d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Size

80KB
MD5

18b9fe7aa0421e2f45f7af19d947e01e
SHA1

feb9ab9b513a9e372dfa01176f9999923d041f95
SHA256

d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5
SHA512

c287ea7c202022dd48d23d148f729e8a6766dd725b41fb417ef764b355eaecfdbf4b3450ce1a65ce69f33aa78df63de5c321e31ca168a54463d3017172abfdc5
SSDEEP

1536:MAa7abutGY6btnXgGkPf2L5J9VqDlzVxyh+CbxMa:1hutVE5wPPk5J9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe

Executes dropped EXE 30 IoCs

pid	Process
3440	Lnhmng32.exe
232	Ldaeka32.exe
228	Lgpagm32.exe
1676	Ljnnch32.exe
1452	Lphfpbdi.exe
2436	Lgbnmm32.exe
4576	Mnlfigcc.exe
3572	Mdfofakp.exe
452	Mkpgck32.exe
1888	Majopeii.exe
3664	Mdiklqhm.exe
2776	Mkbchk32.exe
2712	Mpolqa32.exe
4044	Mcnhmm32.exe
404	Maohkd32.exe
1560	Mcpebmkb.exe
3492	Mkgmcjld.exe
4496	Mnfipekh.exe
2760	Mdpalp32.exe
1240	Mgnnhk32.exe
4116	Nnhfee32.exe
2452	Nqfbaq32.exe
1856	Ngpjnkpf.exe
5072	Nnjbke32.exe
2392	Ncgkcl32.exe
1816	Nnmopdep.exe
2280	Ndghmo32.exe
1652	Nqmhbpba.exe
4628	Ncldnkae.exe
2748	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	2748	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3440	3684	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe	81
PID 3684 wrote to memory of 3440	3684	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe	81
PID 3684 wrote to memory of 3440	3684	d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe	81
PID 3440 wrote to memory of 232	3440	Lnhmng32.exe	82
PID 3440 wrote to memory of 232	3440	Lnhmng32.exe	82
PID 3440 wrote to memory of 232	3440	Lnhmng32.exe	82
PID 232 wrote to memory of 228	232	Ldaeka32.exe	83
PID 232 wrote to memory of 228	232	Ldaeka32.exe	83
PID 232 wrote to memory of 228	232	Ldaeka32.exe	83
PID 228 wrote to memory of 1676	228	Lgpagm32.exe	84
PID 228 wrote to memory of 1676	228	Lgpagm32.exe	84
PID 228 wrote to memory of 1676	228	Lgpagm32.exe	84
PID 1676 wrote to memory of 1452	1676	Ljnnch32.exe	85
PID 1676 wrote to memory of 1452	1676	Ljnnch32.exe	85
PID 1676 wrote to memory of 1452	1676	Ljnnch32.exe	85
PID 1452 wrote to memory of 2436	1452	Lphfpbdi.exe	86
PID 1452 wrote to memory of 2436	1452	Lphfpbdi.exe	86
PID 1452 wrote to memory of 2436	1452	Lphfpbdi.exe	86
PID 2436 wrote to memory of 4576	2436	Lgbnmm32.exe	87
PID 2436 wrote to memory of 4576	2436	Lgbnmm32.exe	87
PID 2436 wrote to memory of 4576	2436	Lgbnmm32.exe	87
PID 4576 wrote to memory of 3572	4576	Mnlfigcc.exe	88
PID 4576 wrote to memory of 3572	4576	Mnlfigcc.exe	88
PID 4576 wrote to memory of 3572	4576	Mnlfigcc.exe	88
PID 3572 wrote to memory of 452	3572	Mdfofakp.exe	89
PID 3572 wrote to memory of 452	3572	Mdfofakp.exe	89
PID 3572 wrote to memory of 452	3572	Mdfofakp.exe	89
PID 452 wrote to memory of 1888	452	Mkpgck32.exe	90
PID 452 wrote to memory of 1888	452	Mkpgck32.exe	90
PID 452 wrote to memory of 1888	452	Mkpgck32.exe	90
PID 1888 wrote to memory of 3664	1888	Majopeii.exe	91
PID 1888 wrote to memory of 3664	1888	Majopeii.exe	91
PID 1888 wrote to memory of 3664	1888	Majopeii.exe	91
PID 3664 wrote to memory of 2776	3664	Mdiklqhm.exe	92
PID 3664 wrote to memory of 2776	3664	Mdiklqhm.exe	92
PID 3664 wrote to memory of 2776	3664	Mdiklqhm.exe	92
PID 2776 wrote to memory of 2712	2776	Mkbchk32.exe	93
PID 2776 wrote to memory of 2712	2776	Mkbchk32.exe	93
PID 2776 wrote to memory of 2712	2776	Mkbchk32.exe	93
PID 2712 wrote to memory of 4044	2712	Mpolqa32.exe	94
PID 2712 wrote to memory of 4044	2712	Mpolqa32.exe	94
PID 2712 wrote to memory of 4044	2712	Mpolqa32.exe	94
PID 4044 wrote to memory of 404	4044	Mcnhmm32.exe	95
PID 4044 wrote to memory of 404	4044	Mcnhmm32.exe	95
PID 4044 wrote to memory of 404	4044	Mcnhmm32.exe	95
PID 404 wrote to memory of 1560	404	Maohkd32.exe	96
PID 404 wrote to memory of 1560	404	Maohkd32.exe	96
PID 404 wrote to memory of 1560	404	Maohkd32.exe	96
PID 1560 wrote to memory of 3492	1560	Mcpebmkb.exe	97
PID 1560 wrote to memory of 3492	1560	Mcpebmkb.exe	97
PID 1560 wrote to memory of 3492	1560	Mcpebmkb.exe	97
PID 3492 wrote to memory of 4496	3492	Mkgmcjld.exe	98
PID 3492 wrote to memory of 4496	3492	Mkgmcjld.exe	98
PID 3492 wrote to memory of 4496	3492	Mkgmcjld.exe	98
PID 4496 wrote to memory of 2760	4496	Mnfipekh.exe	99
PID 4496 wrote to memory of 2760	4496	Mnfipekh.exe	99
PID 4496 wrote to memory of 2760	4496	Mnfipekh.exe	99
PID 2760 wrote to memory of 1240	2760	Mdpalp32.exe	100
PID 2760 wrote to memory of 1240	2760	Mdpalp32.exe	100
PID 2760 wrote to memory of 1240	2760	Mdpalp32.exe	100
PID 1240 wrote to memory of 4116	1240	Mgnnhk32.exe	101
PID 1240 wrote to memory of 4116	1240	Mgnnhk32.exe	101
PID 1240 wrote to memory of 4116	1240	Mgnnhk32.exe	101
PID 4116 wrote to memory of 2452	4116	Nnhfee32.exe	102

C:\Users\Admin\AppData\Local\Temp\d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe
"C:\Users\Admin\AppData\Local\Temp\d17d300e9a67e052ae128033990b298270982bc4ee52d8a1268a31ad2bb511a5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\Lnhmng32.exe
  C:\Windows\system32\Lnhmng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\Ldaeka32.exe
    C:\Windows\system32\Ldaeka32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\Lgpagm32.exe
      C:\Windows\system32\Lgpagm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        31⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 400
        32⤵
        Program crash
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2748 -ip 2748
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
80KB

MD5
b264bb06604c22c43e01fcd0b4f7a145

SHA1
e553faa32d3d3edc75ba97b6a318b88b8cf36590

SHA256
7cb44cc0675a4da918c4a664745a7210d2879ab871a1ed316cd29eb5baa81bce

SHA512
fa64016f48b9bf5a16077ce880e88709babe8565a34ee6d834977b9239048946cdd4966a50b7154de560c348759b0fb8c6e62e8e6fb501727999575925075161

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
80KB

MD5
1e791168e8c401527a10235e3d4e6d68

SHA1
709bd3b5c92cfe27add7f72c0757a0134de20538

SHA256
2c8098e7db7317c0fa7a0446258638f6d3db433335c052f627f2dbc4326b0b63

SHA512
f81cc651f66d15f2eb108bed39384c4a6e0405ec749822252d8839a31ca40668e2abc0a883ac4ac9ea38ac76dcd51d1c5e030a71be351aefb9949ea7cee7067a

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
581bdb3582e5295b93589ab3e644fa29

SHA1
3bcd30d7a1da67486ca8c0eda39abf05c2b64bd2

SHA256
0498a02124a7ba15a72d19fc25f58034b729c55a1be097f8cb8a22d772757b57

SHA512
2de72f2e29006ff6c078a14347589114816a6dd518074ce458bb56909e1048a15bd41bf4581ee90adecb3fa55df355552913f218c16bb49edfa947d27ef3b581

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
80KB

MD5
559ddf8a662cf07a5405fd00c26a5710

SHA1
66716cdb74dc21b8867415fd20efd5e6aea872b0

SHA256
5c54d54fc8e55470a89fc4539511c785c460a496c65c3ec81272d54d53b65848

SHA512
b5e492f9925b53bbf45fb1f4f6936f8a677fd06d7f7f7fe80d9221ba024e26c01e50c2cdb8c5d71f423347175d818679d997203c039d025abc2227bf29a4d69c

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
e1901660328489b89676b8f401bbc6d1

SHA1
9b2a67611910e2771a3003abdcce55ace52547b8

SHA256
aca7f729e0fe1f10b937b126e28d73c4032feeda9d69a74ab6ae243f29561034

SHA512
781a679e5f0a2f7f4f4869ef6037fbacfa83e2e1dd0c3481a71c505bb0eec4ae6baaa283c1f20394623297e56dfca41a7611c15e4785be5689e8e35a24566d29

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
80KB

MD5
99fbe8e16067c7dbd70c95023afa1128

SHA1
ebace5f9e02d871f785821d758b6d321b4b74f74

SHA256
8d396973b257ea5a74316deec2dba476d608c96829ee3db2a44caff1c6b0becd

SHA512
1141eedae621d6925a3ba9dea0b0ddd081d896762459ea2a564f2515370d7b4d18904cd715f535d9391ef4edb4f7fdec0eee00df6f9240a33f3a98b763489854

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
80KB

MD5
0280c7dfdc4360002ef60899e08f38da

SHA1
5506cc6728f58129eb22c07d0a3b63dcf9c3f093

SHA256
a32978e9d4f4f57e3ce60503ba8edfb09473e62f6212b9bb4ec18c5b053d3ec5

SHA512
9d0ccadff0135343ac654c952f2c7355a7b9a62bfd35025549f4e7de0cf8a44d1505b8e58f1b5856d66533cddea10029121d6c1e657ccd7deab93a9ec336c415

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
90bb4cb81efbc72669868331440211f1

SHA1
0027c7f72cb00b6f0a04d7d1a96f0be6702128fc

SHA256
b27337db8739179a454cf17a01f400429ab8732e407dbc858407286be25103eb

SHA512
92229f828d546384ebb44f166a91e386b62e567f01fb93b53fb33f4bc8bfdee30399031d42bac415d365d6d649a049dc69a8f94ad55435a3f476a314bfc65468

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
80KB

MD5
78ec4d7e698741755452dfb42f565e80

SHA1
58f0c6c1fe175a3c7e9dcef9b6d588a493e83bb3

SHA256
13cb6eb7589513aabc94ec22bad111a59d22ba981aa5e359e259f834ec8b7446

SHA512
6d6eec765fc784289f31f7a6f759ca4240f3d3cec5d3746fc2d9997adf422f2f85afe2fee6b9bb667f994c5af7e544191f7d523d97bb492617e8434d2b0cb927

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
4136b48bb53936c3077ab4fbc695cd79

SHA1
debb8c02af4d645ad7002a1a147093130b13e4cf

SHA256
74ceee7f80642ef69afb7eb7237adeafd8a55a94bdeb1180b33770d6f3f0013c

SHA512
7f53767d4ce39c8fb9813665617726bb789cf5a38e74f3d1b4878dd560afe890b87b52272aff8ceeaf8a402ea2054c398ab689522f78cec629d54cb79178d76a

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
80KB

MD5
d979c1aa27d6c0a3511491b26c5f3e89

SHA1
d08bf866f62b418cfed690fc23965be108340769

SHA256
c2bf494a50d20ec10de7f6d1058b0557b35b6f95202efdc599b9359f5ae24dc8

SHA512
856459ad80eadedf5ce0d8b26141d87144e2fe6c68cefcf5f6b79764707b9f525834670d9d796ac7abc5a3155f1e9f689cbecac75748836e07fda38f6c5eb047

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
ce346e484775855b7b63d529a16a5a6b

SHA1
08a1aa6684cd30586579ec8954b4d36b3474cfa5

SHA256
cdc54bdc32992dce8403a88bccf56955a82437d21703dd2cdd5ae2bc787dfa11

SHA512
bb02e9ff7fbbeda61688adb2d20b40a3535b5c7b6616b1cc8f7d003bc39905cd42103ce18bcdc209d9959b29a253fb6aa1dae518436902bf79d70d8a0ac50ca3

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
80KB

MD5
b0e5ed1fe40cf7474584ac61cab2895f

SHA1
e430e066186e05fad8552fd25380e25e98d16856

SHA256
e6949917ab4d04ce30febaa5a8dd1e3e01a1ba45a35e7379b104dbbf422be0a4

SHA512
2ea6d46b95a4fc3e1c49d985fdb2455097a5606dc10541874817eacb9fbe5b72ed24490a9b19a32a1d4ac85c25912be9c41920a130273f9adcf406285314f22f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
80KB

MD5
9a94ceef55f04af4ab55196ab57ab72d

SHA1
fdd5132df1a6e9c58ead634c8f39c130ac473168

SHA256
224c6fc9ab26a8d84d0523bfcf7cef84cd8c1c85f7c0af938ed86e27848b2144

SHA512
07a0fffdb231952f7cd3434ae9a67f8b50cf6bf95b301b600257051c5190e01a7e88f9216dcb87f93385e4e5b948d95c6db55afac6f3d8cb0a7bd88293c9b16f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
d783e03694f74b9e6fe3e5c2335c589b

SHA1
ebd4389a02185878a8527a97ce58f4c9a37e946d

SHA256
40060f11e08cbc67a2904ab86ccd2135edda2c7de4cfbbbf8bc2d9d10e0377ce

SHA512
f652b44d91c00294ad34b49ea181eb6505d726844882e7e524841305c84e29c72d3ce3cd523c8efa9308da1a2888d2e9bf8d176942a109a6c4d039d89b04a699

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
80KB

MD5
91e1a3099a7f91750769e6738435181b

SHA1
16e3b4b47d78e92889b4ec8257b13a9c540f7e6d

SHA256
aa2db2aec7c8651edc739496e6754cfabf246190571e417b128be4f5852b0358

SHA512
c1d4e8bb4231793ac25053b908ed78a2fcf18a0d9784d421322aa81e9e8e717a13d9f873c5aa7f9908e247d1bc17e27054dd07e826842c2acbbbee77978e8cf4

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
80KB

MD5
a80cab1fcba907148da46483ebaeb987

SHA1
3197655ef78b2f62b812f396f92e9c77133bf21a

SHA256
31a4a77a7b59c01f16b43351027674c8e80a41ec0de857393bf9109fa8f81a42

SHA512
402a3e3fee76d04b6bfcab6172a4918317827cbe7a8f8a0e4252df84c45db6e22a5f55033d51499ce8218950bab47fe1352c2cd51ba5fcaa0ec50622a694ea51

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
80KB

MD5
47ea0a537a8e285efe5dbb5d0819defa

SHA1
4205a7d2fc91ea981f781beb3a5701755eb6d261

SHA256
11f361285a421b4f29869447e08657593a9268ab3a65edaf91d972b6a3cad222

SHA512
5f355e6c389849f7ecd76193106e64e31c5f9fbe8195e2bf4a6600319185479c60db6296970b360d35a73f961d491a5449d5e95660df6388c722e579026a0c44

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
80KB

MD5
061cced381f776cc427e2de554c3abc6

SHA1
a339c6fb47285f6ebfa3e4a04729e7b6c3da9672

SHA256
0fe6222085ec0cbb0540bb875325d3dbdfb332822d527d56aa3f5b05caebb9ba

SHA512
a0099ef51f1de22d3a8a9a095e318530badaee9a6c2df8a74bfdc2f31263115ded8d6a177b6e34e2b2cfb5f58947ae752439afb7bb2ad39f255c3c01d4705e27

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
e0119fe66b34b7d6a4f1996a7f788492

SHA1
708b76980526d5d908fe050a72b87f6e5a442992

SHA256
30e6da4de716747cfbbf23796b8141aa2be4e698f4a4b34b751fe0cc72edc6b3

SHA512
9462ae55baacedab5f951a13e03c42e90181eb3a623c1ae4bc9d2b466e5fcd16454ca8d127f5a9127ee809bfbfd82c33cb910bdcebae2dddd3904665be472232

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
d0b605cff650df48f7f273db3bd5fbc3

SHA1
bb4e0cd0e102eceba7a69939621944c5199cb6fb

SHA256
2e7aa7b52385fcfcc495af9074b1d764651b46d5ee3cdbe62e4a5d8dd27c69f3

SHA512
eca528bdc293d313046e985c9cd04e5d34bdacef660498b1b67d16b07357bdbb461a255894eb9b409fb8c8cc0190ecb08fa659d46424942778994cd7abaabf7f

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
80KB

MD5
6867c1483b9b8c3392b67376b0aae9c2

SHA1
e658edc5090e4ffc098225338b4bcac864603083

SHA256
b84f293d37900f0b9541885bb61617ca37f9c1819091df15c3f11a0372e144e3

SHA512
502c7fea78570e5334ae1a1ca20a9c3e6d7204ce8cdee4b0a4fb2ec2a1b4a101211d04f14a63a4164b8a28e5f92ff29abde9624aee6b91b0b35a67f99ffa8ef1

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
a8f7e0eaaee79e001d820e94c0447b1c

SHA1
7a957455dcc9fe7131a5586f450f041e79cf371e

SHA256
31ded399e14b49f8d706d212682193496f22613fbbcc5bd43d72b4aa702c8e4f

SHA512
14f0e47991e611bcfc316710a8f549f68b4f0b2d91006139a066a4dba8fd70932a36dc9574b107c4d0650aed73932e4285419810249fdd9441ae56017890870a

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
80KB

MD5
3fd698a0d78d275232b0f98b0924f22c

SHA1
bdc18e7929ab556a6e780a95fe8e39b7419b59b9

SHA256
2cd0c6d779d94f2055628fd79d181216fcf259f4ecde9ee4cd99e47ded7c2909

SHA512
1c5833cec2384d252b0a19a91fdc3df6236991ca4f3909576407c86b4e9776233e193b21cf162e0abfef09699037d173ebca17077f05b9d95fecec7391599e19

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
3a60d60823ceffae5fd33cf169f42a28

SHA1
583f3ff2567a30fa413b42e13eb3cae8dafa0703

SHA256
b74fa95aed4c0f15308b0748fa6e5b5d2f3a7e7b6e57be4c1241f3300fdc7b0e

SHA512
a322308de5de90df192c75bfd640e2eecc04de6e9ff81d7a304810c8ba417208aa153332ea980890c99366a4eaef1078d983fd897d4f0e807bc687e00ccc3ea7

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
dad28d2acf05b499289a735482f6f8f8

SHA1
4fc95b79329b988dedd7e3acb155e33bac426a38

SHA256
be16907d957d2a0517c6502f3b6dfe95807d10eb5b2254a257beb76cff0d00d3

SHA512
e92ae022d2ef4bd6e7d685392ab8d33755ee39e4f8f756a08189ea16b6014246414bd0b4d54ec5b4f6d210df2094ef4c78d2b5303a99ca9516e137b5110a0494

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
bf89ee21bebfb2be0c320333f651c5df

SHA1
c0038e654efbe6b685240996fd888d877167682a

SHA256
00155bd22744a02314f055a42a25f5b231868870b16c0f2c409ae1a82e258931

SHA512
a38ff505d5b79b013e9fbe7c9fecd1b4c6ab48b8240afd599b02a112adb7e63502bf3038ab8daacbd48ce0432599462e962a886a3ab2d281ec7753122877d1f0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
80KB

MD5
41bf756c741576e867d8ea2a387ec099

SHA1
d414ee72b1c1ec69ddbf08fd62554a63ae602190

SHA256
c808a2982d9259e70c93ab342a2faa79808caed9f5a5dd4681767c3875034f64

SHA512
c5c00a7920575be8e100c2c8bb7d14b513720017ba26b23cd1b5032d95aac19044133dc45182448176a9799f5331b772b72a2258ebf2eaac6d83b5ff9b601d16

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
7e32e8d91bb54ea9db51b72b0c9f7082

SHA1
6f4f1d13a7ff7ee24ac72974f5e6a98ebce6fe4f

SHA256
bdcc7856d225b5f2de00b85e829b379ef4243eeeefc3b0ed9f81f0ec835e36a6

SHA512
663b86a076ec671aa2dd7e4dc595118390f6e5b12131fbecc5dd32948d287036437c8d1ac3b4739c92449c3db3a176d27f2f83d4a80b7e871e021d5674871eb8

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
80KB

MD5
e6f7c62ce181d17cdc2a87ee55e77a06

SHA1
639d7787b47482e5fcebdf09cd26dc861ea48c06

SHA256
441f41f8a22e872345c5b0b4a0232b392b63b5b0ffc1e44fe4c106703ceae7b1

SHA512
14ea8540c015821d7e26fe572efe216dbde3ad24d962ffbbcd8900aaaf22d0b35ea67a257c206444aa12413e595b08dfa6b008697313b5b6b3fc34397d07650e

Download Submit
memory/228-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3492-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3492-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3684-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads