a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Size

186KB
MD5

eb9d6283cc4f647c098a1a9abdf70916
SHA1

ad3f2c3e5d32c4251968d62103dec7c175049f81
SHA256

a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5
SHA512

2f914e3842e8119c0a9a27d99ad28bef6177aac3380c752400277ac1737aca2901d6a98fb8f4e43dc6426a465743757dc6c2a611f465e6c10a3e581469f7ac72
SSDEEP

3072:YJnI0igCv6ELQ53Fv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:Y5igCvM3F+Jk/4AcgHuv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe

Executes dropped EXE 37 IoCs

pid	Process
1116	Kknafn32.exe
4888	Kagichjo.exe
2684	Kcifkp32.exe
2548	Kmnjhioc.exe
1656	Kgfoan32.exe
2608	Liekmj32.exe
3048	Lgikfn32.exe
4380	Lmccchkn.exe
5096	Ldmlpbbj.exe
1448	Lijdhiaa.exe
2776	Laalifad.exe
1896	Lgneampk.exe
4996	Lnhmng32.exe
4040	Lpfijcfl.exe
2016	Ljnnch32.exe
864	Lphfpbdi.exe
2208	Lgbnmm32.exe
4400	Mpkbebbf.exe
1200	Mkpgck32.exe
5084	Majopeii.exe
3836	Mgghhlhq.exe
4080	Mdkhapfj.exe
3688	Mkepnjng.exe
3612	Mpaifalo.exe
4588	Mpdelajl.exe
5024	Njljefql.exe
5004	Nqfbaq32.exe
3268	Nklfoi32.exe
4928	Nnjbke32.exe
3892	Ncgkcl32.exe
4280	Nkncdifl.exe
4488	Nqklmpdd.exe
3284	Ncihikcg.exe
4680	Nnolfdcn.exe
932	Nbkhfc32.exe
3976	Ncldnkae.exe
4168	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3716	4168	WerFault.exe	121

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1116	4000	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe	81
PID 4000 wrote to memory of 1116	4000	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe	81
PID 4000 wrote to memory of 1116	4000	a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe	81
PID 1116 wrote to memory of 4888	1116	Kknafn32.exe	82
PID 1116 wrote to memory of 4888	1116	Kknafn32.exe	82
PID 1116 wrote to memory of 4888	1116	Kknafn32.exe	82
PID 4888 wrote to memory of 2684	4888	Kagichjo.exe	83
PID 4888 wrote to memory of 2684	4888	Kagichjo.exe	83
PID 4888 wrote to memory of 2684	4888	Kagichjo.exe	83
PID 2684 wrote to memory of 2548	2684	Kcifkp32.exe	84
PID 2684 wrote to memory of 2548	2684	Kcifkp32.exe	84
PID 2684 wrote to memory of 2548	2684	Kcifkp32.exe	84
PID 2548 wrote to memory of 1656	2548	Kmnjhioc.exe	86
PID 2548 wrote to memory of 1656	2548	Kmnjhioc.exe	86
PID 2548 wrote to memory of 1656	2548	Kmnjhioc.exe	86
PID 1656 wrote to memory of 2608	1656	Kgfoan32.exe	88
PID 1656 wrote to memory of 2608	1656	Kgfoan32.exe	88
PID 1656 wrote to memory of 2608	1656	Kgfoan32.exe	88
PID 2608 wrote to memory of 3048	2608	Liekmj32.exe	89
PID 2608 wrote to memory of 3048	2608	Liekmj32.exe	89
PID 2608 wrote to memory of 3048	2608	Liekmj32.exe	89
PID 3048 wrote to memory of 4380	3048	Lgikfn32.exe	90
PID 3048 wrote to memory of 4380	3048	Lgikfn32.exe	90
PID 3048 wrote to memory of 4380	3048	Lgikfn32.exe	90
PID 4380 wrote to memory of 5096	4380	Lmccchkn.exe	91
PID 4380 wrote to memory of 5096	4380	Lmccchkn.exe	91
PID 4380 wrote to memory of 5096	4380	Lmccchkn.exe	91
PID 5096 wrote to memory of 1448	5096	Ldmlpbbj.exe	93
PID 5096 wrote to memory of 1448	5096	Ldmlpbbj.exe	93
PID 5096 wrote to memory of 1448	5096	Ldmlpbbj.exe	93
PID 1448 wrote to memory of 2776	1448	Lijdhiaa.exe	94
PID 1448 wrote to memory of 2776	1448	Lijdhiaa.exe	94
PID 1448 wrote to memory of 2776	1448	Lijdhiaa.exe	94
PID 2776 wrote to memory of 1896	2776	Laalifad.exe	95
PID 2776 wrote to memory of 1896	2776	Laalifad.exe	95
PID 2776 wrote to memory of 1896	2776	Laalifad.exe	95
PID 1896 wrote to memory of 4996	1896	Lgneampk.exe	96
PID 1896 wrote to memory of 4996	1896	Lgneampk.exe	96
PID 1896 wrote to memory of 4996	1896	Lgneampk.exe	96
PID 4996 wrote to memory of 4040	4996	Lnhmng32.exe	97
PID 4996 wrote to memory of 4040	4996	Lnhmng32.exe	97
PID 4996 wrote to memory of 4040	4996	Lnhmng32.exe	97
PID 4040 wrote to memory of 2016	4040	Lpfijcfl.exe	98
PID 4040 wrote to memory of 2016	4040	Lpfijcfl.exe	98
PID 4040 wrote to memory of 2016	4040	Lpfijcfl.exe	98
PID 2016 wrote to memory of 864	2016	Ljnnch32.exe	99
PID 2016 wrote to memory of 864	2016	Ljnnch32.exe	99
PID 2016 wrote to memory of 864	2016	Ljnnch32.exe	99
PID 864 wrote to memory of 2208	864	Lphfpbdi.exe	100
PID 864 wrote to memory of 2208	864	Lphfpbdi.exe	100
PID 864 wrote to memory of 2208	864	Lphfpbdi.exe	100
PID 2208 wrote to memory of 4400	2208	Lgbnmm32.exe	101
PID 2208 wrote to memory of 4400	2208	Lgbnmm32.exe	101
PID 2208 wrote to memory of 4400	2208	Lgbnmm32.exe	101
PID 4400 wrote to memory of 1200	4400	Mpkbebbf.exe	102
PID 4400 wrote to memory of 1200	4400	Mpkbebbf.exe	102
PID 4400 wrote to memory of 1200	4400	Mpkbebbf.exe	102
PID 1200 wrote to memory of 5084	1200	Mkpgck32.exe	103
PID 1200 wrote to memory of 5084	1200	Mkpgck32.exe	103
PID 1200 wrote to memory of 5084	1200	Mkpgck32.exe	103
PID 5084 wrote to memory of 3836	5084	Majopeii.exe	104
PID 5084 wrote to memory of 3836	5084	Majopeii.exe	104
PID 5084 wrote to memory of 3836	5084	Majopeii.exe	104
PID 3836 wrote to memory of 4080	3836	Mgghhlhq.exe	105

C:\Users\Admin\AppData\Local\Temp\a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
"C:\Users\Admin\AppData\Local\Temp\a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Kknafn32.exe
  C:\Windows\system32\Kknafn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\Kagichjo.exe
    C:\Windows\system32\Kagichjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 400
        39⤵
        Program crash
        
        PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4168 -ip 4168
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
186KB

MD5
31ea48d2dc811b486b95c34a95e0eafa

SHA1
327eff9f4e9120c3c2fc174dc71c7d2244d115c7

SHA256
3198fa2eba3cbb815f2e6235ec620f625185b9dc8ad5609dea57ae55d2228548

SHA512
4c4dec2119f9cc01c89e40496559a380e2367525bbd368b407f68f142b51ac8a2e1b920c3f534637711c9518c2b01284b2f6a33705a1c98a776b03ccb670a6ca

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
186KB

MD5
921e8772d13cffdae5ab3323a7157571

SHA1
d089eb19f6d888c70308bcbf4e1a55403e022593

SHA256
ed9e1b8ccf4bb6dfe290442f06400ea72ec76c2644c0fca60008ead2da39251a

SHA512
7aea490f886456f3c70b3561e3c86ccf643c364fc7c639da8145f3b4eda0e8eb9b47e099663fedd77686d071e860570c8a2194036bf8b619c6c02847fe028975

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
186KB

MD5
3243d4ee776f1a61fbe0654ddfbed216

SHA1
db6fac991c141eec35854b3d9e8e7f6a7188fc8a

SHA256
cbae379313758d486277caa8b9a53ea6f9ef9b9398348861f24279a9397e8992

SHA512
57fccb1783e3c2e77cfd98558e02f5e8ee1a62fb83d8c07ab19afd3f81a066865110aeb983512cb7c9e43b8a91a522db1aa13e823270a874f0ab5082ba8ae978

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
186KB

MD5
ffe6ed9b4020cf159a94c3098001ae34

SHA1
04eba203dbcd1992990de5e8bca2f782bdd01206

SHA256
92edfab3b9509ed8533eefc745821a643e0fca242abde6be7649b58bf1b2305b

SHA512
402266e2ccbfe564770cc5f99218bfabdd3b3da7c60801dc517d1c667c5f108b6005d90d52f49191b8f24b64dbafc26179c0b9e99f1064e5555a7f9a5a33ca6f

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
186KB

MD5
1410423c81e76da96262516cc3b1d52f

SHA1
3f97a70dd17fb123cd73cdcfd9b5eec54ec2fa5f

SHA256
3259302d205a834efaf87d0f0bdab03e6dc9dfa88107ce59c3fd4c5e49c0e9c1

SHA512
7149bd3597bec7f2b11a9c35660566301a4f8a1b88b974b5fa62afac607d93a8351e1c540c4fca017b761e176898b866cd5f93d4d72aa177ca0a177748c6099b

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
186KB

MD5
e94ec6d798a79d84ef07bcba2128b396

SHA1
340ac145a38fe1cfd3a9f649014692cb21b29b76

SHA256
2d1e1a724e6c8368a746d5da400a8913e66a33e1914931283a0300ab0d9d2937

SHA512
8c0f6722cba29049a63529e05ad1b96fd7e334adabd1ae14d84e6e2422f3e518f2a3fe48a7e4987d27c8fe5e0fb82f702e414ab2673d267aeb79769fc7df0ba4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
186KB

MD5
11bef8bc77685bedff57b50d0d8c25f0

SHA1
1ae8c1f7ad48edd7c4f823aadbc92d0524ccfc54

SHA256
2505e1ff46289277828f2b57d974821afaeca75772c05a83374207d84aa69bff

SHA512
0dac616e9c5308a5fa39218c2ac8ca5c7f9f0b3a3a732419ae4e13d1649ce7e71ad2ab4b1705e93780cd9e4f4dc9235855d04d2907b92472d68ab0fc1c6ffff9

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
186KB

MD5
c2e75dd5a3dc45f00c08323d7561c64c

SHA1
eb45e52a405a36986e526e06967f2ab9fe815ecc

SHA256
4fb42201141329fe9ff647cdc45e5d8997f00545cb6786b527da9ec981f63bd0

SHA512
04fd8183b33e69e04d7cfe51f21672a04071402e6d2892a2c6b59f3643b7e6e47765040a68769b112c3fa06e91b5a14e146bab0f85af7c7da4ebe10c83567d69

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
186KB

MD5
73a161a3e090c18cf6630b9cd4175e30

SHA1
40ddc540fe58bdc5bd80a58e1c1ea7b564554771

SHA256
8e0649e9711e4c52ca7bc9aa23a781dfaf131413f0257f31705071c682291b05

SHA512
c6cb3d64383bcd2ae2f00c4d064856a239102b2f32e7682c60d7e41da291550c15223b742408a3f73469ebb01135840d44024ca6446340ccf0a134233efe5ae3

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
186KB

MD5
ff639548a2ad6922f0725a87dd04d1f8

SHA1
c4580d74d10ee050189fa9dcec007a92c9fc154a

SHA256
c297c2083716b7f3a55f726257b959d1bcec0723495481e12813796595b96bf5

SHA512
5ce7744899c8421837a8ae458c130210401afeb6fb6142afa298a01743549098026ba7f2d4c10cab5d737ca00e469b558d28c9d305399c5cf1c185bd6f2cfe26

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
186KB

MD5
0a8ed12388969ce29eee7da758b4e5a4

SHA1
d1c24498a32627c84885effa5ce6c12d25d187b1

SHA256
8f36acf98732f7833e83ca603d4c956aff67c0f0bd206c159b7754db66da8de4

SHA512
55ab7496da064939892613071d51e74643493028b4308016d9bdcf52340d4e84d35a8e73c7d7408680c1cd717ceec122937bdb685e5a763a7cd1cc70941f8104

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
186KB

MD5
8ddff2b4d574c3e2bca8b48b20fb384f

SHA1
8985220e9413f0c9b73262c51420bac815ebf7f1

SHA256
029e3058927eaefab8b2b4caa04248a5f6e2369083733bf161ef8013eaffa534

SHA512
a32cd43d0268a600da45bbdf85e710fc0ad7754652b52f82e948db3390682981191e750b049dee701097af42bff75f319ce2072a92a865b90f2049e7de3eafd5

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
186KB

MD5
5fef6ca76f7593637d3813fc6b65fa91

SHA1
044d5d36a15b126bdaa7e29e69fe1d879fafb67d

SHA256
13b82c501ddf84b48f9588077689c2061f3f4a1475367ddfc11112685f0016dd

SHA512
094d996e9533b7641f856619b6dea4df3d23f3ee27c519f38ea385f7cc5fe3577beec313708210f0e2596e0000ef8754c218c39f157c990cd38aeeb54aaae2af

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
186KB

MD5
a2d4134fc296ead7f6ce2a1b705fc7a1

SHA1
04c00eb2317da8964bf7156afec4c177f85494fc

SHA256
40f6b089909005a672e58625daf50edb0c0b70ad404c9f177f6a517d4055bfec

SHA512
e0eb52ac7f1b2e3d973cd094fc26f7c84c5801ad5522ffa98f86c2cf5c7eb181c78aa39ad53d79e58cafc7eb1636970fcd9975326f0ba082a4db6a3b0a49400f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
186KB

MD5
9004be8eeb6a2a4bab8c8f19e7040c26

SHA1
0b012714003cb4309e4f41d6515b8b6b9189afdd

SHA256
efd169ce771d7fb33488689f905da3f23f9b1d5ffa985a05141458e149342b7e

SHA512
3a5f6de633d235ffee994918c9b9e598a38add68db55965bc61e16d20a24697f85145e1544c99f9747f0a664accabe22f4f5c79b84200abf906323fbc41e1741

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
186KB

MD5
073e0e1e851bcdd5b28795ee26138071

SHA1
154e94bdbc39ac5fee314bc312abe4774c7a9432

SHA256
6a3a360deb0dc1c60a13973ba196d1eec096eba4e247716dcd9a0686a85e66fa

SHA512
beadc1b06c5f11eb175c177edc6f15cb8ca6f24e99fee100b20916813d8bbcbf04bfaf5f7abc30a4b7af2c0cdc0ef21ee1b69a6eb3db06aab4144d9ec3b61144

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
186KB

MD5
12f76123ffcdf82e8aa50056519547ef

SHA1
e74a0eb46755edd6747d238746eb15fbea9f38fe

SHA256
7b013336ab479584823b274a01f6607919794239e691bc6f93ddb6d7ec47ec47

SHA512
a5542db4d840952f40dc5a27ef9b11f79ee14d53d9c1faeed8089d5b150ec21acccd800e5e244372253cd2109d10ca18f934ca45831951e190a4399edbc90686

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
186KB

MD5
791034c0d4b5e33a1f68d13b9fbc89ad

SHA1
49fc14afbfe6cbb3137ef70b3a3b963c54dfb9a6

SHA256
24c669da980db00f3d06831bffcdc8e5406a15ca4eba04fb758f87a6a87f78ff

SHA512
50160fb2e34b2739d1ef95b864adc5975298da905254130bbe9ed08f367f66c0b0560f962e544321430b4f18eaa3a69040ecbd5d1d4041ff0554592d238fd76d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
186KB

MD5
f9e79deb204456399176f0d21d436fc7

SHA1
d4150144d19f5b1a095c9a3bcf742eb54bf84777

SHA256
385b9557b07959bc16ef50c5a990d31e09cf459adf702a98ff880debd4027e8b

SHA512
c4bb0d383e2e2d6e2f1bd574a0a346306f1953d29fabe9e5ec4393fdd2cba5f4bdb403e9cf22d96e79f08d4f2ee9328a561931623080c7ff85b30b6a8549a20d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
186KB

MD5
fb1b75650faf9d0439f35d4dced959f4

SHA1
7aa6bb399631ad4a8161980ae9c9e1a4a4682bf2

SHA256
e6a77e9df9fdc98003119bdcda02b477674d14a3736beeece99f705b26e128b7

SHA512
18b0377d2a990d02dd3efcc1ae169e7bb4821805d8d36b7207d3ce0dc2d083b76be85b8fb92b0cfcc863db95725269947a1d174ee43c7eae1b15756a617410d2

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
186KB

MD5
6a0529d582a7d2bfe70ba16e2b6aaa6d

SHA1
7e98ce037ce48692bddf61ef493834918f97ecdc

SHA256
9af02625c7571dfe117ed2cc0f689e4fe77cd9f8a84f27218e4a7b64590d3f5e

SHA512
25f153ab413984486e57add4cbc32b44a05c9f336ded287304734e9ab0f566396ea699c511c6696345717670d447d046978fed500d589170d73f2f89832036dd

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
186KB

MD5
ed19fb57bcf339269a50f4e8a7aa9e3f

SHA1
3a620b25463ca367d47f6452b1a25441700fc8c2

SHA256
d916400564ae04afe3851f29d8207de387a9884bcdeb6fd358a0ec8af0863191

SHA512
ffed2d4259f4761000bca14617478a99a727f519f56aea2bc3888a3168b3db0a9f5eba511a09845e3e08d60905e99b4fdc0e0c3fb601362499b4ac1cf78ebe4d

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
186KB

MD5
e94e85f9fd77a496ab945eda723bef82

SHA1
63a6f378c6c6e2b7de9f8f3ba5cb1c1c4932fb7a

SHA256
47000e91be89fb6b7a0513cfed06fe6a48f730d8fb98d3f1bc4e3579d7187c20

SHA512
0174549d75c83b60ec52736c127ccefe4cc0fe796f4b442a42faf24527ba5d5a6c71189708d2839cd939ff497b20aab12cb49129e4fe8c8b6400b4241b2fe532

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
186KB

MD5
e5e0e748154b45f0752916f6ee46c60f

SHA1
0e1e2ef6c4e0d448d4206cd26cd200e28e0d7791

SHA256
a9c447a6b24e6b01e1435837505bd1a4f8d801a9919764f0c08b6dd45eb85df0

SHA512
8affacd3c9361b8d8df9612b41e1dfde963e07d9ff00a7727b1574c595e0c21bd7bc23dc51d3814721bca0f0e4b71dfbaf9e1e9952ed233acfc9693951e7380a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
186KB

MD5
ec3b33048921c37309d0d5fccc37436e

SHA1
186b9df240079907cc017c2435d74d330977094b

SHA256
ba9a170f56d65d59f9d37b43eaff81408cb842a1eac972f9b20b47a2e6fddfb8

SHA512
53053244429ea475c9bf2e6b8c43ad8ca3997894edbb3e9e6d2a06f3a710df07a967b646a38cd25fee49c0b27721ac857eccc8ce8c4f48f399424e20856ffe70

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
186KB

MD5
a87054a49d75538f2ab54de5eae8bcf3

SHA1
22d29857016795ebc26bbdbf748f79dc86692090

SHA256
026a6f0b3e13fedd8570177bb151ae71d1c491dfac5aef03e33c5e2525eb5612

SHA512
d132a524d6894d169d7e51138a4f652928504d8e67cded22a360ea7ee5a25f3f7dd0b9f25f0c4cdc9203c8c7a2854d164572177e969523b43a2681be9ca47ebd

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
186KB

MD5
407cac2a520ed6ed785ae8bf1ce5dc93

SHA1
aea246b862cb363921a923e73c1567f6c5e92fb8

SHA256
eebd4ea928bceb507f1a42c80493a02988dbb2acd4d5b5951cb317fe9b397d96

SHA512
ba4e05d29a61284e2162fb09df7eb65fd054034668d279543ee6b41406bd38d834c1e804ba64b5a9059ec4e78fcee5ed831297f1e613899dbf5b709ef02b7770

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
186KB

MD5
223acda2d015e86f6fdbcf366dc39fe1

SHA1
b96ce6531cce88f10b92ded134cd1476fe25a004

SHA256
5c23350dd7333a5864c540948e729f2f597f82571631d15236e244e0358d5047

SHA512
17d6d5b2afcec3e8239c5f991ea625c2ea7c2b7d55c60ceabe62b0ffe84f7c3dfc66128da5787efd9412a7ce54024b22ae9a872550becaa7874b5ecd438ea56e

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
186KB

MD5
9503ad253679ed9256032f40561fb570

SHA1
077af8e82673eef5230d9841a130e4ccd1a53c90

SHA256
966fe3a3d3ff4fa6ba724115782489e37c574c0ba643469be9b27f316886590e

SHA512
1edfc55bc6570f17e2eb9f11c30231513a21b4b7ee6b8a23096564c9cf47684717aba02e2c67d930bc9c69e93ab4a2f06e51560b64eb47d5a981e2b7ab70e586

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
186KB

MD5
8b64a3dc659d2b7705f8297d8757c01e

SHA1
63d80105b5a80abdb7b2d615a29172596a8cade0

SHA256
3a5c540984997097fa6e0c9ec3e01494d77b6b197f2f1a88f7c394fd2eb8373e

SHA512
999f4cf0bc5df7be5533a66e6faf45fcc3eabf0bca0082dab57776425e5f5bde019792faf6162e320f90735ced670c2a6fba837fe9a42330ad780d112a4e60a2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
186KB

MD5
24f0d458b096c83b64d7b7467b1cb663

SHA1
c87e6cfd6ef50c8beaa9120176d00bbebf652b38

SHA256
563febfd689ed8716b5317b75391fb37a813c47529a828fe74306241f0e34af9

SHA512
674bd30a19b7bc8323432abd8cfab3c323a00432babb90335ae8e5f38d37adf13b1c90e764899bf00889d0ec726ce6a5c8cfb1b603a7a3cd749c8804917a1fe8

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
186KB

MD5
89cd99d4e5361929752728b6d0388d1c

SHA1
1a97e1236a093621f506ab258b6d8b325107a876

SHA256
b796ddb6b8e405f5df1ab2483be233acbfbc80cf2ca3d73ca644261f48fbd35c

SHA512
2976b76fd17e2a7a4dd9b4d0b3fe1a48de2f411cc1ed1337d60d37be3d22ba275de2681e966db03e4988179c027df0ee6c30a17cf67d2fe734fae6c0f2281038

Download Submit
memory/864-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads