b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Size

80KB
MD5

424d613a9ce2a3304d3cdbb5e3419cd4
SHA1

7f4d4576d12938059377194b4aad1f30bd5a7ad5
SHA256

b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041
SHA512

af75f130758aa1d35eee539e219520bf1622fa2feee02158168cd1b50b57e7ab586886c4d64051a24d09ea29ce12418e01e12c7e9a285e9057ab5aca279624dd
SSDEEP

1536:kqYuNK2W5IDtDPPJh4NkfK2LjaIZTJ+7LhkiB0:RvDYNkfXjaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe

Executes dropped EXE 34 IoCs

pid	Process
1376	Kckbqpnj.exe
232	Liekmj32.exe
5072	Lalcng32.exe
1168	Lcmofolg.exe
4012	Liggbi32.exe
4544	Lmccchkn.exe
3568	Lcpllo32.exe
4548	Lijdhiaa.exe
4720	Laalifad.exe
1204	Ldohebqh.exe
1992	Lkiqbl32.exe
752	Lpfijcfl.exe
2564	Ldaeka32.exe
4020	Lklnhlfb.exe
5108	Ljnnch32.exe
5032	Laefdf32.exe
5068	Lddbqa32.exe
2352	Mjqjih32.exe
3488	Mciobn32.exe
4632	Mjcgohig.exe
3028	Mdiklqhm.exe
4856	Mkbchk32.exe
3024	Mdkhapfj.exe
1868	Mncmjfmk.exe
4592	Mdmegp32.exe
2512	Mjjmog32.exe
2448	Mcbahlip.exe
1596	Nnhfee32.exe
1948	Nceonl32.exe
1716	Nnjbke32.exe
4968	Nnmopdep.exe
3520	Nkqpjidj.exe
4292	Ndidbn32.exe
3452	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	3452	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1376	3412	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe	80
PID 3412 wrote to memory of 1376	3412	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe	80
PID 3412 wrote to memory of 1376	3412	b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe	80
PID 1376 wrote to memory of 232	1376	Kckbqpnj.exe	81
PID 1376 wrote to memory of 232	1376	Kckbqpnj.exe	81
PID 1376 wrote to memory of 232	1376	Kckbqpnj.exe	81
PID 232 wrote to memory of 5072	232	Liekmj32.exe	82
PID 232 wrote to memory of 5072	232	Liekmj32.exe	82
PID 232 wrote to memory of 5072	232	Liekmj32.exe	82
PID 5072 wrote to memory of 1168	5072	Lalcng32.exe	83
PID 5072 wrote to memory of 1168	5072	Lalcng32.exe	83
PID 5072 wrote to memory of 1168	5072	Lalcng32.exe	83
PID 1168 wrote to memory of 4012	1168	Lcmofolg.exe	84
PID 1168 wrote to memory of 4012	1168	Lcmofolg.exe	84
PID 1168 wrote to memory of 4012	1168	Lcmofolg.exe	84
PID 4012 wrote to memory of 4544	4012	Liggbi32.exe	85
PID 4012 wrote to memory of 4544	4012	Liggbi32.exe	85
PID 4012 wrote to memory of 4544	4012	Liggbi32.exe	85
PID 4544 wrote to memory of 3568	4544	Lmccchkn.exe	86
PID 4544 wrote to memory of 3568	4544	Lmccchkn.exe	86
PID 4544 wrote to memory of 3568	4544	Lmccchkn.exe	86
PID 3568 wrote to memory of 4548	3568	Lcpllo32.exe	87
PID 3568 wrote to memory of 4548	3568	Lcpllo32.exe	87
PID 3568 wrote to memory of 4548	3568	Lcpllo32.exe	87
PID 4548 wrote to memory of 4720	4548	Lijdhiaa.exe	88
PID 4548 wrote to memory of 4720	4548	Lijdhiaa.exe	88
PID 4548 wrote to memory of 4720	4548	Lijdhiaa.exe	88
PID 4720 wrote to memory of 1204	4720	Laalifad.exe	89
PID 4720 wrote to memory of 1204	4720	Laalifad.exe	89
PID 4720 wrote to memory of 1204	4720	Laalifad.exe	89
PID 1204 wrote to memory of 1992	1204	Ldohebqh.exe	90
PID 1204 wrote to memory of 1992	1204	Ldohebqh.exe	90
PID 1204 wrote to memory of 1992	1204	Ldohebqh.exe	90
PID 1992 wrote to memory of 752	1992	Lkiqbl32.exe	91
PID 1992 wrote to memory of 752	1992	Lkiqbl32.exe	91
PID 1992 wrote to memory of 752	1992	Lkiqbl32.exe	91
PID 752 wrote to memory of 2564	752	Lpfijcfl.exe	92
PID 752 wrote to memory of 2564	752	Lpfijcfl.exe	92
PID 752 wrote to memory of 2564	752	Lpfijcfl.exe	92
PID 2564 wrote to memory of 4020	2564	Ldaeka32.exe	93
PID 2564 wrote to memory of 4020	2564	Ldaeka32.exe	93
PID 2564 wrote to memory of 4020	2564	Ldaeka32.exe	93
PID 4020 wrote to memory of 5108	4020	Lklnhlfb.exe	94
PID 4020 wrote to memory of 5108	4020	Lklnhlfb.exe	94
PID 4020 wrote to memory of 5108	4020	Lklnhlfb.exe	94
PID 5108 wrote to memory of 5032	5108	Ljnnch32.exe	95
PID 5108 wrote to memory of 5032	5108	Ljnnch32.exe	95
PID 5108 wrote to memory of 5032	5108	Ljnnch32.exe	95
PID 5032 wrote to memory of 5068	5032	Laefdf32.exe	96
PID 5032 wrote to memory of 5068	5032	Laefdf32.exe	96
PID 5032 wrote to memory of 5068	5032	Laefdf32.exe	96
PID 5068 wrote to memory of 2352	5068	Lddbqa32.exe	97
PID 5068 wrote to memory of 2352	5068	Lddbqa32.exe	97
PID 5068 wrote to memory of 2352	5068	Lddbqa32.exe	97
PID 2352 wrote to memory of 3488	2352	Mjqjih32.exe	98
PID 2352 wrote to memory of 3488	2352	Mjqjih32.exe	98
PID 2352 wrote to memory of 3488	2352	Mjqjih32.exe	98
PID 3488 wrote to memory of 4632	3488	Mciobn32.exe	99
PID 3488 wrote to memory of 4632	3488	Mciobn32.exe	99
PID 3488 wrote to memory of 4632	3488	Mciobn32.exe	99
PID 4632 wrote to memory of 3028	4632	Mjcgohig.exe	100
PID 4632 wrote to memory of 3028	4632	Mjcgohig.exe	100
PID 4632 wrote to memory of 3028	4632	Mjcgohig.exe	100
PID 3028 wrote to memory of 4856	3028	Mdiklqhm.exe	101

C:\Users\Admin\AppData\Local\Temp\b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe
"C:\Users\Admin\AppData\Local\Temp\b77e39099e06269cd492a46164884e5b8b83c9e18e606a1f171415702b7a5041.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\Kckbqpnj.exe
  C:\Windows\system32\Kckbqpnj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\Liekmj32.exe
    C:\Windows\system32\Liekmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\Lalcng32.exe
      C:\Windows\system32\Lalcng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 400
        36⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3452 -ip 3452
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
496b6f63d9070c9b962c0aecc68d9655

SHA1
6ab8d116fd3f292b78a78da982fa15b7cbde53e4

SHA256
e051e468186a7d8102215c4acee5754ff0a5acfce8061ce735c7e0f41496bb93

SHA512
d15ab858dfd4aa2ef188d5c9165aec28a75bca863e11845c1fd30f3490431c087dd85ae8b643ee45b867fed397631b2f9d43af1ce6bee29dbae2f20d72377878

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
f62bd1b74ab2d1db1ecf917a9fb732c7

SHA1
eebf6e1bdb1cfa488f1ea795a0c1bd47213e87f9

SHA256
b98c524084105c1208061b8dbfc7f991e68daacac10d7a49381dcaf7e537b72d

SHA512
ee2b2d4655b862c138a830abe0f54619f3a9a3bc91ab376078f048d118a0e9d4943bedff6d5edf9f5a14ba90e2728a4b7d25fb8e55c5e7dd6c8dbe1557466151

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
bb03520b39775aa6a5578094d4088bcd

SHA1
a191b3755cae2d5decb8b3f39fe1b3d5f6cf7602

SHA256
58be54166271940d8a35ef4073acc1d1563428a27edf01ced737f13b4016bb61

SHA512
1eb4523a667f27b2b4107954b34b64172b5abbec157128b98556cc7874327e3f1709b0a47ded0846167a31c374ff56900efa8d75ab961f48fad515e3452451df

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
80KB

MD5
c6b1e13dba24f6874e2fadf64fc83521

SHA1
10e632ff9d05f5bd36eb630c0b40143e0c68e965

SHA256
d2ceafe09a6a68a930ef7f4bcee1a1d83af0bd60652004f1a67572e733eec54d

SHA512
13e5015515a77448af17d90967f2c17e36e46f09b4f14f46938d83f093aa7387f92e8dffe8ac5a2f4cd23aa5cbbd6f50a7aacec6ad5ae5aa0ca62b7e58e803f7

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
c3ed92c4d2fe15e65a8e4f178de2632a

SHA1
6ec8c613b529b59db5c077f94d93ce29a80a7b4f

SHA256
aa3eb5b148e9175c0aa23fd600bab8b7488f7c7e44e2e3d30168f27b21fc8a00

SHA512
ccd028b199d1bf3e19f2ad3acd07af5daebad7a894d11b5acccf3b620a176fd2f5a166a060c3f39374f17141da0a7f449221333ce6824f0a5ac7c161884905b1

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
18102d2f6c643c523bafaa5740e9f805

SHA1
7a9d552542af62c0bd381307ac19ae2f0c263a42

SHA256
2ee18f36b97f51ed93c3fe1982704920f9d2f3d507fe837204a35ba9fb5bc11e

SHA512
6bc4c22b8d41a2b63908fc95c36842b9534f6bb820b5bf54fe3d6bb068835c6d6fe945ecb68f3fb47b723b1808fb273459515fb4b34d1d6fe9b6ae039f939abc

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
80KB

MD5
3feb73fbf6cb674ce025d516ef62ebb9

SHA1
49cfb9fe128f7fa713a6613b97a45c5f8a81ec5c

SHA256
818fbab1858e4440b55574a756594442bf45f9652015800912ab999f0bdff347

SHA512
c79ceb4c4a0675bce32bfaa1802ab4a3cd705eca03ac9b4ed6b384cec75ddead3050cf15a6457b48f824d1472d281072ea22f07c11b06831189942efc38ccdb7

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
7edf94f14a4590a528b6dce7538901aa

SHA1
b151c533d4fd86b03b8fc790e2f1365d039ee987

SHA256
8c85e6fe8ec3258e6b59f29df53385e2cd0cf4eb341809a06b2c968d2357a754

SHA512
c6642fa0d3cc180009a33715042b90faaf7e8fc7ed21caa34e0647e4ded67f38bd6371db6408ecbf2cb9649516f1f54c50417d1e481a4191679c78045cb46295

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
78119abc22b786be99d71cf033cf0805

SHA1
3ce30c24abe5843d3a19ce914acf4009e17a104e

SHA256
669f15a3fb2a8011ecfca1cdcda5f051ee03741d901cdf9ed5a054d64d56d4a7

SHA512
76ab045c91dcbb5d7ecf7434a2edac089fd69f14f764ff14990e2f7836f9c68c8853afbf24055cd51578a57b0a95f2be8771e1fc8dc21ada6c2f230cdcdd44fd

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
01e97a07191fb4d984c799ffc18334a0

SHA1
039c9821802a9afd3fe301ea382744a39445eb51

SHA256
387ffc0668c56a395df4a692633d9026f35337fdf08ea7d7c414f0a4cbc0dbf0

SHA512
4e5a732f5870e34d27363b3f8f1241c49e78ad6b15b67a354412da5c65794e514a60c79146c91264b68b8ee68e013302ebabeaee5b3f6e8e965e520916d4a300

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
80KB

MD5
c4cfbb5fd3b3a2b3917ae1ec6f4b59c7

SHA1
4fb3287d015f4427f1f8787557317bc1a7b9e97d

SHA256
f517daacbc5822622c2dec8fc435132a63b8cfb28366c070d8c24ac0000589ce

SHA512
415a3604e108a37116e5ba3178b00d88f38f0d946b57c4f71fbcaf3bcc00ca1bb8c50d550e907de5b9875e9b70b58758a9adac330e3c9419527cf5158fde7dc7

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
6dfbc2ea6ab29f926b39cf2b57e2b68e

SHA1
6ff59ad4b1a595b0c97f95b01d9a48305583c30c

SHA256
813b3bb8e5e190221200c80f78b45326b9ca87cce18f27c3a14e8df97f1eb0da

SHA512
2155b05c67e7346c5f89fc851176db33f109bf6e38448419455ad46b52990cf3ee1f3553324dc569c28267000211670f6d9abe2e6ec959a79be56f7280033943

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
80KB

MD5
df04f629f7b09bee21df48d41341601b

SHA1
8f65b3c2e279017391a8810be77b1b136fbeaf89

SHA256
56b5816f10bbf21aee569cab2e72e54014d4882a2fd125202e53700e7ab7c0f7

SHA512
389e29b1a928cf6faa30a2a0db71d590a9132c36b4fb0847e6bdc94a8f007e7859c6c9251ea3a3db30558aa38bd888d0f88f937af4dc082c37b662aba4ca5343

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
ea30963a4a63275dc181b00653c3a845

SHA1
928b506277ebb8e3d9558ca0c2e1b05b42dca8b9

SHA256
131f87b5c2b81ab01ff452180b7c06dae119872f1f01e357bcc309be5f548492

SHA512
dc6e2aba6b5cdbedb4f208c9f35636fc05498c685ee2d65df83240dd5f0033d3d82821170b4c0677d587b07f097396c008ab6362800b4716a451992ec8b06d47

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
80KB

MD5
8dc71f73c7de934543ad73f6d6ad3372

SHA1
3195bfdf634ad875a94b20a4cb06fe6b14455caf

SHA256
4ea5be45f2789273fb8ff53810d1cf45dc5be81e3099e250a3b4f5fb857804f8

SHA512
0909969741ad2dbfb40a8393d6bfd9b0ea92399f7fafcd3c1ef25b4e5d120cd4e86f8a00d951cb33f07f07c611d4fe35e025ffd0362393fdbe0db9cf1d76cd24

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
846a9eaa58e75d70453be3c61fc42ab3

SHA1
430c65e099b9557c75757807ad105d98633d003b

SHA256
016534df800d5d5161ca0751faddbce4243673110fb8bc97a99b77165031319e

SHA512
ad2d5241fcee7ab3693152eb52c7a2af6d77c911540723a615a3d74d921bc4effc40c98b406782c2d761b72ab9ed1bc33f4277fd53e209d295e20c94ae6b8b15

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
24a34bb73d97a3014c2505dffbcf79bf

SHA1
4fcd8fecff29be491b04601ecca34746a6a74611

SHA256
d254a1f5df608af258a0fe926c4fffc2639cb951235a18db6a22b62d8115ffb8

SHA512
af01707d962806d99865d6fa799d80ff8c038473bff01b67aef4db2e04b55725156ecea61cf908b8634880a40e61908d71c26d766d87cae3973b5d8c95c6d829

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
1b4ee8175a14d9513e4df6bf5affecb5

SHA1
1ea1bafd7d852bc2f46ee89f3c09efa05e10a001

SHA256
5e78ef1b7b6989bb9a037e9d9cb16cf546ed8d2d1f9d918841baacc51fe914cf

SHA512
66c6f22405e108654344f8824c80b3e16d5adf05645371bafaefc7a313684fb2d5c6402f368ebd3d04c39e2a8edb0821531dfdff3f88064c66a0fd71338d6f48

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
80KB

MD5
1102289ddc6e2f3fb1502908ef2cd4e2

SHA1
6c43024cfb1321fa519e5e539ce001af61a486bc

SHA256
9bebbf3c2867525dc648d5431d018375d73bd7d73d10b917e02c63dd2e55ba16

SHA512
62a6671e5d79090e9c394911efd98ce1a78f3b2bb02fcf915a70a1a7d27a0acf48144dd4fc2d19d2f263c46abf411f41905d8a02f1c22110dece6f55e893606a

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
ee13dcc9867e5b97c705f13e7c41aba1

SHA1
d72f98b8034c0cf9b2b1a65da216aae5ef3f5065

SHA256
d711ad3a1ddd867fffde01ae94a7b5faec95c8a661c0014784952fd1b2a371f5

SHA512
636f3259ee3ae74c7abeb3c57799afb6fb7f31197963e63391fa1397e1e6b0b00e972a0f82fb7036ac62dded5dea0f85b9b69e1185f88c0461dee736c079b294

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
80KB

MD5
afbcd2793a39471d124d589161680793

SHA1
cb52b7a10eb7ab7979a471457c4d838155c0f888

SHA256
e46a1d027d026697420381c3d4ae28d32a676772213027daf629fb0f46148a91

SHA512
0cbcc3b01dcd4e04fba1c5a91d4c7613b6a6e5cad77fdefafebd5cb50f5aa6ba6ef18a5ded7e99f5ab3f7b172bc781e5ebfebe34f7ddff89785200383d8a514f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
80KB

MD5
6127b44fb685895d80cb129925bb167e

SHA1
323af117ef846ad950bce61d3ff0a5e8b49d6d15

SHA256
030e863b5751c596fb5ce2712d4894478e10fc85749eade43e63879d15edbbce

SHA512
738fa0185306489bf39dd7717586d7b6f518fe9e039a32fcb88a7bd8c014a9b71ab0ba28bf0b20007bacdcf305de7018720065c70617db803aed6f7ad4885994

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
80KB

MD5
ff5b2e269bb8a59d901bec36b25f3893

SHA1
f419227a26e67cb5d848a0ed84f24d3a0d3aadf6

SHA256
9efd6cfd1ac76aa90b210d2f8ac37ecbd240df02f00aa7dae0cc14959bd37e67

SHA512
2101da1e9718ad5cc85cab0612f9623156d748256c3c8b13740ca1310905920f853deaefe7b6a5d2370b3a0cdff1310dbfb5de286c347a90d4291f6cf022356c

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
80KB

MD5
6b918e555d610f69c9c010767c77ade2

SHA1
a0e6b66609d69b10bed7361940f39c4e1e4b9dbb

SHA256
858c0ec363457702ea5a36aa4cf441d5b8b40e0904a5dfbe02c9834eb45b61c8

SHA512
8ca2ae86d5a1c8ff913c7a0cb8b0fefe81787c895e93f59a535b241a4fb7666310037e5aba1a549ed07966a7eccb67776ae5990da320ed70b3b4a85c2a5ea397

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
4f92d2a904c2bf98b8d7ae53020fcb1c

SHA1
b2181f11442407fd5c7ff2d9fce239312506ec06

SHA256
fad83a0fcfe1224573a3bbf0b6da76e09871a586bdf6f11c65654d92c97e980a

SHA512
438ac22cddaa6fa9546dd065644875b3abc871f1dffeb71c1da29abac09f3777f775104e7d4930e23097712642bc135cbe8e1154c4e8bc83fbb9f6d16350108d

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
6fb684b0b569d80b2919c8064a1585b0

SHA1
48729b78fe837269f9be7b9ed5e20bf0d23d934e

SHA256
d860825dc67e751521535a132d08f40f152f4c274317acdd013538e59547bc90

SHA512
570a3a30ef1a78e2d603e44df94ae66d4f634103ba85ba94233346610c1ee742ff54fa620097438c9d4d0b145337892674ee06dbefef070b9236882955c51ba7

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
80KB

MD5
4f34cbb026db1fb4bf6616927b4562d4

SHA1
ea82d538b5140d3378a24254b9f6823cde256ccc

SHA256
d15dabc4186da378724459d1445809d2344054a444f76bd5c403f58935bee8b3

SHA512
655934ee90931cc6746693a6d163b17e53a605da739743052d703a3c92a0a1fae3f314577de7cf4a1e96d0425e7ee64559dc13727a3942c2cdec2c5e10a664d7

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
80KB

MD5
792553dbc377cdc1e2f94adc154dc308

SHA1
af922bb7050f48158aed6b7ce944d66f3e0cdfb9

SHA256
c2bb4e3199ad9ec14b9b0c6fcd7d0c1f854fdb246cce6477e6bda22be479e05e

SHA512
43923f6b6e2e307284361f74bb273eca3336897be5e115f9e8e682a67b4b07b90a5f5575eef76616fe830088368a8029b625ec3afff8913447751bbe57894c69

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
80KB

MD5
e00162ec51122108ce575d82488e83f6

SHA1
5d801b89959a3302c2b0f55055190b7b40e6abdc

SHA256
62dbea004cf741f76295e87fe7425f317d97be538c54c04f02c036e05a504f07

SHA512
fde7f4f686478904979441d6755b48c0eb916384b6c1932ecf1b44182e9d54689174d4656ca51e14f491b47ea7847b518faed903d1d8483958609299ce4803d5

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
258dd8ba8b8d1337e76a99d7f935fddf

SHA1
bca2c4c7dba8f2daed7560fb9deec66e239122cb

SHA256
ffe4adf2cb4b7b2c6156eb795d85343a6d4d9ba13094a28c1dfa5bc7b53e3cd4

SHA512
f2497fbce56f4cab33a50d652fa1eecbc82e5c4fd150380638b7a653e6e23a2f9523f88739bf160087a670e0a9cfa3ad096f6feec9da563e105abc385dd0cf03

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
cef0d7923f488d0296f504f62be2c00c

SHA1
d5480a73ed1458f9a94bdb535f665119bb8a9e02

SHA256
f5f3d80c5964bdbaebb3d58f0726d8607ff079ad4a042bf531f1ebd3045cc3b9

SHA512
edf62d5937dc8ad8acc495b33dfc1f8ec313cdd352c1be4922fca198109b47cdecafebe4b11c6b25b4d92f2ec7609dabbe4717b8f8cfb5b54f141ff8fcb8b401

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
80KB

MD5
a40c7be6dfaf5d508ce73d49f45dfec6

SHA1
d849e18f4f98920822a53856634b7e568e17beba

SHA256
9d6c0a12342ffac1524ccb4354b0ea7bb8e5cad4df35be149cb05515769cb154

SHA512
cc019493307783ec267491121f4908037e538d272cc667bf35eda48364f2b9a1a89a0b68de3b2fc1b577b23f9bc79d93c5422c271ad863394f6ed50689dc8e0b

Download Submit
memory/232-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/232-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/752-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/752-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1868-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1868-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3412-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4856-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4856-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5032-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5032-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads