e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Size

240KB
MD5

aa2e4ad1d10f75367e1fb6ad62170a78
SHA1

98c17d3d4c0ee3d5edfba3c5c26b25d7fdbc4489
SHA256

e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0
SHA512

70005086315810e4bbc07b5c77dda63a5001d9be8e87781a3b8e9db8c8c51d39e1c9a845fc97e73ac2261703418f7c9b8e5978ba34b77c691f285cd2290d542d
SSDEEP

6144:forHI+LfV4AOGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:fozfq7GyXu1jGG1wsGeBgRTGA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe

Executes dropped EXE 30 IoCs

pid	Process
1780	Kmjqmi32.exe
216	Kgbefoji.exe
744	Kmlnbi32.exe
3748	Kagichjo.exe
1380	Kpmfddnf.exe
60	Lmqgnhmp.exe
2448	Ldkojb32.exe
1616	Lmccchkn.exe
3224	Lcpllo32.exe
4540	Lijdhiaa.exe
2084	Lcbiao32.exe
5000	Lkiqbl32.exe
1980	Laciofpa.exe
3964	Lgpagm32.exe
816	Lphfpbdi.exe
3716	Mnlfigcc.exe
4156	Mdfofakp.exe
1592	Mpmokb32.exe
2760	Mkbchk32.exe
4036	Mnapdf32.exe
940	Maohkd32.exe
716	Maaepd32.exe
780	Mgnnhk32.exe
4436	Ndbnboqb.exe
5028	Njogjfoj.exe
1232	Ncgkcl32.exe
2172	Nkncdifl.exe
3528	Ndghmo32.exe
4568	Nnolfdcn.exe
4844	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kagichjo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
944	4844	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1780	4060	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe	81
PID 4060 wrote to memory of 1780	4060	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe	81
PID 4060 wrote to memory of 1780	4060	e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe	81
PID 1780 wrote to memory of 216	1780	Kmjqmi32.exe	82
PID 1780 wrote to memory of 216	1780	Kmjqmi32.exe	82
PID 1780 wrote to memory of 216	1780	Kmjqmi32.exe	82
PID 216 wrote to memory of 744	216	Kgbefoji.exe	83
PID 216 wrote to memory of 744	216	Kgbefoji.exe	83
PID 216 wrote to memory of 744	216	Kgbefoji.exe	83
PID 744 wrote to memory of 3748	744	Kmlnbi32.exe	84
PID 744 wrote to memory of 3748	744	Kmlnbi32.exe	84
PID 744 wrote to memory of 3748	744	Kmlnbi32.exe	84
PID 3748 wrote to memory of 1380	3748	Kagichjo.exe	85
PID 3748 wrote to memory of 1380	3748	Kagichjo.exe	85
PID 3748 wrote to memory of 1380	3748	Kagichjo.exe	85
PID 1380 wrote to memory of 60	1380	Kpmfddnf.exe	86
PID 1380 wrote to memory of 60	1380	Kpmfddnf.exe	86
PID 1380 wrote to memory of 60	1380	Kpmfddnf.exe	86
PID 60 wrote to memory of 2448	60	Lmqgnhmp.exe	87
PID 60 wrote to memory of 2448	60	Lmqgnhmp.exe	87
PID 60 wrote to memory of 2448	60	Lmqgnhmp.exe	87
PID 2448 wrote to memory of 1616	2448	Ldkojb32.exe	88
PID 2448 wrote to memory of 1616	2448	Ldkojb32.exe	88
PID 2448 wrote to memory of 1616	2448	Ldkojb32.exe	88
PID 1616 wrote to memory of 3224	1616	Lmccchkn.exe	89
PID 1616 wrote to memory of 3224	1616	Lmccchkn.exe	89
PID 1616 wrote to memory of 3224	1616	Lmccchkn.exe	89
PID 3224 wrote to memory of 4540	3224	Lcpllo32.exe	90
PID 3224 wrote to memory of 4540	3224	Lcpllo32.exe	90
PID 3224 wrote to memory of 4540	3224	Lcpllo32.exe	90
PID 4540 wrote to memory of 2084	4540	Lijdhiaa.exe	91
PID 4540 wrote to memory of 2084	4540	Lijdhiaa.exe	91
PID 4540 wrote to memory of 2084	4540	Lijdhiaa.exe	91
PID 2084 wrote to memory of 5000	2084	Lcbiao32.exe	92
PID 2084 wrote to memory of 5000	2084	Lcbiao32.exe	92
PID 2084 wrote to memory of 5000	2084	Lcbiao32.exe	92
PID 5000 wrote to memory of 1980	5000	Lkiqbl32.exe	93
PID 5000 wrote to memory of 1980	5000	Lkiqbl32.exe	93
PID 5000 wrote to memory of 1980	5000	Lkiqbl32.exe	93
PID 1980 wrote to memory of 3964	1980	Laciofpa.exe	94
PID 1980 wrote to memory of 3964	1980	Laciofpa.exe	94
PID 1980 wrote to memory of 3964	1980	Laciofpa.exe	94
PID 3964 wrote to memory of 816	3964	Lgpagm32.exe	95
PID 3964 wrote to memory of 816	3964	Lgpagm32.exe	95
PID 3964 wrote to memory of 816	3964	Lgpagm32.exe	95
PID 816 wrote to memory of 3716	816	Lphfpbdi.exe	96
PID 816 wrote to memory of 3716	816	Lphfpbdi.exe	96
PID 816 wrote to memory of 3716	816	Lphfpbdi.exe	96
PID 3716 wrote to memory of 4156	3716	Mnlfigcc.exe	97
PID 3716 wrote to memory of 4156	3716	Mnlfigcc.exe	97
PID 3716 wrote to memory of 4156	3716	Mnlfigcc.exe	97
PID 4156 wrote to memory of 1592	4156	Mdfofakp.exe	98
PID 4156 wrote to memory of 1592	4156	Mdfofakp.exe	98
PID 4156 wrote to memory of 1592	4156	Mdfofakp.exe	98
PID 1592 wrote to memory of 2760	1592	Mpmokb32.exe	99
PID 1592 wrote to memory of 2760	1592	Mpmokb32.exe	99
PID 1592 wrote to memory of 2760	1592	Mpmokb32.exe	99
PID 2760 wrote to memory of 4036	2760	Mkbchk32.exe	100
PID 2760 wrote to memory of 4036	2760	Mkbchk32.exe	100
PID 2760 wrote to memory of 4036	2760	Mkbchk32.exe	100
PID 4036 wrote to memory of 940	4036	Mnapdf32.exe	101
PID 4036 wrote to memory of 940	4036	Mnapdf32.exe	101
PID 4036 wrote to memory of 940	4036	Mnapdf32.exe	101
PID 940 wrote to memory of 716	940	Maohkd32.exe	102

C:\Users\Admin\AppData\Local\Temp\e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe
"C:\Users\Admin\AppData\Local\Temp\e6a7226e550cfe3c8028d99ed412a253fb5e81691a888f59b6b20089fe72e2c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\Kmjqmi32.exe
  C:\Windows\system32\Kmjqmi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\Kgbefoji.exe
    C:\Windows\system32\Kgbefoji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\Kmlnbi32.exe
      C:\Windows\system32\Kmlnbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        31⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 412
        32⤵
        Program crash
        
        PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4844 -ip 4844
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnjdmn32.dll

Filesize
7KB

MD5
bcb93dad3088a5314d531d4e2ce5eb8f

SHA1
ff6a5b893eab90b8878ac9a71b6ad4eab449ee30

SHA256
9be59c592ea745e06524ab03d735df1a5bc24b8251a9c5f36157622bed443f3f

SHA512
5e4ec179aa27a2eae13da03f5995c29f1c16ac9c5c7d11378bb5b685ee9f3164def8baac26660a0010e62860ee4178e0dbd39ac50e905a55d82d20c09e88c9c2

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
240KB

MD5
b8f231b58e1f69d1960f857773771c24

SHA1
6a0e10c698af9e0747178b79dbd9e01299d58a8c

SHA256
cac782dd5067c21745ab31ef5ed69799ef3b2002ea8a19fd715baa20793416b0

SHA512
560034804dcdd88c61bf29ca59e6385423664c805aa3f788bb75e8161032d945771b862c474d0587c7cc68a98d3d7d8ed8d172feffda1fc7aff87b5592320192

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
240KB

MD5
4ea79d7404090ebe113f900e330b3711

SHA1
074ee4da6dec5509d58f75b8d28b69a36c4b4ac0

SHA256
d766114dc34f5e9e1cc16cca7f15512516a561735b1e282bbff3adfdd8a78db0

SHA512
4698bb71fe0dd8991cb9075f21becf245d475b31bd5772747f8f2371b601340713726ce0ef635be38dc986391a8e78d8be729533c0239c7f9279b8e3269022c5

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
240KB

MD5
b2baf922828d8ffaeb432da597b402c5

SHA1
1d40256df3903c656690cec154de155acc73afca

SHA256
d3ab726378e3455ea621c460f55e1db98fc3ce6a74d2007b7614985ef674dac1

SHA512
c8f96cd0b4e4d2febbd0ad96f0b9bd53c2c5f67e5f079e0b74f41c450bc254bd1d92aa23fbb7e594c2143799c9beeca39d8501350a8f249eef0a4da79e21df96

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
240KB

MD5
d75d7f9e96ac953388d065ba4d789d7f

SHA1
27f24dfb0b494d90ee3e0482cf9067bacbfb1ccd

SHA256
58d2a10215989e560f8cf995283e78790f16e9b947ce16392fa5d8b334a74a07

SHA512
b965b6cb531fa97fd858e2c9893ace6a6af08513274849482f8a25830bb37d7f086473524f1e45fd3733a5766046e9232418c67a1fa386a204c37278cf96057b

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
240KB

MD5
75777082d735e3b676c36675eb9c2e9d

SHA1
db5f933d9f4cd389ed98736bffa93a6063db34db

SHA256
43631e315be4ac8c2d2a4fd5b8c0e7bc6e3d3bea908589961ca315edcf44d00e

SHA512
8a39938717955f827033033488cb373c3d0925527477927c73515311d7d235d27591318d5a947d217ddc759c2b4d3ac7ef531ac4f0f8222c23ad023f75860de8

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
240KB

MD5
8bb15ee835e1602b7aec5da51e9b454e

SHA1
64d81082c7d09e5f80d447ba48216282475a80c3

SHA256
0f4d4d3e02b6ce44da564fe9c523b7a7a52d7eaa111839cc0f6be2bb224e80e4

SHA512
1b45298b7878e02685c769dffe02ef405658bb0d99ae836eab1062c1a524b41f293effe1e6920dd5288a4293903052550329e5620f0c8088eff6c01b7af955cb

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
240KB

MD5
40f0a9e634a6004fcbaf4ff632c20ae2

SHA1
62dbb7642cea7a506dbb9bd3f8c5c0b258ba631c

SHA256
ad6dcc5e1d78ba3d1b3a0fe871fe0c908d57ead8652ff0db782ec6b460b74edc

SHA512
3b59cde765a92887da98d770b4a54883574ddca7239d546707cba2af4a9147a57a682053e6efb9560a84d5522689d0a5faec7e6f5f5e98da2d027d5e8525e380

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
240KB

MD5
7dfb4bdf8d3482971c1c6c9b64abbff9

SHA1
90d35fc9c24f3b47cf0c519d18dd91c7bc8fc4cf

SHA256
7328856743fa04872b38594ceff5534d2ac65c8c23588d1650eb88781d8e1b7a

SHA512
1d01892bc4956571c47fd5015cd8072304d5ca765817889c95ba58c39d950ba01c123a9ed345a0ca879eff7ee7cc1c2ec6ec4645f035ca7a89e406732227fa20

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
240KB

MD5
6516c5bc10b23810947dc7b6325e826a

SHA1
1f53037204b27ed9bfdae24c2a45084f6ddde160

SHA256
f14c0513ac4ec2780dbb10f355cf86728c660f84422cb806f4d051e4d9298c57

SHA512
219da9539cd5e2fe0f11dc4e91fedfc66df2dfc0d68f35e59de6956c8cac3093f188d5f5304cdbf5da3891290a0fdd44f3019fee6415027ab11e94bac4c95174

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
240KB

MD5
f546bc889c44de49242b53b2bf1501ab

SHA1
4f0f4755d1ceccb67cdc0bb974d66ea7f05e919e

SHA256
85c679b7fb197ec8a1699ed98c9d0591242812cc4d73a56b47326fff70307cd5

SHA512
a3599f271fd690ea6b900b9ffc000c2532dc0c3d69a64caa37e64ef105941c7ee840228ac6c46ede8e30f92601abcab54c772027af26fb322900e9acb4777ae2

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
240KB

MD5
0644d62029dacc769a59e571c3bf6014

SHA1
14418a4c04c60d91e06f927f10f5cc9063ff1b57

SHA256
f95acd64466b0b0e45c8ce3e6308301bd4a2d5e77189922b8584c54aca82ab15

SHA512
3047b87c51e2590c03cf581238fd623d188bad160d91066f91c6fb6bf33aa20faf9fd3b22eb758891e3f249253bd4c9684d23b54377c41937f590d9e9b11ac49

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
240KB

MD5
4ce117f0ec0d6be17c210a567100f3e4

SHA1
fa4f33ce1e5493970fa517106ff9d28cbda42440

SHA256
b0627a68090dc4034e1c22f323fcee8a0d2a652868903e5d57dd3fd167b413d3

SHA512
092955ed4fdc9ad0b35b17dbd171ba87ee29173ec39df120e51c52cac114197f4a2856c48f29bff793521a34018643072d21c129c6ac2f6449a7049d8fb4bb32

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
240KB

MD5
95fbde27881abee62b295c32707e6907

SHA1
bf1dea7a213a791a50b4ad0e60d6bbd711eba0a4

SHA256
3c9dc6972e8485611e52b631ae446dd927b5dd3744e283cea11efc484aceffd2

SHA512
6b3f55ba9308176aacea9c736c0e55423e5e2d073d8a5f5ff76777a1f88498d3ba7703d97cf502714e5e54903948c8991fffd5e2fca992b636df2b82055410bd

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
240KB

MD5
61d86b4e8b8b684e4649009384a8c130

SHA1
7b186da91bb02b1b55bb78f92bda843aaa5d312e

SHA256
33ef9ea47abf7b0ca043aedead81fc76e622d21435836cba945b9639d7ce35d3

SHA512
caed3e794268503142ee7d66ca50eed16e1fdece901e4f01e53a30c39ac19dd36c2c5767a71f237f72911b642f71e770daaa4c5e635642bf2cca92ae52340b1f

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
240KB

MD5
4a2931ef87deb53102582bcff9caac13

SHA1
404fd61e82b56692e95e5d5461cef7e3137c7150

SHA256
d7611f6af59e432bd78cf359be581682785e074c250dbdea1eb97558d2e538db

SHA512
6f8859b1e5aff355221fd937083a204f00d6a07779fba4e2ad04d1aa9dab85b5406b73b98c2147a473cb89a4e9fede965bf89cb14284cad34c7629d37c104bd2

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
240KB

MD5
73cbfa7a0e5788583379051d482cddce

SHA1
4c6d7ba7adb7556c60afbcc3331c817d0978870b

SHA256
b0cbc9f36b2f811081a4f71cb71e26ca013b2becba15fac9339bf4d7383bc8f4

SHA512
97ec61e7e42b92e4626dca71290ce8a396b62b1b1e5c63065b9bf871e18cafec1226fcb66888eaa6e08ac04d4486e60230a13dbd1bef00da76d92e9bef8b1219

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
240KB

MD5
f774ea00840ef8a06aa627c5c5519161

SHA1
9b2c193a08f9bd425ce8e04e4618d0c66ab3da91

SHA256
9fab10619597ca67b551e17a253c764a77d042571283ce2d320891a6665ff0e7

SHA512
50437e8b94d89dbaf854f3233dc1ed4bbf725e20bbf2d0ef7e9b23723bd72f719c969b78a8099bd847c30205f31ac1bd7b54ed1079c182e78476eebd94c0125d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
240KB

MD5
6860d2b8181ef01ffdb9d7dc39e907d2

SHA1
a74c3232418ad8add0344883e0e597cf594f1030

SHA256
d140e25cb06f1c173129fda911de12e1c1889148352e3cbea0255cb25f53432d

SHA512
df9b1641a2ff64238d2eaa32097ed05f369e38b339622ef287c69eafb1450be7301c903960456bd213bae6734fa913094bf0196932bd0f80655f5e6514c3a680

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
240KB

MD5
728e1c48f4c812db2253510922ef05a0

SHA1
f116e9f92100dc320696d0f6273c271863b301fe

SHA256
5716ae308bbbca663bbd2c080d48cc3ca210365c7994814369f73040777e4182

SHA512
758bf79f098a5ebec54078e0d82378296060c4c921ba8e2e1e70558a3f2b8a0bc95c84a040c1161aef24c57da3c17ce20ef07036151bbe0a291304b38f98c8bc

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
240KB

MD5
1e904779d427e9beface57b0fa984527

SHA1
f45a64cb64a987c7bb284a7e9dd029ae34365f9e

SHA256
a4cfe3dc4b2df143e16b5e7f93185e5cd2e979cbeb04c5a1af794d342e6e39a4

SHA512
ec3d667808f1a2aff745e86c50e7c543624611b11d0c27564f698a17eaffb97c02005b0f1559f7de7035ff1191f4e4b027bd5326eb34eaeb6e339864da728775

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
240KB

MD5
11f5c8f8a942e91d31d6f5d6e9540789

SHA1
6d7295971050b64f9d26293f9e9c6d4a6d310e25

SHA256
7ed800f4bc2d553bc53d3633c8579da4e417ca4419be95a2b8d11de796613a8a

SHA512
25d80350f71d05131af92edd7305ee6afdcab7b2eecc1f43ee6572ac0a9e22e0d374ed1fe69fa7842c108a5b7769135b9c539ee55a6480ddb8be329f2df99d73

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
240KB

MD5
80d2f97f2c1a4f1d77ee7afeb9e68176

SHA1
d2c55f19486f38d99eaed8db2affb0e498c9b112

SHA256
3eb96dac164123c9fdc81bc44c789f6970c106a431d6e1a6a0e57217b232a8f2

SHA512
fc973e5b17c355dabdf0b80e743395a5d100731f1f7dce62df61e56c07deaf88cbc1d6ed94fd60a382760049f7286ccab208a629ceff5f40fc33372f66eae66d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
240KB

MD5
2585a1b1d234495b50b21c108a115e56

SHA1
27196917f6d1123bb42940bdbd169b9f791ee828

SHA256
b04fd2ce89dee8bd1a6bc96bdd2577b70bf38a5d7a422aef8211a6131fb63d82

SHA512
137b51159f2e638ab689adb0e6b795d9b996169535275f5cf765da63ddb68ebef8489177a7961334ff5ffc3d98af9ec192cd072d62f3cd1067e87f1fd5b1f326

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
240KB

MD5
fef8c7e2344ac722c3e3dcbc23e628b3

SHA1
13a176291701b9fcec928f39008c62c6fd8e2c0f

SHA256
2e39906a398f35f407d03f9d02e212305552a0983a39a83f5b51cdf49a066de6

SHA512
e503b4ae648e0bed0c43d300d15c879873e0491202015cc828bf20dd535bf473d8e94db401e2012f4c41d7d17d6aff9c791adca010142bee012d721f53e041c4

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
240KB

MD5
d797fbe0c8336a5d6a16ef9f8ab65ca9

SHA1
fb2265fb8ea5988bb6d3e4d428ab2f604bedba98

SHA256
d3098f8c138bf3f83e2e010e4a49086cf7d7fdbafccefe19bdc0ee5b9bd47f2f

SHA512
5cffa6adfe5ae86d86bfd0b92d5251aad03f92b187ffbc9b05b7048dff27555e403fe028032db395f4b3bdc0a4077ea9a3db736c6a47a1832cc96097bd4a5c62

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
240KB

MD5
9e0d5717b87adfdd133f5853176e7754

SHA1
6dddb87bd085cf9e8df5bb5178dfdf098d6d3793

SHA256
c06c17153d87402ee5bae373b3397f81c00e2bafa16c03936938e49d542e1080

SHA512
9c4ba19973d610ebf208702e1598006d53c5b0ef0dca3b08ee5cc387bcfe247f1652cf7823df49ae4587a60323f692d0f4fda5d8239240370168c81d016e79a5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
240KB

MD5
f1df819f11c2175d21548b116bc17e8d

SHA1
5c0018f1fbda0cd2df68a28ab23c375f30dd4f1e

SHA256
0c04cf149aaaa8432ecd32acab6904f432d5abc57a5a48e3b57023f488eaeffd

SHA512
2726ef2499b27548e789981f7d2f5e82d709be204733d71fca753839c190bf4e684ada19d57e933913fc5de157f66cff7a7f823b6f2542901adbba925f2bfae7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
240KB

MD5
a058481aa96d0266b1d5a346a86d9a8f

SHA1
835c762c97f70c8f220116744ef0f4cb0bfd8c16

SHA256
7a6ebdfcd5ee7d5a27b4123c3568793fdf8fce1dc70a6144a595c11259b4f477

SHA512
907d995cd678241d4c8d73be79f7b4f7bd4e55c3a54eedd1844e49ccd9a81410582e0d3b90bb5c5668250fe5adf63c87c26ae752989030b332d4921783a90337

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
240KB

MD5
7aaef035a1f9751caedd78f0126d8305

SHA1
37130a1935e16c46168f68dcb8a7e8798420dfc7

SHA256
8def7f61dbaebecb6dc7c2761ee43fe6cb885b29f73fc88307eca90a59803c6a

SHA512
a3f83d27c584d484bc7392f90b75a2696f5ebb2888fb14bcbc8be9c18131925753706238e2d7864dacaa2ebb556490c60536cacc358b647cbe4ec44e6b965b97

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
240KB

MD5
90079f90ee21cf09c6178f36b81c12e7

SHA1
5a6ba290116f8f13943409a5ed9c98d5cd975079

SHA256
0f43cb984a4d3e92b405d314e71c740dedc28e555b2d4f930a818afab25744d5

SHA512
912abdea12c5cc1a9ce8cf65b72bbdbf8e7facbf4715e4cf7139f1d42793ecb419f7628dc7d9d6ed7a8070a295a1661f6e4d0478f45136a1227914047ffde154

Download Submit
memory/60-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads