31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7

Analysis

max time kernel
133s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Size

99KB
MD5

cc642eb7da3298da1f3c7a1c2b0ce114
SHA1

37bd3ea430b36a5b1b9b7ffe47301274ffdada65
SHA256

31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7
SHA512

a50885ef04651bc8a2be2d56ededcab6bfbb266db83a68e2f206c1332ea5492bf8eb065c1b6f8393e9294e57221c4f092601ae24b92d58203d943bdfb1d5e491
SSDEEP

3072:Lj5nBcUGAHWHA/RZw8TAAn9208eyQpwoTRBmDRGGurhUI:LdnBcU7/rRn9203am7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe

Executes dropped EXE 31 IoCs

pid	Process
3176	Liekmj32.exe
3104	Ldkojb32.exe
2736	Lgikfn32.exe
3144	Liggbi32.exe
4980	Laopdgcg.exe
1632	Lnepih32.exe
2256	Laalifad.exe
508	Lcbiao32.exe
1848	Lilanioo.exe
1364	Lpfijcfl.exe
972	Lcdegnep.exe
4556	Lnjjdgee.exe
4604	Lphfpbdi.exe
1468	Lcgblncm.exe
652	Lgbnmm32.exe
5080	Mjqjih32.exe
4428	Mahbje32.exe
1208	Mpkbebbf.exe
536	Mamleegg.exe
1672	Mkepnjng.exe
2168	Mglack32.exe
3776	Maaepd32.exe
676	Njljefql.exe
568	Nqfbaq32.exe
400	Nafokcol.exe
100	Ncgkcl32.exe
3100	Njacpf32.exe
2640	Nbhkac32.exe
4216	Ncihikcg.exe
4432	Njcpee32.exe
4488	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	4488	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3176	3488	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe	83
PID 3488 wrote to memory of 3176	3488	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe	83
PID 3488 wrote to memory of 3176	3488	31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe	83
PID 3176 wrote to memory of 3104	3176	Liekmj32.exe	84
PID 3176 wrote to memory of 3104	3176	Liekmj32.exe	84
PID 3176 wrote to memory of 3104	3176	Liekmj32.exe	84
PID 3104 wrote to memory of 2736	3104	Ldkojb32.exe	85
PID 3104 wrote to memory of 2736	3104	Ldkojb32.exe	85
PID 3104 wrote to memory of 2736	3104	Ldkojb32.exe	85
PID 2736 wrote to memory of 3144	2736	Lgikfn32.exe	86
PID 2736 wrote to memory of 3144	2736	Lgikfn32.exe	86
PID 2736 wrote to memory of 3144	2736	Lgikfn32.exe	86
PID 3144 wrote to memory of 4980	3144	Liggbi32.exe	87
PID 3144 wrote to memory of 4980	3144	Liggbi32.exe	87
PID 3144 wrote to memory of 4980	3144	Liggbi32.exe	87
PID 4980 wrote to memory of 1632	4980	Laopdgcg.exe	88
PID 4980 wrote to memory of 1632	4980	Laopdgcg.exe	88
PID 4980 wrote to memory of 1632	4980	Laopdgcg.exe	88
PID 1632 wrote to memory of 2256	1632	Lnepih32.exe	89
PID 1632 wrote to memory of 2256	1632	Lnepih32.exe	89
PID 1632 wrote to memory of 2256	1632	Lnepih32.exe	89
PID 2256 wrote to memory of 508	2256	Laalifad.exe	90
PID 2256 wrote to memory of 508	2256	Laalifad.exe	90
PID 2256 wrote to memory of 508	2256	Laalifad.exe	90
PID 508 wrote to memory of 1848	508	Lcbiao32.exe	91
PID 508 wrote to memory of 1848	508	Lcbiao32.exe	91
PID 508 wrote to memory of 1848	508	Lcbiao32.exe	91
PID 1848 wrote to memory of 1364	1848	Lilanioo.exe	92
PID 1848 wrote to memory of 1364	1848	Lilanioo.exe	92
PID 1848 wrote to memory of 1364	1848	Lilanioo.exe	92
PID 1364 wrote to memory of 972	1364	Lpfijcfl.exe	93
PID 1364 wrote to memory of 972	1364	Lpfijcfl.exe	93
PID 1364 wrote to memory of 972	1364	Lpfijcfl.exe	93
PID 972 wrote to memory of 4556	972	Lcdegnep.exe	95
PID 972 wrote to memory of 4556	972	Lcdegnep.exe	95
PID 972 wrote to memory of 4556	972	Lcdegnep.exe	95
PID 4556 wrote to memory of 4604	4556	Lnjjdgee.exe	96
PID 4556 wrote to memory of 4604	4556	Lnjjdgee.exe	96
PID 4556 wrote to memory of 4604	4556	Lnjjdgee.exe	96
PID 4604 wrote to memory of 1468	4604	Lphfpbdi.exe	97
PID 4604 wrote to memory of 1468	4604	Lphfpbdi.exe	97
PID 4604 wrote to memory of 1468	4604	Lphfpbdi.exe	97
PID 1468 wrote to memory of 652	1468	Lcgblncm.exe	98
PID 1468 wrote to memory of 652	1468	Lcgblncm.exe	98
PID 1468 wrote to memory of 652	1468	Lcgblncm.exe	98
PID 652 wrote to memory of 5080	652	Lgbnmm32.exe	99
PID 652 wrote to memory of 5080	652	Lgbnmm32.exe	99
PID 652 wrote to memory of 5080	652	Lgbnmm32.exe	99
PID 5080 wrote to memory of 4428	5080	Mjqjih32.exe	100
PID 5080 wrote to memory of 4428	5080	Mjqjih32.exe	100
PID 5080 wrote to memory of 4428	5080	Mjqjih32.exe	100
PID 4428 wrote to memory of 1208	4428	Mahbje32.exe	102
PID 4428 wrote to memory of 1208	4428	Mahbje32.exe	102
PID 4428 wrote to memory of 1208	4428	Mahbje32.exe	102
PID 1208 wrote to memory of 536	1208	Mpkbebbf.exe	103
PID 1208 wrote to memory of 536	1208	Mpkbebbf.exe	103
PID 1208 wrote to memory of 536	1208	Mpkbebbf.exe	103
PID 536 wrote to memory of 1672	536	Mamleegg.exe	104
PID 536 wrote to memory of 1672	536	Mamleegg.exe	104
PID 536 wrote to memory of 1672	536	Mamleegg.exe	104
PID 1672 wrote to memory of 2168	1672	Mkepnjng.exe	105
PID 1672 wrote to memory of 2168	1672	Mkepnjng.exe	105
PID 1672 wrote to memory of 2168	1672	Mkepnjng.exe	105
PID 2168 wrote to memory of 3776	2168	Mglack32.exe	106

C:\Users\Admin\AppData\Local\Temp\31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe
"C:\Users\Admin\AppData\Local\Temp\31ad92186a3401ddd603ef39b6cce1c48b2021d7c3fcf40883c6a47538c536e7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 416
        33⤵
        Program crash
        
        PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
99KB

MD5
51e72bdf569509c0556ccdd51c05e50b

SHA1
3ec7c23e320b93478900641f2ae47ca65b8b5b07

SHA256
cc395c4f68551e4df19870a5c06f28b277ae794ad5933b540e0761c46b5c9082

SHA512
a81e72c907f2712461db55d93100f5a863c97be7346d05c1c8cc11ed60481bce11f35abcd0c1e35613c97b43071f21406efbcf3a31361f48177580fdf44e295f

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
99KB

MD5
f3f9533a4f6072f109286d3ed6bd8ace

SHA1
2cc7b3d61669838a6ebcda8fae29f2d2d367f30f

SHA256
9b7b8e0ced72a02e123dbc56d5dd58fc7a5c1e69da737220490222452a3d2b5f

SHA512
193eb536b255b269e484b28f65d8dbc326b36a21a0bb4141e9b2a0225072f70ebd0d884434abbab5b25998a939b2e5c0f7259d2d03bbf234cbbd23ccebca081d

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
99KB

MD5
d217cfa1476de17f7f2033f2f5c48a36

SHA1
8fd75dcf86192c03aacce7ded67f5e53fc87b567

SHA256
f1cb9459abbde386d9a76bfaaa2139256615940132ee4ad4b5d80b4389e97b6d

SHA512
f546ea9861624576435524c42a3a417dd4356982c6097f0093c1888f536537eea556b7333c5a5c6a27b399ba3aafba74bfa17c900138feac63f64f90def7e8e1

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
99KB

MD5
e99313ff99c56ac9b766ebf29ad096d1

SHA1
03c9c36b28b248b578c66f163481b452ea494145

SHA256
6319e06d9a4fe70cb9b5c015cb250a609b2356cf82c73c8ee1804910a65bcafb

SHA512
12c403649e8121cbe960ada1e7cc59dfa7f1fd163c21b1711bb122937e8fedbe0bcef20c32480a51416dc587957ec477702e271e2e0ec21f2e12cf6f0f213de2

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
99KB

MD5
16d7e1f61a7424a9f42f9a399fb0063c

SHA1
4c853443a10dbc81cacf5bd2ab7f539b8165bd21

SHA256
4f7f6e37000ddae9f87c70a5f7c396233d34645889a4d94f74ee05ae644e9ee1

SHA512
fb79e763e07ef2ba646f5901a4b0910f0bf0c758a0d2a46f8076aaa765cbd520f885abd80c68a34159addbce3450102f18efa6aef97ea5f60bf97884fba732c8

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
99KB

MD5
fa6e3d1b4134d3cc805a0789762c5cfb

SHA1
96ab0b8dc3f0e48f1acc9ca0532d903ec76042e5

SHA256
7b4b616fc99bf15a4dba392e2bd4e74909064ea1e609130dcfe2eb96d30cbe3c

SHA512
319b077d79e1201ff8203f8fec51fe246f0e211bcdc8628b8cf5541bb9777908cdc822a9ecd3a5a44df143cf0caaac5149b3768d5c58e98b85fc3fdeeac20a90

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
99KB

MD5
59604749ca150db3713316ed88c06b30

SHA1
f1b162881cbca4c6054f0d3b182acd930a5baf2d

SHA256
266e9aeaff024f45589473a2d93b52597be71c9199cfc6ff298b6ecce0ffb8c2

SHA512
368b83c123bd3f6b7dec0ccb767cc29c1762c4f99f805a587b14b4757d4962f63d6f6158a95b861a271d7f7b52a0863fcd4db11ee07677621dfd1baf7df44900

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
99KB

MD5
9ddb39200cdb6d5492517cdc16650966

SHA1
919e12892c1d349ee339ebf28fcb4bf4fb8f3efe

SHA256
cfe35979f570480726ae228840dfd0ab464141f181ae363b405c5401c1d09ef0

SHA512
7e5b5b0518bc2c0d027f417266731536d10bd55743a509a49f217bacb5cd442b6a0fbad80c22b606b66716a42bd57c0296c8eb1c391d41d7a17f7d142cd59e53

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
99KB

MD5
19b1088f2908bbf10ddcccff97126142

SHA1
72c386cfcdcdd81a79633f7b6b05d74245d3c439

SHA256
1513e59ed417526bb355f4a145d12665e82e1b03f1d8190154f9fe27a260b569

SHA512
bc7f7fe55c519a068c20965a9d6f0a4884c3d4189abb4af1ca6a3e3c8253e4598c6e902df8fe0f0c6c0eac73ac8144e7725c47f419ec43d7c6afec74f844d663

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
99KB

MD5
5e4bfd7bfb5b58b7bb9b06094a5d422a

SHA1
bd3ba682167579eeef5b1f9e55eeb20207a36cf8

SHA256
b1edfb6790cc8c445297bf1c785a0512487786447d804e7f1515ed3a708fecc2

SHA512
80174c46d6d7686fdd05759083c8adba2b6294b75b4adabd1e79506be545b537742315a07f915f6b8647955b9c47672902f89a8606f07eda05878092ea288549

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
99KB

MD5
a2f2ee2f86b6b22dcc950488e18c534e

SHA1
d8a60d878260122ea0dea5d04b0d0a48c4215852

SHA256
9116c28cf03ace96c5bcb5b743b1fc6903127fa925f1c39e5159b08b91482512

SHA512
796ac00c0a835159f20cd7f03614cf30fa44b336dcb120ed6430f49c7f8bae597687970b7958a627b60cd065231b2168231865fd0537bbd2f40dad863beec4a1

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
99KB

MD5
e7ffd13952ab2af472b3b44dcc1851b1

SHA1
5b58f773ba2475c706ef520e361b7b69329a703e

SHA256
5f033823c87e50d2310479e49dd504bbc232052b8dd92d11d47de841f90616c1

SHA512
302340a52b7f56dc2764b57a050a73ec7f76e01de985284e5c66129cea4a0e64ffcbaba9bdb17c4b8e28d4c256bce80d1fac17d6ba31b897020016de8accb8c3

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
99KB

MD5
11abddcbda2570e1334f46459a564d50

SHA1
6937c440150301eca564d3eb2cec12e5b91dece8

SHA256
733559ab188467ade11fbfc11521a5a84ba58f6afd72b6938f455e1bcc7b91e4

SHA512
7168c50311ca8fdea3218a1d0b2ce39561d352df4d951ff6f1f47808a81e2c241e495052478711d4099b743526311afb60681e460d486012614402f8c9759237

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
99KB

MD5
da3668e548809404a5aa8c0b24215040

SHA1
ec5bd04726b138f99fc9c1cdba93754bdc5a4694

SHA256
c8e6579ab1e069659c92c29e7c4b4cbdb729b1fe2c9892e4e7b58629b3387ef3

SHA512
7d3cbccdb02cf7b953f0ab97cc7eedcfd9cea305d4673a69513d07f031cb7bb6c82e8d674db70d202c4128cefb0ab5c38adda10ca84d5457a1df727a57092f97

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
99KB

MD5
33707d4a928a78359ea1e7dbc8f4225d

SHA1
55454d3875f598d6d3eecb78c9fa714bf5908be9

SHA256
73b69ce4165cdb87ebb7a88dc61114fe4ce37a26807c7236cf18c53aa377a940

SHA512
4c3749a9ae5ab3da091bd5031141d6a36930559b82964900b10620fe9b6b679f402f0e78ae17e5a36b44109b9423ff8008eb56152592d07e749bca77565aca9e

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
99KB

MD5
32d8616e5cafe6f0bda213b86d48134e

SHA1
af445492d77cf55240d0401b6dba273e23a76e8e

SHA256
312137a59038d6f4a96dd52b8017e2bc240dd135b7f43388968acadb83115268

SHA512
05af60f9c34d0cd3a03647c3e7a117aeeef41564f9ffab41c50441e132b04359deb6cc43149834ff3b01284d9aa786b24af3160b18fbaa9ee8f33f7773a5d7d3

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
99KB

MD5
e3f2b637e24188456cff7d7078da273f

SHA1
06d9966d75f3a1637fd49626c28e58e2f950fb20

SHA256
10d6be1df58e33378e2897240755e0724ca065d2bcdaa7c09eb9008143933d98

SHA512
b80417de619ea018f1b5208dcb99bba7adb5d923bd2ccf8d880a1c9eeaff104ca1805d6928d9ce58bbd6bef8db81091bf3ddacc0ddaf6d29bd426fb5f1e068b9

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
99KB

MD5
697ea785dfb6dd555059b297f9444b48

SHA1
86894064885a6b676326b5b8d829e8632dfaa262

SHA256
9753bfb61727c108410d510872f24ee301176e650fbcf4513688b9599322437e

SHA512
a3dbd8f677211da22b24d8f06240c0ac569f73cf8e38a8ef1042c10d0288129864c17cb45427c2972f3edc4e96ceda4013ed8803042cdcf3c00177a041c6805a

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
99KB

MD5
0d1f6ee91c947c6ff852f4234d01e1b7

SHA1
7b7c1cfd153bad037c54ba87c1012a03012b4457

SHA256
d6126753858a40ecf243b526f1525f2710cad845e80616059d52ef9a73e73c0b

SHA512
46ab61d6901e976f6694c1974a5d62a8a625904cd52bd7b7509c08c50cef20ef2eaeee58c2367ef4d9e2a340c894246bcef0bd4db7ba2c45252a451c64cb4dbd

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
99KB

MD5
41900d95aaa72e07c4ba863420c85c10

SHA1
24ce70e4f747ea5221fea207b490a395203c7c43

SHA256
c23fe07aac2d622346984355443975dcdba49651ac40c2f2f71697c411371d1b

SHA512
85d23b7d2558190c3829d0d25b4ce8325e8216d8953bd7b07203f67041b01c224493fd75215f7457d9c097ab7bfc1f91b5de01d17215c7a6c75c6eb70e3937b1

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
99KB

MD5
aabfa7464e6b00632e5eea0aac1f27af

SHA1
1d9aaba226be4627a383617822974d36e7bbafd4

SHA256
fbc486027602115643b288f23b548c27882706a4937c398e97494967b94257db

SHA512
aa58af71af515353a8a543789c990f283e00f60529eacd5db61270cb4dd7123e43f377bd273dff60677446fc4d007995557bc577141c8247102481a36ca0248d

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
99KB

MD5
2c093b65fb3d54bc7b5934232736fd6b

SHA1
3a27dcaab4ea000005a03993fa42b5416d022316

SHA256
0fefcd59a5ecd3808ad5eedcdb3d79323bd2c1afa297f2192b6035f6282ead1e

SHA512
06f39389513695af0a65fe54597846ed6e7ed9c6b1485a2c80ba60cccc9f0f7aec938ffc83dc973bfbc1ab3576bafdac50d343c6cc95c0e51d09e23ba31d85c2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
99KB

MD5
53e34413106a3e6bb5535b59a9a73562

SHA1
2af61a9428764691b9b58e40a1d142d6154aca19

SHA256
ac6b5104fc1a31e1196a2ffdc22f29326066f53e8fb0326745f04ea2fdfe9fd0

SHA512
ee2052d426cdb55ecb0a59f9ad72ea6a199d362c5851b2018484b7f2892a654ddcfd06cfad86b9a2ae80ea9163983b3936d2bcf7c644465caba1fe6f94f5be13

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
99KB

MD5
e08b87048cd054c47a075c4ae6d91e4d

SHA1
563b01c346eb981989623c600efbe7bd7367a021

SHA256
529c4ace7f266e3a7e2f2d486a6a4ccd9b2776d94a6c0138a68be677701fe817

SHA512
d674c307942a934b0e8ec3a08cace64308ea633a29577eb1791241a2f7f1708998fc5cefb0c0ed0de7bd47e0b9ddcc86f59e10611f4159fea69bc0901a2383b7

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
99KB

MD5
dccff25091324f9949113fe3d64d9e0a

SHA1
cd9d779c1f68eed30c220be26e0153934f58790e

SHA256
443d49c775bc73c8ab7cc2f46368c556fd5036ced1c21aefafecd530289a217e

SHA512
b5d7721082549d5d14d94b8030cf9bea28148a6c1d136f1aea1f9de004b11731d79d5af6c9ad9c01a16d4a3b51007ffade085a855429618005c3dc514df49623

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
99KB

MD5
50120d2981aeae7d559fffe393310516

SHA1
ddd74c095fa38e851c9faf8cd2bc331e97ccb6c0

SHA256
0d8e385fd87f350519e29019aa95d816f0c7f44d8827305f20d1c801316706b5

SHA512
b2b205cbfa8cc8f3c87010e8787c5c95e339bc2120ed799c5e18600e7f6dd97312a50a84528b05636d40289fc3c880efb0a08221a12086ea811514de034e9271

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
99KB

MD5
9a45971567784877046fc9468707ac38

SHA1
87252b4f86bd5dd29ef0336d4a37496b34c583e9

SHA256
3c26c7a11086c82b152c6a6ac19ada4c6e50d41bafee4fcb4b0fe506125c83a0

SHA512
d3ed22877e09ae6b7c9f8b59da56fc6cac233bd778ace1d05e9bc0e2cc6e06fc7a5ee05dfdf49f313e80faa4fb6fdec0d93b8c1c5a3563fd53306ba5265bf664

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
99KB

MD5
f4f091e78dd82019abd3dc8717b96f02

SHA1
0260bbb737c42b57e64db34cfaf5f79108aeadb0

SHA256
0b38df42729b7ff04d3cc6959dd2f7d0e60700a72bf80f252c8856ab07a6b4f7

SHA512
83675fe38814b653d06236bd189fef4865806570064223b337d9e838d4be56d8bbef84a01bc0a919752b9c4b15b6c1082cb1a44ad7961c3334c31e276ac82f49

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
99KB

MD5
83f1f0bd42d2d2727db9e8199ca50f3f

SHA1
82a90be076b4a7b359347b33efc7d154f038465b

SHA256
c0a0efaa491ad91dd5eb576679e84ca776747a278c174f2ace104e49c13665f8

SHA512
25f64ed9c3f1cd3c28ab452a73eae700ce08afbdaf87b21837c5a532026445cbb62e238d55b4345b3695538d273d050a8e5a4fd16c300e1816967eac4d2ecbe2

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
99KB

MD5
1cf4c0173cc1d066cd6c16ca4f2b5dea

SHA1
9dbbb6161e5802f948b40738defbdf7d5f47674b

SHA256
2a896b37f9d4c57138f4944f53ebfc26a86a4811f9416040adb703c5566b4a15

SHA512
2040ce9c66e9462d9f839df57fcdd7089e75f98bc0b5909fcfa245188a70be63eace916017828eb3588e665a0ebee554f00fa16cc4278ea167c61a24e7759d0a

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
99KB

MD5
5c0ca12d339416e34018b1a6d94b8962

SHA1
26382c36fd0b52044fda758f1809e31fe34cdeff

SHA256
eae1deed7bc50b61f2ec4e8d5ccf55444ad0e5c319f05679e07da459ed6892c8

SHA512
755852d8584979810bc375d3a00580c113f8c72ec25bb3d86a9e892e7fb1d5f8693e233f8a479f6231de419774b94f0d1009b6e25c44ae95cb975a419007ef1c

Download Submit
C:\Windows\SysWOW64\Pellipfm.dll

Filesize
7KB

MD5
922e1468132c8bb785daa82a8ea08a43

SHA1
aabb6e1aad352d4b48557d04470c6599dffda5f7

SHA256
2a82bce2b99d0efda78910aecc6f0d796317c64a65b3e70651006ae158798f4e

SHA512
03a0dcde14d877187647c35a8b2d3808501647c340765319b1f41ba0a3874e6a88660464b29e5410543fc237971d22b5898d17b4627b625037fde269aed943bf

Download Submit
memory/100-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/100-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/508-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/536-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/536-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/568-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/568-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-194-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3100-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads