d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Size

80KB
MD5

afb1f546a1bf0253c828caee82e6c373
SHA1

c21c2d3a3e6de5fed99ecd6197baa932bce6bcc0
SHA256

d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7
SHA512

c38dfc3c8309195b9cf2a3ecbb361c89457696a01d56215f8973283ea2c64527444f7ade026bb92e4f7c295fe08ff1ab0901cc3bae2dd09a0c99645ec552b87b
SSDEEP

1536:Ae2Q9HXLMgChCk03a7KiVzDN+zL20gJi1i9:A6qgChkquiVPgzL20WKS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe

Executes dropped EXE 31 IoCs

pid	Process
3644	Ldmlpbbj.exe
3684	Lkgdml32.exe
636	Ldohebqh.exe
2116	Lgneampk.exe
952	Lnhmng32.exe
1924	Lpfijcfl.exe
1884	Lgpagm32.exe
1560	Ljnnch32.exe
3064	Lddbqa32.exe
4348	Lgbnmm32.exe
1524	Mjqjih32.exe
1692	Mnlfigcc.exe
2900	Mjcgohig.exe
1460	Majopeii.exe
1140	Mgghhlhq.exe
4764	Mnapdf32.exe
1928	Mdkhapfj.exe
2948	Maohkd32.exe
3956	Mkgmcjld.exe
2932	Mnfipekh.exe
2672	Mdpalp32.exe
2112	Nnhfee32.exe
3852	Ndbnboqb.exe
2176	Ngpjnkpf.exe
4808	Nqiogp32.exe
3512	Ncgkcl32.exe
4464	Njacpf32.exe
4208	Nqklmpdd.exe
1580	Nkqpjidj.exe
4684	Ndidbn32.exe
2644	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4776	2644	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3644	4020	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe	83
PID 4020 wrote to memory of 3644	4020	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe	83
PID 4020 wrote to memory of 3644	4020	d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe	83
PID 3644 wrote to memory of 3684	3644	Ldmlpbbj.exe	84
PID 3644 wrote to memory of 3684	3644	Ldmlpbbj.exe	84
PID 3644 wrote to memory of 3684	3644	Ldmlpbbj.exe	84
PID 3684 wrote to memory of 636	3684	Lkgdml32.exe	85
PID 3684 wrote to memory of 636	3684	Lkgdml32.exe	85
PID 3684 wrote to memory of 636	3684	Lkgdml32.exe	85
PID 636 wrote to memory of 2116	636	Ldohebqh.exe	86
PID 636 wrote to memory of 2116	636	Ldohebqh.exe	86
PID 636 wrote to memory of 2116	636	Ldohebqh.exe	86
PID 2116 wrote to memory of 952	2116	Lgneampk.exe	87
PID 2116 wrote to memory of 952	2116	Lgneampk.exe	87
PID 2116 wrote to memory of 952	2116	Lgneampk.exe	87
PID 952 wrote to memory of 1924	952	Lnhmng32.exe	88
PID 952 wrote to memory of 1924	952	Lnhmng32.exe	88
PID 952 wrote to memory of 1924	952	Lnhmng32.exe	88
PID 1924 wrote to memory of 1884	1924	Lpfijcfl.exe	89
PID 1924 wrote to memory of 1884	1924	Lpfijcfl.exe	89
PID 1924 wrote to memory of 1884	1924	Lpfijcfl.exe	89
PID 1884 wrote to memory of 1560	1884	Lgpagm32.exe	90
PID 1884 wrote to memory of 1560	1884	Lgpagm32.exe	90
PID 1884 wrote to memory of 1560	1884	Lgpagm32.exe	90
PID 1560 wrote to memory of 3064	1560	Ljnnch32.exe	91
PID 1560 wrote to memory of 3064	1560	Ljnnch32.exe	91
PID 1560 wrote to memory of 3064	1560	Ljnnch32.exe	91
PID 3064 wrote to memory of 4348	3064	Lddbqa32.exe	92
PID 3064 wrote to memory of 4348	3064	Lddbqa32.exe	92
PID 3064 wrote to memory of 4348	3064	Lddbqa32.exe	92
PID 4348 wrote to memory of 1524	4348	Lgbnmm32.exe	93
PID 4348 wrote to memory of 1524	4348	Lgbnmm32.exe	93
PID 4348 wrote to memory of 1524	4348	Lgbnmm32.exe	93
PID 1524 wrote to memory of 1692	1524	Mjqjih32.exe	94
PID 1524 wrote to memory of 1692	1524	Mjqjih32.exe	94
PID 1524 wrote to memory of 1692	1524	Mjqjih32.exe	94
PID 1692 wrote to memory of 2900	1692	Mnlfigcc.exe	96
PID 1692 wrote to memory of 2900	1692	Mnlfigcc.exe	96
PID 1692 wrote to memory of 2900	1692	Mnlfigcc.exe	96
PID 2900 wrote to memory of 1460	2900	Mjcgohig.exe	97
PID 2900 wrote to memory of 1460	2900	Mjcgohig.exe	97
PID 2900 wrote to memory of 1460	2900	Mjcgohig.exe	97
PID 1460 wrote to memory of 1140	1460	Majopeii.exe	98
PID 1460 wrote to memory of 1140	1460	Majopeii.exe	98
PID 1460 wrote to memory of 1140	1460	Majopeii.exe	98
PID 1140 wrote to memory of 4764	1140	Mgghhlhq.exe	99
PID 1140 wrote to memory of 4764	1140	Mgghhlhq.exe	99
PID 1140 wrote to memory of 4764	1140	Mgghhlhq.exe	99
PID 4764 wrote to memory of 1928	4764	Mnapdf32.exe	100
PID 4764 wrote to memory of 1928	4764	Mnapdf32.exe	100
PID 4764 wrote to memory of 1928	4764	Mnapdf32.exe	100
PID 1928 wrote to memory of 2948	1928	Mdkhapfj.exe	102
PID 1928 wrote to memory of 2948	1928	Mdkhapfj.exe	102
PID 1928 wrote to memory of 2948	1928	Mdkhapfj.exe	102
PID 2948 wrote to memory of 3956	2948	Maohkd32.exe	103
PID 2948 wrote to memory of 3956	2948	Maohkd32.exe	103
PID 2948 wrote to memory of 3956	2948	Maohkd32.exe	103
PID 3956 wrote to memory of 2932	3956	Mkgmcjld.exe	105
PID 3956 wrote to memory of 2932	3956	Mkgmcjld.exe	105
PID 3956 wrote to memory of 2932	3956	Mkgmcjld.exe	105
PID 2932 wrote to memory of 2672	2932	Mnfipekh.exe	106
PID 2932 wrote to memory of 2672	2932	Mnfipekh.exe	106
PID 2932 wrote to memory of 2672	2932	Mnfipekh.exe	106
PID 2672 wrote to memory of 2112	2672	Mdpalp32.exe	107

C:\Users\Admin\AppData\Local\Temp\d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe
"C:\Users\Admin\AppData\Local\Temp\d52ad60ea0cc34799a84dd840bf0d204191042ce698a60a0897bf3923f6e21d7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\Ldmlpbbj.exe
  C:\Windows\system32\Ldmlpbbj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\Lkgdml32.exe
    C:\Windows\system32\Lkgdml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\Ldohebqh.exe
      C:\Windows\system32\Ldohebqh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 404
        33⤵
        Program crash
        
        PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2644 -ip 2644
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
133c6681804b0ae9bbfb18f3d94b8ab3

SHA1
e27de894b98115cbaad3c0212a0724fd0d7fb163

SHA256
e20d67e8307776a4cf92819f0e62d246a85b95e5d717a5365e87a403101c8dd9

SHA512
7bcb0677130525304b2aa6db7efa6b5cab1ebda484e0a83780e3e925b37948e933dec356d2a5caa4b9b8d19ed8d547ff05928d6d29e8301c7b986378d84f1237

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
248d4fc44634a4e8ac6a1fa137c91489

SHA1
592298bdfe1c0328bda87ca10597e18e6b2cf317

SHA256
97e7e5663daab35cd21dc25e5993d868ca9d37a3bac9971d77d7db15dc1439e7

SHA512
739bfb819c4588c4f59a8e27e28223a290a3c917ab80a620586ecc9a5bab1104b1f9e152a39d3999fbf5b534757060f575576996fca5c5b296dbc27b666b0d50

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
b49920e9301e5ac49c540a02d8f50669

SHA1
2b37a5a6be40f3875fbab7ac3141604dcecea470

SHA256
b8ba8fd5b21f592cb167822065461e7993005d95b7032d741cd5dbe5cd01243d

SHA512
ac4f8bd8843da945f97ea2167736bb43791b0f010e369b7f888f2f60d79b4e4ac21e1e3b41d53d103f246fa510ac3c9ba47bcc135c4b36bb96b1e9a1161767a5

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
80KB

MD5
4d65a83e7ff645456d2a8b3230b83380

SHA1
0a5499a9a6df174d61cb8eddf35a2715b36f0f04

SHA256
8c6b8c00117e0640436d16475e6e28fd2f0a274fc04c67c114f7be28d9449cc3

SHA512
4276488af2222f8954c398f3193d4b437fc2cad1af9549fbac3b7118a120283a528f7ada31ecd05212e020491ca8143a140aa3d7d49ed0d31ac327382652a4c1

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
80KB

MD5
61698987078ad34c78a5cd082651b4e6

SHA1
5ac72837d441bbdabd8284474fa03010d239f345

SHA256
03ddeb955114f0a2a409bf2c9fc79bec950a8601577db9ee2a5631afdeb34503

SHA512
0780b01a1cf0bd703406820dcfcd5f1bfb22ac132096946b62826d8701ccc20082720b68894d6e81dd0dd19d234e800ba7755e9563406b99ab12f02e0fb15cb4

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
fe812557f8ee3ab9395a34cdac93c4f7

SHA1
441b886dd6c5c5435e3a4099870eac7899ed5184

SHA256
417e2b8245823523868a5320d3f4999aff943de0fa3e8c7e4955f3001888fbfb

SHA512
63973e0c6872d4f19cad4e80bb1567c7a52104f5ef0b790a1c8ab9f5ef75c2956a6f41e82c64f51e26edf8cde3f03bab1359679c77c211b6fb70e0e0c8d3b9a9

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
80KB

MD5
f9089530396121aa08ff044d64e63a80

SHA1
4e7621fffbd2bc7842f694926d38531561ca52e5

SHA256
beb04f81dd89a7df711023eb85236235e16f592e45bbc662c73ae926d3de4716

SHA512
a38e5d4d220abb118dcbc70eb2d0fd3ac3077dee5112d318fc97bb6dff156587eaf8081d0a61b4c2180428d282f3f99311dcfbc5b8b33b610500953e1701e6bf

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
0475849773bfc274c903497bb9fa69d8

SHA1
5dd2a268a81796be9318d5c4f29e4f977ef80b10

SHA256
c56d1fab47053c1cc17ed831aaed54cb5c81d941646a39f2aebafff7aa59bd74

SHA512
95f4f9614a08fee21ebeece97ac74d29762dc2ced048f20ac248d52a3ad2526f7ff954454497dd44a0bad2ef116ec91d8e9cb0ba01da28f15ce99d27f463d832

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
f14c30586c5e1c9cd5212306734d442e

SHA1
8897492c86fd88fcd506824546175ec52f9f2c1a

SHA256
b6509e614b2b5860536e26dd404b864a9bdaaf7bcc1eaa0b3b5c41be992dc260

SHA512
734ff82c00987c1256f4a5d4da691afc8e6c44f15b7c2273ab7faa03cf691b86589dff195a7add51db560da223afe3cdfae892dbd30ea5ef92ebe27a4c41eff5

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
b91699b8663bf19270b3a1b0815161b3

SHA1
ff6aeb174d3e87d41dd6eef88710556bbc4c8b30

SHA256
5f1aee87492536d5d7308c8aad6ae302f847117dd239a4ef3a017441af6d4813

SHA512
104a4e51078320077c9502ce2822f74d41b20e6960e50238f8e19c2f84d278e1b2ff6ee8aac70cc559fa19cdbd1f79327d4f39abfdfd10b79da25f0fe267a2d4

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
80KB

MD5
5d6507821de1f8f8677b3cd1ccc82dbd

SHA1
05a45024ec1734e2757beec123ed4b9644ec9eb8

SHA256
2b725192f55e9f63ea7fd5f671342817582ac34ec5c77f1c748215adbd3a8abf

SHA512
b8d5be8a160cd7cc1b4c193f0c478a3b52bfdf54e83d197f8cff8f958105e1b5aac29a5c424534d985dcf60a9addc2876f40fc898b1a0e37f011df6acd33fa71

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
c5c7157ff06978404578d37c5d5c87af

SHA1
191ba6aa3895b24b02b7b6e8033f9d2d07954ee1

SHA256
13fa5ce1aab2baba4fb640a39244d3783118468f419729f9dae0474efb547e6c

SHA512
33f9824b1c2e815ff7b46debe56d8e4ca4da3ae4fe06cdc7d43692f2961d924736ca5a369b1071c854f6dfee45b1c4f677f65030592e7de7ed43ab600a122fe6

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
80KB

MD5
a4cf0503bcdfa12817fd28c6cb58d81d

SHA1
06d75c4474248ebceed6483eaaee608b006357fa

SHA256
e6a350acd80efcd533f269890deeb2114c8c089768bfe19ff7ec188a462120c4

SHA512
b0d2ab19e17dfcabbbba53d1fb8177e2e21c27a05b21241bbd0d07157b0ab64ae1921ac86b38f7af672fd36213085bc6873ed4ee8754abd9b8bace75dacec2ee

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
80KB

MD5
60f915d5a9ef4ac5b9180c4f408c5351

SHA1
6903f8e02b328dc38fdc8d745871550e384c1a9b

SHA256
9b7a333e452c7c59f344f8a5b28b6c3590bc23b79a0870e7bd987e6b32ac9ba3

SHA512
6719f750f8d27ab9e4d2f94b4711eefffcadabde687f70f11fcda0b1704a992ab75d424b31ebf802ecb5801d18a2fdfc32b6a3ba21a8668437ca0e32d90cbe7a

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
80KB

MD5
5b2f298d6ff601c2eb7c925309b3fd03

SHA1
3bdd4fde0587c2b213ea911e2e36928efb051582

SHA256
edd7de9a3be52eaf02efdf5f27c1348b61295451dc865d83b995031dbf898b75

SHA512
62521d30022d7c7bb5496c1787d0f6e022e0bcafd617996f49e6aa161db3857d49ad2d344b657159063cc8d57f058fab8d29f43714c4d422412fa46d151ba501

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
80KB

MD5
6f0461fb30402561453a195f65229682

SHA1
2ef809f17ea15228cc36232faa6f775de15c5315

SHA256
962c34bb14e585b59d0a4f64f936d62053877fd38c283e2dedc39e800fb084c1

SHA512
c738757608a2dd9eb4c8dd3096bb9b31c62e0e3e1d6ca98e0a88c89102b531e75fbb6ecc0ef05b0360f8b6f35363404d9781f4e37620088a876b2e3eae94c32a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
7dac8ae9a177b6fac3c5354c71a41d0c

SHA1
31bc2fff5d12b0a8d977d9a855d6af0a3ab9c967

SHA256
a48c6847a75bb6b4134e3313846d1872d79acbe6d3506bd35530da3c7b413dcb

SHA512
5bcde4742b44e826877e44a3278d7586561ad2ae69b02355439f5de2ab9018856da98ab631466d5be3098af85e6891effd31c7619fb6d42ff9adec3df05403e3

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
80KB

MD5
4b8218f390877da544c1d24adaf8cdcf

SHA1
081fa13de557675d25328f59896ebb59180005c9

SHA256
1f4fd7fb19bb30b1195b3e654e52db1903fc94dd3bc8d122566f47991c77a260

SHA512
2657a4e8e3d22f045ee5b905695121286e575e68ddb91b815419a697816065121b536ed84cc989c1632f22589d4740adc16607624088c9a0e9f2fcdc3f667d29

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
80KB

MD5
cee61e34e2a6892905340799fe95bec9

SHA1
5f451bbfeeea38b5a7b1afb3b9c2d05fce7e891b

SHA256
9d56afb4bdb052a27649005ec1e6734fee8d93340f4f0649c6d1856dc9d4c54c

SHA512
e852093c59fe77b6f2840e9baf99e013b80a21d352184c64443c9d28e6d06ecd530a9e327d164de6fb208a7b13414f09befcb7c2a02858621054ce7f75adaf6a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
80KB

MD5
aa4441bf69fb1be4d117b8c30e4438a2

SHA1
b00bab7229b13db3a5b0833128eee6feb633009d

SHA256
fc1bce91aed459df29a6f54fd9b156ea2c46afc026d3184a73175409bb8c50e0

SHA512
7dcdd63b6ce50dd295b886b63db4a23a5777a1b3c6841eb81ddfa4087197cef8d1bb652c5c46cd71b80f4451205c7742c235878238112eec6a451b9ab3dbeee8

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
80KB

MD5
e4036b465a3a7bd1c8085980f488ca3e

SHA1
12035506e0f997551ca1290ddc245619e34a5ff6

SHA256
776a48cf7e9e38520a04a81073c51aaac64149381484e99bf4deb597558884e5

SHA512
30d3da44c95563e26a3ac30e390c64cf0a205e718d8211b9fc44eb05e0f0c6283e45e6227b935961f88f362bf664bcac2daae7c57f0e6111678b5e0fceb6d34b

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
4ba8c39c7bd6885e76ae3f06d89df9f2

SHA1
75fe6f02f298827bbf455cf5280773d39257f29d

SHA256
c071a0a305bedb988614f1918e269b2da7d1f22e125a04a08a8a0e5d0995882c

SHA512
e986db37b20c28b325e0b473515359273ad686897ba713de948fae0298b1a17b9126d7a72433876240eaf23002873bbea7bf90398eed8c993bb3ff188f1c4bff

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
bc792f94572b9af76af76c30246b725f

SHA1
4266f0c3f05e7f940e2047a7a42fd6e66f9b140c

SHA256
97997ef82fbed468c13b9e016e9576e26539f60b7f6c150d8354013605f0803f

SHA512
d316c123019dea4237d5e0dc45e7ac394d967fa7623dc3030c60cadaaa5e419377c195939fb15e23f33218ba053bdf4b0b508376943b873a359050618ff9b292

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
80KB

MD5
2f501454906be8ee68d9693c31523f6e

SHA1
3249c657a4a64c1c10608951bf9afca5f3a69b6b

SHA256
831df275b7798d446c3ca77bd8c3d237ab25f1f9635e539107a2327ceeca3f04

SHA512
340b64458d3e3154e12751e0b8746d7067e23d0577617e3c8e5167e80af8071192fee692751123d6c8e5df6ff171a8e50e7e67264300256d5bc300cc6cef3644

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
80KB

MD5
1953f85fed6142c935a755a734ed7824

SHA1
dd96e936c04f3dc478bf8d5b2d0cf36dd1a90a80

SHA256
8234cc47971f027b0009f019eb9ed4b3e942ad646d9c4bb19af9175a9c3d027c

SHA512
a3b1a748a4221e985009af437b97e860e1445d774b73f9545d44d255363f24977225f21de7c8d51e7a6c73bc805af11dcbbb06a69cd31cd9262740928425e429

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
80KB

MD5
ef7d7e6b8a858740277d9ec1f29997dc

SHA1
f02937c89216bea19ab81d8381f1e146002b431c

SHA256
56c0650aaa6f2d763c9c386a2de243496011b11e191649f4163dba32d6850ae6

SHA512
1753145f98646e2d2eaacd2e021ef72270999f12d87f0816e82a34b6ec1aea16f01624e9c10a2cdab33cb532c7df20fdac6725060afe9ffebc693f586d09427d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
57a7f083e630e62492e0a2a641fdd398

SHA1
199515616f68e4209be9b13399aea978f71c8316

SHA256
5d528bd57acf5193d310f7d7434d49378bb897f9ada45fedc3242a10b166beb8

SHA512
16414d5765e5c3713a855275ae20bd1989ebe0227e1cedab8a4470c3ed46ace282a6b1a17ca566145cf84544c53c880f6bce1c8968387dc21b209fd6bb8ca89f

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
80KB

MD5
ae1e23b5e0130f3b00ed3e49a906ca80

SHA1
4b4b00aaa4edaa1aef84b7d166162b0371538d23

SHA256
a656596cc6ffabdeab00f27a4520a805e26e72465c01071be663dd56237f1dee

SHA512
6e55d1ec1a53b22161bf885ae81da09dd5769defd27eed9e122a9d9c1e19985720ef6dab83c1293710cf3f621c8b32142a9298d8a4bbd261b2f8f68944d90937

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
fbda026c7e9a5ef2ac72c96b5e2e076f

SHA1
770a6a650dbd9004c88907db0207fe82b99929fc

SHA256
cd2b1c45c44c032c0bd145ed1f72906feaeac58ff95eeb0829063ef0e39ab817

SHA512
8c7cbf3ac1197b5ec981fb551e046b2ea6c127adb94d4c589bfcc2e1ee2e1e0859e4cd1ec8b486e8c0af2d9ef57fbefe1ff356cbcb527b67f5d980adcb1353dd

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
3712897d4e5b378accd5b25ab07e0fed

SHA1
b8d465aa4e7255bb04b0faf51f3ac69adc88bc79

SHA256
30046d1b3ef59b258f8e968768d1d1035675ad517c0f828a3e76a08d4ef334b0

SHA512
f36b2acc1f1c20dce2705e216fd78b50c3f9fcd4a1abf0fbbab32e01b795012cbe489ab2726763d9065c0cd2cf7818d64a86e276b2794cdca3b35d85ae55cf8d

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
80KB

MD5
9081ff13c2fe9092d5c3acbe4f30120e

SHA1
bfe8bd344daf2b38965767c39ae0e3c1610950e6

SHA256
57c66fbcf88454e6e76dd4d1f2f7ed7907bd74abb97a6822134f314362ffca00

SHA512
1b2f4bc1ceee5791e3ae496b8851ed9dfde7c305d83d49c6fcee44cddac937ef9faa910587aacf59fecdf8d9afed6fff49a1d91a9a9b5107f4d9b950540c690a

Download Submit
memory/636-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/952-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/952-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4208-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads