d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe
Size

80KB
MD5

b7ba802846af3e68a5399868b8625764
SHA1

eeb605c6494a5cc9e19b79499e3e887e714f2c9c
SHA256

d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9
SHA512

c11b819acc52613265d572b27b78521538d0d448bae2a4abee4296e427d8cf1f6672042ea8bcc8678fe334ebe9d949443c8a48aaebf759d0c95c862d415fbb79
SSDEEP

1536:rMZxcjN0Hn+XtbLU80Hf/Wv/Xvp+FX/03rWzDfWqdMVrlEFtyb7IYOOqw4Tv:rMYjNy4h0QX4526zTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe

Executes dropped EXE 52 IoCs

pid	Process
1744	Kipabjil.exe
4364	Kagichjo.exe
3956	Kdffocib.exe
1836	Kkpnlm32.exe
1964	Kmnjhioc.exe
3468	Kckbqpnj.exe
1344	Lmqgnhmp.exe
5100	Lpocjdld.exe
4876	Lgikfn32.exe
1644	Liggbi32.exe
3812	Ldmlpbbj.exe
2408	Lgkhlnbn.exe
2344	Laalifad.exe
1588	Ldohebqh.exe
4872	Lkiqbl32.exe
2308	Lpfijcfl.exe
2524	Lgpagm32.exe
1524	Lklnhlfb.exe
952	Laefdf32.exe
900	Lddbqa32.exe
5044	Lknjmkdo.exe
2552	Mnlfigcc.exe
4080	Mdfofakp.exe
2544	Mkpgck32.exe
3120	Mnocof32.exe
3496	Mpmokb32.exe
1232	Mgghhlhq.exe
4712	Mjeddggd.exe
2348	Mpolqa32.exe
4244	Mcnhmm32.exe
3912	Mjhqjg32.exe
3024	Mpaifalo.exe
2616	Mcpebmkb.exe
1696	Mkgmcjld.exe
3148	Mnfipekh.exe
2796	Mpdelajl.exe
2000	Mgnnhk32.exe
2460	Nkjjij32.exe
2064	Nacbfdao.exe
1800	Nqfbaq32.exe
5072	Nceonl32.exe
3484	Nklfoi32.exe
4508	Nafokcol.exe
4848	Nddkgonp.exe
3612	Ncgkcl32.exe
4024	Njacpf32.exe
3080	Nbhkac32.exe
3472	Ncihikcg.exe
1272	Nkqpjidj.exe
3108	Nnolfdcn.exe
3384	Nqmhbpba.exe
4520	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	4520	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1744	4260	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe	82
PID 4260 wrote to memory of 1744	4260	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe	82
PID 4260 wrote to memory of 1744	4260	d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe	82
PID 1744 wrote to memory of 4364	1744	Kipabjil.exe	83
PID 1744 wrote to memory of 4364	1744	Kipabjil.exe	83
PID 1744 wrote to memory of 4364	1744	Kipabjil.exe	83
PID 4364 wrote to memory of 3956	4364	Kagichjo.exe	84
PID 4364 wrote to memory of 3956	4364	Kagichjo.exe	84
PID 4364 wrote to memory of 3956	4364	Kagichjo.exe	84
PID 3956 wrote to memory of 1836	3956	Kdffocib.exe	85
PID 3956 wrote to memory of 1836	3956	Kdffocib.exe	85
PID 3956 wrote to memory of 1836	3956	Kdffocib.exe	85
PID 1836 wrote to memory of 1964	1836	Kkpnlm32.exe	86
PID 1836 wrote to memory of 1964	1836	Kkpnlm32.exe	86
PID 1836 wrote to memory of 1964	1836	Kkpnlm32.exe	86
PID 1964 wrote to memory of 3468	1964	Kmnjhioc.exe	87
PID 1964 wrote to memory of 3468	1964	Kmnjhioc.exe	87
PID 1964 wrote to memory of 3468	1964	Kmnjhioc.exe	87
PID 3468 wrote to memory of 1344	3468	Kckbqpnj.exe	89
PID 3468 wrote to memory of 1344	3468	Kckbqpnj.exe	89
PID 3468 wrote to memory of 1344	3468	Kckbqpnj.exe	89
PID 1344 wrote to memory of 5100	1344	Lmqgnhmp.exe	90
PID 1344 wrote to memory of 5100	1344	Lmqgnhmp.exe	90
PID 1344 wrote to memory of 5100	1344	Lmqgnhmp.exe	90
PID 5100 wrote to memory of 4876	5100	Lpocjdld.exe	91
PID 5100 wrote to memory of 4876	5100	Lpocjdld.exe	91
PID 5100 wrote to memory of 4876	5100	Lpocjdld.exe	91
PID 4876 wrote to memory of 1644	4876	Lgikfn32.exe	93
PID 4876 wrote to memory of 1644	4876	Lgikfn32.exe	93
PID 4876 wrote to memory of 1644	4876	Lgikfn32.exe	93
PID 1644 wrote to memory of 3812	1644	Liggbi32.exe	94
PID 1644 wrote to memory of 3812	1644	Liggbi32.exe	94
PID 1644 wrote to memory of 3812	1644	Liggbi32.exe	94
PID 3812 wrote to memory of 2408	3812	Ldmlpbbj.exe	95
PID 3812 wrote to memory of 2408	3812	Ldmlpbbj.exe	95
PID 3812 wrote to memory of 2408	3812	Ldmlpbbj.exe	95
PID 2408 wrote to memory of 2344	2408	Lgkhlnbn.exe	96
PID 2408 wrote to memory of 2344	2408	Lgkhlnbn.exe	96
PID 2408 wrote to memory of 2344	2408	Lgkhlnbn.exe	96
PID 2344 wrote to memory of 1588	2344	Laalifad.exe	97
PID 2344 wrote to memory of 1588	2344	Laalifad.exe	97
PID 2344 wrote to memory of 1588	2344	Laalifad.exe	97
PID 1588 wrote to memory of 4872	1588	Ldohebqh.exe	98
PID 1588 wrote to memory of 4872	1588	Ldohebqh.exe	98
PID 1588 wrote to memory of 4872	1588	Ldohebqh.exe	98
PID 4872 wrote to memory of 2308	4872	Lkiqbl32.exe	100
PID 4872 wrote to memory of 2308	4872	Lkiqbl32.exe	100
PID 4872 wrote to memory of 2308	4872	Lkiqbl32.exe	100
PID 2308 wrote to memory of 2524	2308	Lpfijcfl.exe	101
PID 2308 wrote to memory of 2524	2308	Lpfijcfl.exe	101
PID 2308 wrote to memory of 2524	2308	Lpfijcfl.exe	101
PID 2524 wrote to memory of 1524	2524	Lgpagm32.exe	102
PID 2524 wrote to memory of 1524	2524	Lgpagm32.exe	102
PID 2524 wrote to memory of 1524	2524	Lgpagm32.exe	102
PID 1524 wrote to memory of 952	1524	Lklnhlfb.exe	103
PID 1524 wrote to memory of 952	1524	Lklnhlfb.exe	103
PID 1524 wrote to memory of 952	1524	Lklnhlfb.exe	103
PID 952 wrote to memory of 900	952	Laefdf32.exe	104
PID 952 wrote to memory of 900	952	Laefdf32.exe	104
PID 952 wrote to memory of 900	952	Laefdf32.exe	104
PID 900 wrote to memory of 5044	900	Lddbqa32.exe	105
PID 900 wrote to memory of 5044	900	Lddbqa32.exe	105
PID 900 wrote to memory of 5044	900	Lddbqa32.exe	105
PID 5044 wrote to memory of 2552	5044	Lknjmkdo.exe	106

C:\Users\Admin\AppData\Local\Temp\d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe
"C:\Users\Admin\AppData\Local\Temp\d0f7cb5c94add8d6b34c07a083023d9170bde1cf51972a65a00dad3b609018d9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\Kipabjil.exe
  C:\Windows\system32\Kipabjil.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Kagichjo.exe
    C:\Windows\system32\Kagichjo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\Kdffocib.exe
      C:\Windows\system32\Kdffocib.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        35⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        53⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 400
        54⤵
        Program crash
        
        PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 4520
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
80KB

MD5
f0b9014ac60782077ff3fffda20fff4c

SHA1
ff2cb18c7c84ca3eb92a0f958a238deb8f303759

SHA256
0a6ff6591408c749ae1b6be4264007640c1e5a6829be1de1ac02b3e77fdf0a60

SHA512
2254fec113406ab56db2d7910ab8774f642c23c0a48c26d29b5910baf81643b25a6d1900db2364462094cfff2b05fb0ff3cdac684c627d4a33580c18a7acf45d

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
b12f05109c7d757b9547e018a816d188

SHA1
7b2a638de19d34f64ec62e074b05e28973e1b313

SHA256
63ee051dab2a31a6125dbe901c3ae12dfb26486418792f39492923bb8d41b05f

SHA512
5ad3cd4c1bc10c52c780ed84da0bb33232b064a8f14eb634b3fd063f445e8eefc7f079a4ae059cdfd357a87eb663faad0f86f52f79479b4e3bed107ec881d222

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
80KB

MD5
f2d4954597b07c12cdcb6d9f62ddb5ba

SHA1
addc36ca8daeee351bfe8b8214f3af4f73ae3288

SHA256
a38c9634395c64bd7f308566c668fbc858fa66f5ca0946b670d82ad8364b0597

SHA512
f5f90c5c82e8d3e25b25751989842fd15b497c196a4c914f857bdcdfc7ccfe40c3d01565063dc2599156dbaff11417044fccea9f82419817cfa160fc760d1144

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
80KB

MD5
9158229fa5f10c346a765e0a5d601180

SHA1
b56394d50a6e77607f32ccd1933df3562a022dc0

SHA256
85242966087b3f24bebb2f4007e1543b0599ad1cc4be2d6e8d46a03ec4a2dd73

SHA512
7cda40c78fb1532393ebc3107faea50ea6ba8835fdde13884e441754733cf798d43bdffcca967a4f2a668cc42ddeb0eee62815b596283dbd80469e128ea92567

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
80KB

MD5
f43fba75774e147397108e2ec0026ac9

SHA1
314cca3a3768156e9a71b0972b0bb23d8f1efda6

SHA256
5a4b1e92066017b767e3659d0874eabe9fb60e0ba67833dd34d2a47853bd9658

SHA512
eaff4241edaf3afcb90a9f924e29324f7ef251404aa089973c1b18aaf9c86152e4655331337fffc4705984b18ade9d8cba8cb9e4629e4ccfddb0ef2997479b61

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
bb37a8e929857ed5d9adb11a054a0be5

SHA1
c98f3afb5b5300da76c5ccbf24a8b5fc077fdecb

SHA256
2b81d5bef59fe4bfbb48497258341752e9faeca650165f684244535cd20ded0a

SHA512
7441be91e4ce6851250f660e175c9cea8c1c47f7ea00402cb48ee7aa510e07cdc04345ec66068b4985f4df4c25c6964f277bc7710f41203264329a10d76651e5

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
ee53967c24485f91f7fa653f5730403a

SHA1
19d874a1c408d39ff47ba63b640edb1195f373b1

SHA256
249a9ed469fddec84e3756a59a232597ef68bee6edadc18fa0e18998ee75afc3

SHA512
41cfce5d210699967a650cea366b13d751d4b67465b0c6823e392457e8b78909745cd73f280eb1736eec14332d01811d2ccdd0f33c13af9df0442867f719bdf2

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
a94325394ab63e65270c3ac4caa23cdc

SHA1
27cbeff17c549efc09825d6f21a223e30c6f9beb

SHA256
326b571389539b9b49260892b9dbbcd23ca4e06c7ae4d9aa0008f9d25a66b794

SHA512
4a50a7078f3074bad30f06f1155e477367898257873322780a2c39ad6617b909f9ee9d97ad0c4272025f100c8d8679a08b618d9975994c6c73ac3fb209537dc6

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
e510730b9a0f56e8949fe2e3af11be92

SHA1
5964f9c4705b8d7dc6e2de6bb8f34025d073fc74

SHA256
9d201786c41e1ee6bb0922e56216601c311a67ff7f698c497c3cf78fdd00650b

SHA512
45e416a7970757bc9363111ec99392283bc44de630a924c5b590ad274f77047b50c8b8cc168aeb5a0492d3ae9630d0d6ee26d71e2cab96f312bdd9c281dae6b4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
749b7a6f0e36e27f0044de8b04350066

SHA1
2080ed2bec4b2f7140d3a5d2c3014ba378e162a9

SHA256
3d4a7421499a7caff554ce1f67036c77edbe2a3db56ed9798a545b0531364d74

SHA512
5d2d1d58dc3892a8d101b00c1e5ed40a7afa77dfa3cbd3f65378bf6505b8e9276a2d3a9f38d9f7303dcffcb41da80c52d617ac23b80d1065f66f3f5abbc658e8

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
a32b10d0f7b95a720c46b3a804dc098b

SHA1
0cf167a51b35c82efb06cbf77abb5d9db4ec0c72

SHA256
1356bb3cda59f9e6ec484b7c092df8d84bc4ca6f7f61ad4dbd5cbe9eae160197

SHA512
f1b88728249a164f8a7ef7b4463a3d261d36e121a83b410b5768d4c6b1c540409b9c63341a10d684b67713622773c49a6d14fdac1f06c68155026df20ee86806

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
80KB

MD5
773e2315256901c45a8219fa27e13532

SHA1
665b2649b8e552cd45483447ed7023006fb2ee2f

SHA256
f3e2d3342b00760d51b35b2fd9001b72f7f6f7452e7a9d1751e4ca6f3fce087a

SHA512
112f0ee595552430547734e8554577fc1e9b215cdae3111223df367be9213935c302427fdcf8a0ea031b4ff30911c19413c78c65559f5590dba4103bd96d6abb

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
80KB

MD5
96586ed479158d6da52ed386dac8a28f

SHA1
398e8f4757edd758b11efea42b3eaefae5bb1d90

SHA256
408f3bd36b2afd078e6a39c9b74d7f27f8ae1525684d0b5abe32234bbcc0e6bb

SHA512
d0231761a4a6c48d801163e537adb68939e75e9f10f624bb97521907f75c8cb141287120bd33ff30589d48769e0d588c1e7dc49ce120be1327f99d9e46185463

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
82c923e792f8539b0e6ff001f4bd13ea

SHA1
a8651ffb62b62670bf4aaaf175812336c8f50c27

SHA256
7887efcf46df9153fb682ebf1cdd061c1df0e4fb5c1642842aa54c0a518d6660

SHA512
a510bb34f483d95f1525464239d470e53986a0a657b8aa80bd1fa3d02f7b353a903fb0784e2219905eef88be236a486051c336ab61e40ea5038ace06192b3619

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
80KB

MD5
224f87c66e850cf903db61f2a0d92038

SHA1
ffa889aa3adea019bc53a1315d70c9827e1bee23

SHA256
bb9aaf8e4d8d68c9595fb84845f91963ba726cdfcbed985af45089b963a29e5d

SHA512
00142bd0b5a5b7c581b655037473aee47560a8bc71abe180721f0bc669500c1920c6f1e2766f375c9f704bf1dac138fc9f70712731cad17c8608defb68946947

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
6427334085665585e46a204eca773e02

SHA1
c2832bdf0689c1749514fc9807c86a8cbb25944d

SHA256
db0d3524705de3a179786e19c8dbfddcb483d66e8c785d83469ed10a252e0f9c

SHA512
94518cdb2844a4b65fd33059f1b4beebf57ca1cbc8eaddb5fa04f53e30c0df574e3bf61937b2b88ada7057dd87c5f36af42eb7914bd1982c2a16af260264b63b

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
80KB

MD5
e6d9e6a33b4d2e74b4ef93d3fcf92896

SHA1
b2c9781ee07b10dfd0544f689747579a3d72b67d

SHA256
2e54e9a9c7937a3ab9c1a0fbe93e6f537ef67a4ac92ac8b67397998ed2d1eba7

SHA512
003df58a22e25806099284819ba9bd34383452baf0e4916c636203d02fa00addef23caae9baf14f9a2cafb6720b33865e5669e0df13e7f8d6826db6184c15f16

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
80KB

MD5
5a639f85cd9ebbce48899fd406f58372

SHA1
77cf18637b1603af62029badfa89cbed57ebdf02

SHA256
86f18cc823a412787ea1165a6966ad1c90ad604fd9d1a6b4de2cc677ccfb44c6

SHA512
a0d86b39979cd91894de1a8576d29a685d389211fba95a026031df0a847011bc91b6a0efa3a96fa933e8f2865de368c31fdccb29dea0c13318556933ff43ab44

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
80KB

MD5
cf451547929bffa856aa222ee04ec950

SHA1
55171199cd81451bef5ce14b11cffc802ba1e827

SHA256
138d7e0503e95115e912f68ddeb64fff5592eb804319a614dd484dc1da369e1e

SHA512
063f76dca5d1ad94d472935cb172147974c5ea066cfe1bff2e78052b33aadbae0beddfccfe626f41079c721a11cf5203ecc97a3ab4d384fcd7b3a6e9a568cc23

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
1d79831cfc51d80f7fb35c06759ade35

SHA1
e127cd0655288e0669fca048d54866d2d871ba2a

SHA256
bdf8b3d2d2e8a1541d1c67d668eb6dd9ae5150292202b4d542147f630aaacb38

SHA512
c96d4d7fef65fe511c876c1f8294dc284a3c0e06d44d7b64f4218a363579f6f4698068fe21ed2f2b4ec341ec22f9bce2717e52423ca85b9f86f7c9a77a736126

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
7275aabc845cef2115432e3fe9d4f25d

SHA1
59b9cfde1c0d5bfa0b4e00170735a2b858480403

SHA256
5e071ac9eda10ba55d1173f64320f0cce5f6fa57b8f83f0a2a583f17d774400d

SHA512
41400690a9c07f2b5729257eff9c06a8ce741d9f1e58d638a3485c1b20288608139eeba5ecc0dd430dcfa96b24d0360f3a31bbdb3fb8a5a68e1821232fed05db

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
80KB

MD5
a50c803d21aaa6129b2dba38768fcc97

SHA1
248e56950989dd95dcf47419081fe663439ed258

SHA256
91478a48c14a2aa319654309a7d472c305811932201dc2a4fc32a2ecba731130

SHA512
8e4f9387a4d1b55e7f014515e3808ee83737e74142179b0c03305218c58a5c241920a7ff1e751594255fb59c476eb4f92b8ba7388c91f6e8d26e5658c6b07e31

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
80KB

MD5
d83c90929571de78ab68c9d2821e7966

SHA1
2398d8de499f219879a8184ee0ba10ce34e58734

SHA256
6d08b0c28df936513ffae26c25912917a53a0bbd4ead088f3067d7c177429b47

SHA512
5d5315f717dbdcf0d952e1aa6e10c4d5248f1353ab00d19e47b9208733d62d7922165b729791a51e562bd2ba14f192c10d77534067ae3d9f71a1cf25827cdc1f

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
80KB

MD5
e36325dd429c369b5d1e1dc26ba025b5

SHA1
be0669088281a8233b84962546f3e17947a34aee

SHA256
4bca1c2f62934516c55fbf43187abf06cff406d112d6edd0913aa84c6a368856

SHA512
31030a6dcaedb0ee9f3fb8826a822a904df2e87be494023ecf43f375bad0680ddd97b7da351d7b5da7767015b6fe12e1d724b1852155bff3a3324f1a8fd3a632

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
3c0ed20663141f10a907088ab70f16f5

SHA1
4e814ba65409403d286b8c978250303615ebf82f

SHA256
b847fb957cdee28d8f4446e5e54c4e60ba3f56b6f5523dcefba599ee4d2e9268

SHA512
2d262ffcbd83401e9d9288992540ec736ae1e646fd4d951f74206833424c264785850f89a933336c1f895e004a8d22c8266e6b928e118b54defeceaddf920ecb

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
80KB

MD5
f136e21de5dfc1948b807df769e5de76

SHA1
79ef8b2d3bdeb85a1cf3aac2fcd0574a22e04225

SHA256
69686d9f2a85652f12843796fe67f234f0b63683b3bc3a66734b4c204cf61ed3

SHA512
e48bec34ff02721d2a75df376e2e0cdec545ccce5c70f7af9b38411785971c2d6a59c4e0ad6e7e26e4a8cc04639d0a1c09a565ffb781c214b22652eb3b46d736

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
80KB

MD5
77cd4c297f15513f9959e71cf2c3e747

SHA1
80133e4d8513364f52788eec3dcc12f47c01bdeb

SHA256
8081bfcfbf83775c37ff271d1d16343853d225be0958a35da978bb5f8a9c65d0

SHA512
d23463f08ba0332497e7e9dd0da9ac2ad20780f0e1fed754217286837add7d300d3fe59cf31a1dd6caf2160c951e6aad854d4e6b9c05d26245f32728e97599c3

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
80KB

MD5
e5214d4f7991595c77bdcc96340b320e

SHA1
3115756e2db83dfeb369b296024c2be38f6f6b47

SHA256
489629ca956c13225d1ad183a0542ba3cdbb0d6e83d4ab71cbb76b07bb7203ca

SHA512
1e1c8a7d84d34e41b1303b597a9b76231b5b02d79ad33d5940c8baea74b6947201df96287d4739e1bcb7c6e52b40a8d0a1659cc0b6e16f3c81c65ac1fb57374c

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
80KB

MD5
1935354519ced182c74586d142fb3f78

SHA1
146a2d511a1a0b959400a6a28b7de7aa720705a8

SHA256
0579b3e8b46aecb5b3381e2aa0ddf359f89d5f9cbbbaa3c634a867037d0c7413

SHA512
e30f72710f8f92c0b04d57f9c8852bf9ba875cb71dcaff853f24ae0aede489a239069f724d611da7c871e7855b347cd68b62721c17b3e7ffc4659f73f8350173

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
80KB

MD5
a478a1860537c0ae6db8538402f58aa2

SHA1
62c58df031621995459a59a4acdd7e993681a547

SHA256
a1a3e188bd79ec88999ab7dec5ba80eb17de82df9838d694226d7a9a3dd21d82

SHA512
f4255308bed41538f649da873a8d42a032be483d2e883ed40d84218de65f12a9b6d9e8dd306c6596868353f7bbde9cdd67d9af23396f717fb37a0e52838564e7

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
80KB

MD5
919ba07fe09d0aa8ec020ce61fc399fe

SHA1
3fa19db181c16b4b396a7ad857f30cfb0fb3453b

SHA256
c376078d058003137fca7bd1db5d3b32640d2c4e6cee6ab3773a473ab2356bc5

SHA512
0f6ec10a4504014b33dd439ace85f4c9afd6e80d1914b45c50b531989f78a6d48c27e01995271364aefd161d624272c1f392c312ec7d7df9f3b5d257ea417ff7

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
e96aed5a96bf3c657a3e06ffd2695c97

SHA1
adbf1ddf4bcfb6f038c39e9074bd1d03a2e2eadc

SHA256
9eaf9b430ff6e26206d9fedcaddd526e081c1bd00f4c6f4086413ce585e8732a

SHA512
0909c8d228562699db9e705e4010a901428996b732e9d3836cb76db26f27659dac87bbcc50dbfe2cd07f66b765011cc6bfe5abd846f84e90ba9b94ff3e432019

Download Submit
memory/900-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/900-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3108-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4260-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads