of 2384	1644	Lgjfkk32.exe	42
PID 2384 wrote to memory of 840	2384	Lmgocb32.exe	43
PID 2384 wrote to memory of 840	2384	Lmgocb32.exe	43
PID 2384 wrote to memory of 840	2384	Lmgocb32.exe	43
PID 2384 wrote to memory of 840	2384	Lmgocb32.exe	43

C:\Users\Admin\AppData\Local\Temp\1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe
"C:\Users\Admin\AppData\Local\Temp\1d7ead8dd3edf177c66dbd86e72fc1fb205ab4932098e9e11d966f4565d8b456.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Igchlf32.exe
  C:\Windows\system32\Igchlf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\Ilcmjl32.exe
    C:\Windows\system32\Ilcmjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Ikhjki32.exe
      C:\Windows\system32\Ikhjki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Jgojpjem.exe
        
        C:\Windows\system32\Jgojpjem.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\Jdbkjn32.exe
        
        C:\Windows\system32\Jdbkjn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jjpcbe32.exe
        
        C:\Windows\system32\Jjpcbe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Jfiale32.exe
        
        C:\Windows\system32\Jfiale32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Jcmafj32.exe
        
        C:\Windows\system32\Jcmafj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Ljmlbfhi.exe
        
        C:\Windows\system32\Ljmlbfhi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mkklljmg.exe
        
        C:\Windows\system32\Mkklljmg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        29⤵
        Executes dropped EXE
        
        PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
77KB

MD5
c43a61031c7cec156d425224948cfb3d

SHA1
7d2b8e7462e2d1177eda469fa415bd543e0d9ebd

SHA256
7af9e19bd42e2cb03b2e4bba8cba029312136a7e843ae65782e196ad55720ac1

SHA512
e13d0ebdc6b98a14cd532a6526c4e56a663c3b1bb9c2e28feec19ccefe8d40fcea1385971a31447736537080b006e985025d1d50dda9d7af5dd5d04d4d70bc9b

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
77KB

MD5
2c77de30561ab5410aa077d0b4cbd6f3

SHA1
4d26ac8619072e916b63f9bef67ed8d20e9092c0

SHA256
c31cd791570bafb98cfbf55fe4e176ff64f2affcf2e9c923afed0902a7bb1054

SHA512
29b596e53462b082c5daecfa9a871a69a81466de08c48f10adf7bc5a33bab33e8007084049b7fc34e0b2e85f6bfbf172ffcec57fed78b7dffa5d13c5eae3408a

Download Submit
C:\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
77KB

MD5
df36e2445229ec03721294a9cba4f31d

SHA1
4960f0ae78f963084439965c5075129d6f0050eb

SHA256
7ec5a11c4dc4e39d889af1a73eb4edfe491bd3e9cc59282c5c631f10374d190f

SHA512
0a56f281c22c70beedc7c0529d71c58f5db0f0ca320235549541c6353830180ebca468d1e6cfa8b4726cc9d5b3e39784f9c982531f90b6ffbeed3bb3fca91bb2

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
77KB

MD5
dc4d8945b132bd5c5daed857c25627b0

SHA1
5cc22eeb4a67009357d477913b5e2ceb104c4038

SHA256
ab8172f3c9e5e02684abb6bd997654e9f3199496a57ed000b238d775acf70972

SHA512
5f733ab6b0f853a14962af9d3a80f88f15ec627d711c1ac490c5d7d0c7b72ec326c90a2c3833c0654bf9569ee4024c4b59e6181038a0f23ee5c3fc3de2de8163

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
77KB

MD5
8857cc4dfc4c04e15722a2076a9f36a1

SHA1
653f2092cccfa79d3f583f05dfceac62db2838d6

SHA256
09028ea1ae054aec0256a025711ae374a22a731ebbe7f8b226084a1573a44950

SHA512
f8225c384dedc41a930f6e423f45ade74f53ec9920c575186dfa912abb7ee9b04437ae7e6dbe85b742b71247be17aadf0e7932babef972bff0cb503cd79d3dc3

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
77KB

MD5
366930897c755e8f2b8ac18be66e96f2

SHA1
2c6abefbf41dcf025efdee99af8aee3c09705096

SHA256
d91fd98e6b91f57b33ce11364a98b4f5124c6ae3b5664c0661ee57ac9dc1dce0

SHA512
6c96e160ba32cbaaf7296cb4fc4825ef5f8cd4f41b98ddfee52415138f7efb18b82e2e3e584354095b367b6a5771a1e131fd8095333d3331ec891d1e47a8b657

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
77KB

MD5
e546faf9e4418e4ff8445ef14e45693e

SHA1
ff0226ae7ebf1a28d9556373a29ab60e389ff18e

SHA256
95ab61d9329fac6262e74e5585eb7f61f9dc0ecc03cec6f55d16eeaeccb0dd8e

SHA512
f3b1306e4447c2d8200b0af6508a11a6aabbdf08cdf8219f2e9a5fb6e4a14e0336bd74dcdbc076f81213c50b8f875685c64c5b1fd58322d38ee9795fbf1a72e9

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
77KB

MD5
67ba327f274f84f7ed96191074cfb18a

SHA1
ea5bec0881a4488bfb44577f05b3180c31c599da

SHA256
1056fa2a31644eee6d4306d5a44ea4ec1257c2fa07af07f43866ef7636536b0d

SHA512
d5edc10c557d308b7d0cbaeb60d565cfb93ec428d19d7f1dede4c18380a86832db9d88c84d690cd6ea85424c7425c7b9fac91b73e9a15f9744702aa9c5f67afe

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
77KB

MD5
9a61ee40d4e3d329f191cca42edded2f

SHA1
98219f9b30bb1fa743a1be82727a0f460e27577a

SHA256
498cd2126f3faaaaac2fa3042af6dd89e520e1615bb9897e189c0d799734544f

SHA512
d2a2b085d12eac0f0953c253bc059ce9881a26e42ccbe187e9377a35ca8037d783655f8eb81ca9aef827612dbb7ff5e1b22051ab58f4ae741cede1d7bef3560b

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
77KB

MD5
970999eb96dd9ca3f108eaf085ec50aa

SHA1
cd68a796fa436cbdea35f920b4b8b869ed26db61

SHA256
adbc76bcdf9ab975397e47b22d38543785d4fcbefeef8aecb3c98e87522d0efa

SHA512
684f85925af58fc8f29248f2608284e334c2406dbd99dad1b76c7bafa2fa1e56b107d23b142b43dc4c35ecb5a9d0d1919ac4647480827b2905e320a2ad545b8f

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
77KB

MD5
c4d7680d41d8308f9d9e940fee3792ea

SHA1
0a083c9ce4594747e084e336f5f6d287f446e70f

SHA256
57d5e26932904255923c5efb6fcdee0330e7e8e0846008f4d699e8c704165520

SHA512
a44f2b4fd9a05890913225c89025c64536b2dae7b03c0e69cf9fe6642590b12d3367851b4c05493d1cfdafa2a6650855a58f51664d4bc09489964cdf526c0930

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
77KB

MD5
860ab9de50b474c6363d85c1aa4ea199

SHA1
a2a356287be8b3164491f517c420a52ccdc6a0e7

SHA256
80a0b9474bccc8d997e432e6605dadeb5c70afc043db90ae377cdd0d36418a31

SHA512
80080dfbdc81efdeeed01b24a90b05ed24637f6eb4299d2cbc82293c6458830fb48bf0dffaeb1ab1c7f666934389ee0435249c92568629f18f965535fb5a2ad7

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
77KB

MD5
61f6b0d2061ee66d351d712c1fb3bb13

SHA1
2add9b075339c0dce9484e5a9c32703c936419e8

SHA256
b2c276ef3cb04906c94ad95c955dfa0e7497adf3e2c9feecc7c6fb47464e22de

SHA512
dddb8ee6fcf5bbbfffebc11fad1f8f751c03a6d62caa8d766083145fd49b4bb08d8edc40bc4ac1610777fbf405b78cbc7b0b583ce9d9a407ddf4e77d33e847ba

Download Submit
\Windows\SysWOW64\Igchlf32.exe

Filesize
77KB

MD5
ef7908503fb0e610879f87ea852a051f

SHA1
454a88dd6ce22bd0baf263c6e1222520f53ac00d

SHA256
e6ffe597fbcea7b290fb9fba360a2fbdf433ab911136ed7ad9296e578c88b18e

SHA512
848a9b24fad67a5d27dddb2b65b1be47b8768cb9da026c918a04543831da0cadbcb82a4796de0fe3b12de119f13b857f5a4f208eff08b38d11810706a868f7b7

Download Submit
\Windows\SysWOW64\Ikhjki32.exe

Filesize
77KB

MD5
ad439667e5afa963dd251e52d233b96b

SHA1
6e295c8e1bd1fe6399a94a2332de98f67ab3b966

SHA256
a79456a79dc83e30680cb365f057215184100e09e2c80b9a3b1da735ecc43366

SHA512
e5eec6216393fb8fcd434d98238fe1e97191f0a3f448aea272e3c7b2b7df46772120fc957c842b85bef8eebac6e01134745a05f6fcfa55e6955d1c1b5591ca79

Download Submit
\Windows\SysWOW64\Ilcmjl32.exe

Filesize
77KB

MD5
29edaa1107458a0bc17a181b49890705

SHA1
1075a42e39ed67aa989f7a051e35bcb040873ca3

SHA256
a6d50fc24dbe911a55dce1cf5ac16ec1e3af403282e4a97c929d7f5ba3a5c81d

SHA512
607c54706f7f3d4bd580bf949e2b4bb1c40cd658af1fa08049695216dee86cec3de93ad2fec7826fe4cc2e9f290c712e6cb381c69496c3ffc8cad85b1a2285f1

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
77KB

MD5
abca720daa79ab8c0c549fbe3cc4df0e

SHA1
0fba9538b5bf65328422834fca2cea4b5ef91101

SHA256
705015b697c2f0046bbd9fe14e0df0deb35e6b9c4dc0774c8cad0cfc2a5aced5

SHA512
6cd4ed937faf4a9250843473b1a44a421f94f56cbcae3fdc7b9d2a1b4bd3eaf9c892ff2c355a75001248e14b39c6060fa28eb8b39d4462de2f262e3ac091162d

Download Submit
\Windows\SysWOW64\Jdbkjn32.exe

Filesize
77KB

MD5
795c8d4c67c1ecce60a3da8952dff0b7

SHA1
02066a42cb1bc28001f433c0d425fada9ec77c5d

SHA256
495d2c020407c6b537377cf4d7945da7cb5b7eb2904a5e21e387917bb439aa4c

SHA512
cfcd7910603b538be2925459b4eb9a6dd304119bedbc82025607d37cbf473f68ceb640a15b2dce59e13ad0cdea5a98e477b19573fb5fc4902d78b13bab66f92b

Download Submit
\Windows\SysWOW64\Jfiale32.exe

Filesize
77KB

MD5
77aa1b5fd7a0989459f91f92b9274226

SHA1
f5c88064b4c643a4d0a45bb4df64a486aec40679

SHA256
4491990484cd2f924295da6b0c316f67fcf9064c275079574f3a1ed0cb48c55c

SHA512
eeb564de184564a7931e1fdba031463e2d886a9b99b415e61e0d5b635089369517b54195dc70e90f1df7858fb09e09b76d830bb1675910fb8db78062e66e6042

Download Submit
\Windows\SysWOW64\Jgojpjem.exe

Filesize
77KB

MD5
c812800e06babd46413c42f2bb1a01cf

SHA1
3f4e96adcaa9f9ffa40de47940efb648ef4f3d07

SHA256
01c9b6dac1ef13abf9aacff1c5c422c5c7658b2cbc9de221122a178bc0dd3d99

SHA512
3d7280aa2e224f218067f3c05672ceff0f95054cb08411887e73529ecd1d5125c388b4c66a2ab0b93281055d5784e92d93cbec19e9fc2c269b139f86069e1990

Download Submit
\Windows\SysWOW64\Jjpcbe32.exe

Filesize
77KB

MD5
ca9b0b974c1101e04ebecd9575231ca2

SHA1
f55a7b7c08dc3348980647cfb111a2aeb27348b7

SHA256
233194092e8330054430fbe21413ca037ac1da03223698f36e64c53807a506c2

SHA512
35cd8ed5842e50b0a6d8899b58d9ab34522c55db08c85d52d2c0a98b6be3bce6760683b9b7527732bb6aa2e1b55f0f1e63e53434a92059abf49c2a3f19007c0f

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
77KB

MD5
c371ceeabedc66f5fc826f169f6f813e

SHA1
49afc269e808068ca6947e4cb27b63d895bfe33a

SHA256
5b056417b6d65f79e3358423f60356a29b70ee30aae4035da26199058f80b127

SHA512
12b1193020b1c0bea10288be69e3934ffaa787f9a24aaa81866dfc30d875e5c6b639e7bf2e975e141dde3e8e8649584d41a2cfecfad9079a64221609a607b46d

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
77KB

MD5
1e8b09dbac6da4d12592f7b4a225cec8

SHA1
d2cf71b7e7d8f2e55cd4641560657b6541856a20

SHA256
b2106dd0c6ea9e12c74c21b1acd57d1cee9345854ad8b64ecd7f1775f2c78285

SHA512
6c81b7ccce67e3dbc9362c0c878a42f5ee1f16b0cb44f7ff1e327be4988f1f690013e30c1343c140f991eccb7080f0f3f2032a0d56116f64794d1662e512d244

Download Submit
\Windows\SysWOW64\Kkjcplpa.exe

Filesize
77KB

MD5
a77978686f282533dde9775da4c7c825

SHA1
c3c5049ab5db27034d02474a7320adeef94bcef0

SHA256
a02d399d80b60acf257af9debf86c99f647497b25426a58be17142974685e550

SHA512
78405230233cf0c69e7083ce9a0ef48ae173e45c9fa89b0ae640f2354bdba06c4727da63925363edea3070fe1b3a4972d6595053d3ff34541a3677a1ca89089f

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
77KB

MD5
20c354235021907e9946d8e48d560b43

SHA1
61c3fbc1adf6be53507c33fe23b7cde6b0ada967

SHA256
5da8afbcb7c69755b09a66d9fb050d8f80f8b63d889f6a51ec56a3a5ba3323d3

SHA512
8107620480196e1d19400f22330424dcaaa6819c394f814cf113623b0263b111e8dff51c534b69b2003e8e0d8ce4ac7ff91b75956bab0ba4b045de9eb597c9fc

Download Submit
\Windows\SysWOW64\Leimip32.exe

Filesize
77KB

MD5
372f3adb6bae6f75d28a060d1ed5a472

SHA1
4f55cde55f2e59ce5294740ca4dbd8a3ecd193f5

SHA256
3846a1ec03063b0c1d6afcc0823b782fff4b6c05fa5f56e0e271ead76f2256b9

SHA512
fbf6f963f3ba8e74ff39bca60435669659ee9084b79427e026ef30b2451509d3312f852e077548f5bd32e6afd2b1120b9b186007ff5a0406c4f0c1d7ecaa96aa

Download Submit
\Windows\SysWOW64\Lmgocb32.exe

Filesize
77KB

MD5
cc210e56cc2f67949442dd2132c3d438

SHA1
70be6cec511d9f88502d77d3dd463ce97b7373ad

SHA256
39b63a555da4b57e10a2f62cf69d713401b466da74bfbe7e6f74176272d6f6df

SHA512
c2d32162345cd17a2a2bed8a5129d6cb50d3d01ba39a44a98cc22fe67cac0af0dffedaf8bfa38e8cf15bea554042bc9322133d0e910b7fdbc286db5337e360c6

Download Submit
\Windows\SysWOW64\Lphhenhc.exe

Filesize
77KB

MD5
55fd427873f278635fbc17a793966721

SHA1
bf771d2b7437419b20490ca484dcf2aa3afe4b25

SHA256
5fc5d217ed5ad092fbb5032584f31f1cedfae508ec039e826127a9836fe04524

SHA512
b690466bc2bb544a05bc598d7ca38287b8198dce8faa6cbace665d93b3ddb9e04bf780bc2306887055a8617cb580b0844af66c415e83cb99ed55a1c56d23ac39

Download Submit
memory/752-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-217-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/956-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/956-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-264-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1100-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-260-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1100-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-227-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1284-26-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1284-25-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1284-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-283-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1316-282-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1528-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-334-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1528-338-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1644-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-272-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1672-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-271-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1672-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-297-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1940-299-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1940-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1988-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-101-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2044-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-326-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2080-327-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2092-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-250-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2128-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-246-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2384-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-320-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2444-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-318-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2496-74-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2496-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-34-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2700-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-118-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2760-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-61-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2784-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-305-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2844-304-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2844-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-239-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads