45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde

Analysis

max time kernel
120s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
Size

896KB
MD5

0de8b982684878daf4fc6d65aa49d2f0
SHA1

f62c549f614cb6d9db403cac80bd2cdcf3a5b11d
SHA256

45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde
SHA512

e9bba83ddee80fdf4d48eb20d6cceb6fb9c0e49def01aa255062c942fa0562487888aec3b7e7c66ea67b75490ffdb9dc78fea0a9fcf9f18cc6c3104e8fba1140
SSDEEP

24576:oRBR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+5:6WbazR0vp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe

Executes dropped EXE 42 IoCs

pid	Process
3412	Kckbqpnj.exe
3024	Kkbkamnl.exe
3160	Lcmofolg.exe
2652	Liggbi32.exe
2896	Laopdgcg.exe
1488	Lijdhiaa.exe
5028	Lcbiao32.exe
2940	Lilanioo.exe
968	Laciofpa.exe
416	Ldaeka32.exe
2052	Mpkbebbf.exe
4508	Mciobn32.exe
456	Mkpgck32.exe
1400	Mdiklqhm.exe
1344	Mpolqa32.exe
864	Mcnhmm32.exe
4908	Mkepnjng.exe
3612	Mcpebmkb.exe
4040	Mjjmog32.exe
4784	Maaepd32.exe
2356	Mdpalp32.exe
3020	Mcbahlip.exe
1152	Njljefql.exe
4904	Ndbnboqb.exe
4396	Ngpjnkpf.exe
2452	Nklfoi32.exe
3588	Nnjbke32.exe
920	Nafokcol.exe
3996	Nqiogp32.exe
3360	Ncgkcl32.exe
2004	Ngcgcjnc.exe
2484	Njacpf32.exe
1204	Nnmopdep.exe
1544	Nbhkac32.exe
3428	Ndghmo32.exe
1432	Ncihikcg.exe
4288	Nkqpjidj.exe
4200	Njcpee32.exe
4204	Nqmhbpba.exe
3888	Ndidbn32.exe
3304	Nggqoj32.exe
916	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe

Program crash 1 IoCs

pid	pid_target	Process
792	916	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3412	3148	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe	85
PID 3148 wrote to memory of 3412	3148	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe	85
PID 3148 wrote to memory of 3412	3148	45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe	85
PID 3412 wrote to memory of 3024	3412	Kckbqpnj.exe	86
PID 3412 wrote to memory of 3024	3412	Kckbqpnj.exe	86
PID 3412 wrote to memory of 3024	3412	Kckbqpnj.exe	86
PID 3024 wrote to memory of 3160	3024	Kkbkamnl.exe	87
PID 3024 wrote to memory of 3160	3024	Kkbkamnl.exe	87
PID 3024 wrote to memory of 3160	3024	Kkbkamnl.exe	87
PID 3160 wrote to memory of 2652	3160	Lcmofolg.exe	88
PID 3160 wrote to memory of 2652	3160	Lcmofolg.exe	88
PID 3160 wrote to memory of 2652	3160	Lcmofolg.exe	88
PID 2652 wrote to memory of 2896	2652	Liggbi32.exe	89
PID 2652 wrote to memory of 2896	2652	Liggbi32.exe	89
PID 2652 wrote to memory of 2896	2652	Liggbi32.exe	89
PID 2896 wrote to memory of 1488	2896	Laopdgcg.exe	90
PID 2896 wrote to memory of 1488	2896	Laopdgcg.exe	90
PID 2896 wrote to memory of 1488	2896	Laopdgcg.exe	90
PID 1488 wrote to memory of 5028	1488	Lijdhiaa.exe	91
PID 1488 wrote to memory of 5028	1488	Lijdhiaa.exe	91
PID 1488 wrote to memory of 5028	1488	Lijdhiaa.exe	91
PID 5028 wrote to memory of 2940	5028	Lcbiao32.exe	92
PID 5028 wrote to memory of 2940	5028	Lcbiao32.exe	92
PID 5028 wrote to memory of 2940	5028	Lcbiao32.exe	92
PID 2940 wrote to memory of 968	2940	Lilanioo.exe	93
PID 2940 wrote to memory of 968	2940	Lilanioo.exe	93
PID 2940 wrote to memory of 968	2940	Lilanioo.exe	93
PID 968 wrote to memory of 416	968	Laciofpa.exe	94
PID 968 wrote to memory of 416	968	Laciofpa.exe	94
PID 968 wrote to memory of 416	968	Laciofpa.exe	94
PID 416 wrote to memory of 2052	416	Ldaeka32.exe	95
PID 416 wrote to memory of 2052	416	Ldaeka32.exe	95
PID 416 wrote to memory of 2052	416	Ldaeka32.exe	95
PID 2052 wrote to memory of 4508	2052	Mpkbebbf.exe	96
PID 2052 wrote to memory of 4508	2052	Mpkbebbf.exe	96
PID 2052 wrote to memory of 4508	2052	Mpkbebbf.exe	96
PID 4508 wrote to memory of 456	4508	Mciobn32.exe	97
PID 4508 wrote to memory of 456	4508	Mciobn32.exe	97
PID 4508 wrote to memory of 456	4508	Mciobn32.exe	97
PID 456 wrote to memory of 1400	456	Mkpgck32.exe	98
PID 456 wrote to memory of 1400	456	Mkpgck32.exe	98
PID 456 wrote to memory of 1400	456	Mkpgck32.exe	98
PID 1400 wrote to memory of 1344	1400	Mdiklqhm.exe	99
PID 1400 wrote to memory of 1344	1400	Mdiklqhm.exe	99
PID 1400 wrote to memory of 1344	1400	Mdiklqhm.exe	99
PID 1344 wrote to memory of 864	1344	Mpolqa32.exe	100
PID 1344 wrote to memory of 864	1344	Mpolqa32.exe	100
PID 1344 wrote to memory of 864	1344	Mpolqa32.exe	100
PID 864 wrote to memory of 4908	864	Mcnhmm32.exe	101
PID 864 wrote to memory of 4908	864	Mcnhmm32.exe	101
PID 864 wrote to memory of 4908	864	Mcnhmm32.exe	101
PID 4908 wrote to memory of 3612	4908	Mkepnjng.exe	102
PID 4908 wrote to memory of 3612	4908	Mkepnjng.exe	102
PID 4908 wrote to memory of 3612	4908	Mkepnjng.exe	102
PID 3612 wrote to memory of 4040	3612	Mcpebmkb.exe	103
PID 3612 wrote to memory of 4040	3612	Mcpebmkb.exe	103
PID 3612 wrote to memory of 4040	3612	Mcpebmkb.exe	103
PID 4040 wrote to memory of 4784	4040	Mjjmog32.exe	104
PID 4040 wrote to memory of 4784	4040	Mjjmog32.exe	104
PID 4040 wrote to memory of 4784	4040	Mjjmog32.exe	104
PID 4784 wrote to memory of 2356	4784	Maaepd32.exe	105
PID 4784 wrote to memory of 2356	4784	Maaepd32.exe	105
PID 4784 wrote to memory of 2356	4784	Maaepd32.exe	105
PID 2356 wrote to memory of 3020	2356	Mdpalp32.exe	106

C:\Users\Admin\AppData\Local\Temp\45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe
"C:\Users\Admin\AppData\Local\Temp\45dbdfc84533e5e29bb48121b3669d3279990c1f580a2faee4d1dfacf18f2cde.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\Kckbqpnj.exe
  C:\Windows\system32\Kckbqpnj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\Kkbkamnl.exe
    C:\Windows\system32\Kkbkamnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Lcmofolg.exe
      C:\Windows\system32\Lcmofolg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 400
        45⤵
        Program crash
        
        PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
896KB

MD5
2221287cedf4bcd94150e86b68767977

SHA1
b56e91f00c98df5405be08832121de9f8d3b578e

SHA256
e34dbc023c2442a3bfbce313265cc727954ff903be54370c4dd73e5c98aa7a55

SHA512
668391160fdc5f4d5fae63f1e67e15a257b9673a5ed572a03912acba4be4fd7739777e6b2e3fbabc253e734ba9d765eee6f1e12bd143dc51cafa32e4f6867521

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
896KB

MD5
005b0bbba7bde9b513d5e5720fca7426

SHA1
b5ce65f53288821cce19901cf93ac3b0b8683e86

SHA256
8428512ddcda8bb1e8eb22fb96631c29beb88b7b35bf31963cdfcbbc277ba3b3

SHA512
bbd6361a7d5140cca9f41707c8af4f794e323e9a0b28691d3e4699342047ca9b1133cefd55c78d75f1c0a65878d6cb8bee21f80a03428ab577d4963a0e61aa02

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
839KB

MD5
a9997edda2df51fb9caf2fcf783c1ff0

SHA1
49990db8a5b63b7110e48c8eb6c21805f8c4caaa

SHA256
79c185ddbe09d26506e8a80cf3fcfdc684582aa8ac890c6997b6dbc15d9d5e9b

SHA512
ef84c3ef4461de3b447f1e4cadadbdaa462a3f5d9e30de295c52e8413025a0760f742c2b44aba1ffc0bf0bb2d373696f8a66d207f2e609756fc09b72af4ff219

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
305KB

MD5
87395c3db843fdf2f42f335d25d11613

SHA1
fabd61b781899b52b276888bd26fc3f0c52c93ae

SHA256
20ea6c94fa0007df060300ff111893b6a87d74eca35694ae8ad85cc7c9cd10a4

SHA512
a38a0338d6799a0096a319d675fa21329010b0ef71ccc8da322e9e3aa7719a9a8d7e25a4ef999a00ff1b7b477662633b3f9371602dde68ef75d59ba2aafd83da

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
479KB

MD5
0a95d50dac82480921e7be934b0ec73b

SHA1
34118fde55fc7a68c1c3377b37c4eb7b202edd7f

SHA256
e7453c0b8a20a8e29711f15163446748898ebf406eae94d92e02254f4805f65f

SHA512
768de0770e7ef617984e53f7811fcd50ee4d6ff8c3e24d97dd50a84654740e14f6eefda8a657049492c6c92cdd9dad7964d64c4b18b95b588e5cff9b389a6260

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
896KB

MD5
fcc074894c99409ed68141bbc2743ccf

SHA1
4416e2db5f8cdfa757598578c3ef1f1ccd1cd5a8

SHA256
34bd4ed295e699c79905f41efd53875e6a22276638364825bed73f76cb2f570b

SHA512
ba25e1801d495faaa3dc4669efe1674ca2f94986c89735f5dc0c2ae24871c1f04a42f066bb8876aad819b06e13c2d31bcda3bab1d9670394f8cf24df5143eb6e

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
552KB

MD5
faa21f8700aba653f944e38089f022bd

SHA1
7df3599f60b3ea7a38932b52cec89bc487c93a52

SHA256
8ff2be9019ce59136bb735a30a96826300cac5463e8e90c484bbb0cc465c5f50

SHA512
8c44e36207ed3d7b7a35d2b178052c36cf109a9405b0aed0cd801b18b37560df0477c7fa3a3125cc25df5d35c6738fa0b35ad450f7699e01a992bdf341036689

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
456KB

MD5
17e2fcf1fd5e7f25fa6e60ae4183fcc1

SHA1
09efd9e405bda90cdb3abf2fcc2f9d2d74e9019c

SHA256
ee7a90f9547b67e1e732d9a885217325b915be670b2a2a3d47e8ab840c7c79ea

SHA512
5dfb7136a9621f389ab52929274b8e6767c34c7cbb96cbdbe17a6a3a6a5f5ca913ff7989e4eaa215985339624c7577d2c54a629eeeaec8efdfab8d207f7195e5

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
594KB

MD5
66ba4188bf4704515e5a375c13aab132

SHA1
243358d0f8a05fbc4737a6ae463982c2fd648af1

SHA256
b907bbf628ef59f24b1de57efb21f8f238e1f22a63100c2bc5ed3d38e762fd32

SHA512
986174b1ec62fcc96a31c8feff76eb08d899142622dfca968db84dea65dcd9419488fb70f29c9733e9286010fca57edb878ae23a37fed187b94aeb5fb8eb670c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
846KB

MD5
0562e8f436d84707e023a2fdd9bbcc78

SHA1
6b59651caef8a39ddc0c9407d93a36438a17d690

SHA256
dec429422b114b5532ebbe6846130351ed1971a4c204413bafb92d940363f4ed

SHA512
3cab1316df9d0d3f349b0c24d82e2c6c6c6e966b5a99e07799484ba9fd05ce5b474df3e1215a2e315fd2a30550f78f5f8b25008314e5b77bf15933d95249ab2a

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
746KB

MD5
e8e75f2c189bf7d3fa37c949db999ac5

SHA1
793c5ce83706f83e40084e91958a74000eb8efa0

SHA256
18dec510e5cab5128aecd939434ac76931edfb0574b0f0118c9254056d02540a

SHA512
0435339eaf38390185a6cd9cee567c22404a3a5c27daff08b428775c96afbae99df082568fb5f2bee3ae9a9f07a075853dd7ef323f829fc1339a4ca7ddf40376

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
310KB

MD5
2d5994e681d303b6c1cc5bb72bde3de1

SHA1
58ed240a6ac383fb30ac72363766302a863dc349

SHA256
d1786f999161232dab254016410e88ef4d1f2f6cef84aaab149c50213264b444

SHA512
015fc7cb7b010f0073d10fe95df71bfe45a3e8091150512503252c7b736e9ef1d54ad67fd4194e2c6e8dbaea05522651ac9c791985edc5ae7e252ccd67cf55cf

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
485KB

MD5
a6d5fb2d469bf038c88198fb3459400b

SHA1
831345b370d3d44e78eaf4e71f3b90e6753eba42

SHA256
adcbac513d371035921348168eb6a05855dd91c0e1c04439fcebe388588ce61d

SHA512
6e3782c247be249ccb9f33a040330a03922a6c621996c3f9168422c61e15dc718099873372088bc3ffd1402440a2c95f03369b675a3aa449648695d87899bf0b

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
709KB

MD5
be965e931022000b16490c6b55d745b6

SHA1
673455b3617a614392515b462aa8233faef883cd

SHA256
72982f94dcb36a19c445e081eee48b4e5e9207a59b0798dced7c469224506a36

SHA512
4a23a92bc818c065aa40f2535677fe6475e3c11549b026d5c1a73f6bed3228a95b671b91d78fe074b6fc0d419c1cd7ac2b870aae2bb9d5154cfc69928a49ba93

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
393KB

MD5
38279b190acf40f5a04e4e8acc2f127b

SHA1
f83b5bbef43006b9c3921bb39141fc6ebe00ee82

SHA256
5d9e4fc8935f405d4bfdf8e3a84872af4b82f7484b221a3e017fb3d253f1a62c

SHA512
3ec8535760127d3f737ac8385a6cae1f5f5758eb38e2cec2a21b286bb973858151bac468d7651fa3fd072d93107fcc17148dbea586a1da72ac2e70145c0a898d

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
896KB

MD5
9e6792b662d53350dfd892289561c4da

SHA1
91b18d20f2300b8390c8f60c253896c76cb7b24b

SHA256
c3420616ea5f5fc3d920fe86f8d411c32a6e9f8677d95f35c993372f10cfce66

SHA512
fa8c9ed2772c562dfd4edb14d8aa9dca99ec73e4fb1b81f70689eccda128d0bc19ca6681cee736e1165f4d2e6a4403b6cd8cec6f0d870f1fb4d0fcfc63c690a8

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
625KB

MD5
78803dc5b2b88161b2a9e186d960a036

SHA1
580a36bb03776637d3005bac4339abe38110bb5a

SHA256
5e5c0a8fa8508d04a52ffbd0b91b15bcff0814dc5111992be400f174f9561046

SHA512
d95197a1cfc035da783fb821fb1ae90e54735b6edc7412704a9e2dd1c8d8c2760edf65151ce5d0b087a3f9bd331bb75ba8fa1613998773e2a7bac37295e04add

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
896KB

MD5
9bdee2342478a09f3f89de2e6535deea

SHA1
128041c1811fc38b8604bc24fd6cf5c9984e96a3

SHA256
fb40fb29896c48b857e86736051bf66c86f79a997e2ac7834e019c5d62148eca

SHA512
80fc455cd3dda4ad2fa90855c9419ee9c5c60c701c5656d5a6e708442666d236bf7f987d2ca7541801f6795d40616aee6721066694965e2d74557040b05a95c6

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
362KB

MD5
5f4e4cb3635c44c5e9d1c9087f91040e

SHA1
160684deb035fec27aa46977ba7492129f137548

SHA256
eb864a5fdefe9e5306faf3d6651f9239305e648c71ac4a5d57038ccb9628020f

SHA512
f1c4f8a6ca47f20e19e582eb7d13c9ead374adebf2b654d057cdf3d62ed431b37f3765ee310a19045ea71a40a9f599da068c62eb7631d3e2e17da201cab968c3

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
896KB

MD5
e20f185e6ace2f04e007b624f53805c2

SHA1
20b6c9460d91b92e1707289f3883abf66c1dde70

SHA256
ae6336456af45911728fb83c082cf9c5d662f696df4755077f9a0ad31b827469

SHA512
e42d209a75b6c1380754d95700b28f4449ff785f017934b480486a1c773fc684df1ebd64e8986aee77c593b362d02206f2ff5daa2688280bf7b7120abe254b47

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
896KB

MD5
b64ff0c058015f4213e156995745250d

SHA1
623cc5b1f0e3ae7bbdd78476152a1725a785cfd3

SHA256
63befde2d1b14dab91d3f043d83b270320e32af657cf4986ad6f6f1a7635c3f7

SHA512
084391290dad2c02f7d99dfa06627df58ce2dfd62c2b23ea95ccc0cb4cf5d4a4b7856e1bd5bcb28c9373c8fda37d2f80fca44d14e62dd0c0f4154df3d02985a8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
896KB

MD5
c5de13d880ef6089ff336610e2955209

SHA1
50754b3bc388752f08de07a7717c2a6828b48467

SHA256
4ffc8c1a77c40e678272262464b8742d83b6ed0431a980108d65aa38e7e06bf0

SHA512
4851fb71d93cf27484884461796817b8d6a08e379512f19d198be0e6173bcefd93c3d38c5af5e9873441d50586ae27a96a79e156826150a752fcd05fc15c187f

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
896KB

MD5
c6389f3a1883a1902459542a5404f292

SHA1
3a5b27cfc6c29b42c7697f2ecba163cb80c177a9

SHA256
1797df0998bdfa232567472f8ad8db87c24ce01be9ee1defe94c97a16c79a6db

SHA512
60d3dc1820f981e9040b9aec3a5f505d86124716d9e03c98b29554af300fcb99f75b415271f77e666f894e2b2ba8fd3da149b5dccc614186bef0ae6016f1b714

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
896KB

MD5
d762403831c3564867f7043ef0d9c56e

SHA1
2376303a0e26487adec2238e0b0d63caa01904d0

SHA256
fd469ffb82e7d2eaf7da15a8a3b41812a881c4471a47a86c101594288e5cd4d5

SHA512
229d10e5757ed3c5cbd3b2bf33f81d19316383b7fb1c088c13a11a401ca69030e19151396bba8044d0ebc8574356a72811d157ae5b98ef293c832308975470bc

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
896KB

MD5
572be7832f6928d8a580e11e97d312fa

SHA1
3a40ae204d0fc0171c5d92da0d1d0e665443ff4b

SHA256
a83ab564f0806914b281a8f903e15c5a1bcda08fe07daf8c759ed52ed5eca26e

SHA512
2b9de1c472593547260cd198fde315bba61bc314051363f9fce912f207bd51a35a55bd0dc6f1d1bec64add85e0997f7c47a7bf01f0c24828b9eb67abbda02cbd

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
896KB

MD5
560498bdeb437897293e2db235a7917c

SHA1
c211428e669ac040f5def289659acdde0edc2bf2

SHA256
46119457f2c853c1b2e359f08e03ba341bcd8d353beddf14ab13f67fc91e6b79

SHA512
71976188ed1e6307bb3b60b7e1c677d918c65885663c95efe424ee6555ab58a1e2853c316ddd664df9aa0cca9c8fad05582833769e300673e4f700e6085aea63

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
442KB

MD5
2f56a9254c74f5f9cab605eacde86c02

SHA1
14d5b52342679ac1fc9821cad8c72317e62709ba

SHA256
8e0f40ded328d3d6acc0b89fd77205914bf56da53ba30f9e1ade1eb41f72ff06

SHA512
165f808cdd9e543aa79a84f95ec1cfeeade767e557853b9c3deb59653366a4adc4b68563ca174b399df65ca6cfa039be1acd57c48fb417739cac5c2f69534001

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
896KB

MD5
b6cb38ddfa4dc13fc461c3e4d32065c7

SHA1
483416799fe07e8fe4b72410c50509999e1e1820

SHA256
e62c4871eac2a9a58133697c68edbc0288ae5d6fe35bee5cf1d2c12b22a711a2

SHA512
5992ef6782c3d4381c54ff5d7306a63c81b3287834f9a9792982dc4cfb284fdaee4ae5830c5fe3e9077938de7ef661307fa6abdd4a8f7c7491e9a4960620e90f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
201KB

MD5
c02da822d8cdce2fd4fd27e3c7a61c00

SHA1
f0c1d1b44b543347df618aa4192b6e93d5d06038

SHA256
fbf3cefd4ec00c3a80b4774ba49b91f22d2e7ba118fd234b6bebd17eb228f178

SHA512
4b4903f1379f7b6fe0e4218bc4fb62b71fbd1c6a1bc876aa6f50dd39f7500bfc898842aa8bd7af926845241cfee1cd3a83dcb7a1d451b163cdf2058ef8de88b1

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
514KB

MD5
5059e9e6ecc4096b1e7b2f940a86a0de

SHA1
7bac5399a7764da2c468065fc662f13b816e900d

SHA256
b11483ae23ed6f0705e96a4626151d21165478e65ce8e660ae80cc05308ef877

SHA512
9b6bfa02806ad4157f110920d00239a505e88b16a33b365cffdfd74a84d3bb29fb2df332d0f2dccb589e1a2411636fdabdf88c07b6d425cf70dda97d6502834c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
122KB

MD5
9e760b30be70c39117ae59a1ca7fe7ba

SHA1
6c45a83921dabc7d14ad6c93070975a8050ac7d1

SHA256
321d451caaea6a48dca911fcd973d30de73ef972b372de1a57c5f09f2bd288cc

SHA512
0470735861d46856a95e05eb297a1af829fb426170e7b0127ac7e3925a0077d33aed08d62329ab3e78660ffa034b4f86c5242b4b52ce0b1a091c2eb0c9b2cdd4

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
121KB

MD5
8965e9a92b23e1ecbf08903c59a7602c

SHA1
5604602292653b2fb5701ba013b33f0171ccece2

SHA256
2f2ff1727339fad7e28eedcf7bae621b947d4f38532c61fc53c2107a781f401f

SHA512
1d4a175f96f3154c329de0aaa679bd9cd76746ca2fe6fd4338bbef2f20a9ed2053631aa6213281559a8687cfac7e1b4d4679cd635ee461f003d4da068433cee3

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
896KB

MD5
d259f11c9f1f41e8752688bcacbca7ec

SHA1
2c694c6c21d2258c87a6e6ffbf0952608d408830

SHA256
99136fd6bb3af0fe9e10112794a03f3ffbd6cc03bfa20f3fbd637175f36ef41e

SHA512
4df38ca6706db113b85d1d0401685f60418903d4f31711b5b83d649ea7d0cc18185debd4823129a0782019dc8632143842631c1fd47725cb6095aedc5a54dc6b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
259KB

MD5
1741cd244c09088295da1ef311aea804

SHA1
37139c636a97fc38c9244b5e85f037e8be226787

SHA256
89b3fba251a6f2cf02ea23f1ca6d51994400ae7f66624529174f77f7dbb5fe35

SHA512
e2c0159573679fe630eda17f340260c698324ab40828994cf70a821b091fac025a5d85f2e58d0b29832e762509b480ec8b22466ff75f06f409688c8065e50da0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
102KB

MD5
7aa4b8b8dab3b9ef5d877853942c9648

SHA1
db99a3cb836af44b1f02a2031110f6649d873128

SHA256
024481c91f17fada199ce4d8a3cf5ca731f00ebea7340d1503393af2139912cc

SHA512
3e1b4d829357cb7d6bb020f5f5a8e221ef3981fecdd67dbbb421c8c338a58c73b222a1fd093ee6e92d1461a70c9df806b133bf57d3ebce43f09168ce721a3c0f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
896KB

MD5
d77b2c6e412886942394c7db53ab5328

SHA1
d4805c9df6d9a71ed02037cdb1025c6cd811c46f

SHA256
f73fbf65e739ca40b9081293f75b0f760c0d01c24ec1d01f34e3887a768c0582

SHA512
3fdf486d186de75ad8b27b29e874e654208cf10b1c2698879fb45fa94bc8664c03e43d4440daadde737ce6a289b00f056f669d2fa25f3e41b5a984535286105c

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
74KB

MD5
9789cc98cd14242f76ed5ae176b148e7

SHA1
3899b4301323f432ad02dac410f161e73ef6885a

SHA256
0a4190925416d08b572a65d23b318a9962452dc18a462ed9513b2e0da7737a66

SHA512
f1cf0ba85b0dc4c60852b0df17de6a9a7b3255d15ad0797282cb9c4ccea282371aa61bf6c3a09d5b5f552c74e3a84365bf3b860ec0601a7fbe669c18e14a8ba6

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
896KB

MD5
247e66324017b9a6fde483c57d6edd10

SHA1
cc074fd71bee89041f0e91f428ad85ca659da2fb

SHA256
01e16b23aa5fb091adb54048002860e2b46daa1c546872516d961fe8549e24e5

SHA512
d532c9d606a128a360dd185914ac2f67d930c6739241a83691ee5fc8e701f2d7721fe77b4ffff1fe35a491dc5f1d1e3a9f0a1033554d847e10a04393331b53a3

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
418KB

MD5
9b2dbd40866cf15570d612f02b6c09a9

SHA1
8034c9a2475892bc1293b8b8ceb2f1db23eb4a21

SHA256
afb4a7dd2e2f8704b7d8856cb1241947a2ec46006393846b2ef524e4a2ee16b3

SHA512
8b4082943f394b7637bb3ae3571186d124fdbd3b7546bc237fba74f4c83fafa8dc91cdefe081a41864d1b4d7ad11f0f77897fc45d2d3a15bac36db9ca0fc6302

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
896KB

MD5
466b8967437796bbd07cc17d39aca227

SHA1
9a924bf55227767c7d134f72476ca5420116c50b

SHA256
0ec1c41e566e41fbf6d9d344065d6f89155bdfe3ff0ea428045fce94cea450a4

SHA512
ecede8588fc048e74bb2f325360cf0ee7c39b45eba046dbfd37b15c4a9ced0612326303a84fb1d4ce176a83529b87cf47e3cd142f4181371d4c61ef5f2a4e598

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
292KB

MD5
20dba560cc0a994bac228a6f536f6501

SHA1
0e407d49cc0e2118d562fc0e6dd89cfd2dcabd46

SHA256
08600d5863bb7bb96e957055a3c17b4c97f273f99061e053eb9c8ee0fd0117a8

SHA512
6fd928ae2a4bdb9803b6f3a751e82f3efe0ca606ba3ab5f359241c0d2ba311cd7d58b57a9136fbbc419cea2e63d4a5bd59253b778893d6587d43ee5ae50b3759

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
896KB

MD5
ed8222e3912d502769c8fb4451ddc07d

SHA1
1dbffd56e91d2d7cf37db3b34f55ee40507607f0

SHA256
491e46326dd546c4360040c299e136923256989272d9fec3f60a00c61a36e601

SHA512
0f59ff678a625e228cb4facf0efbe8b66ab0189684d3118260599cc1325e6f5ba6feb4c9b3c6787b1eba90a4d4b1706457f351132a8e2ba8f52bb50d6007473c

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
896KB

MD5
40cae3542bd680cc1d1bec5bb0da4854

SHA1
cb2073a5e2319b1bac79cfb2750d7cc2d4242cea

SHA256
b1be2f8ae641021b21c2c4bb27da59142e348976480bd1c47f918e6734ffdd2d

SHA512
943d10cc6c93628a786b6ea4024e0977748c3b23e2130f7014cc74c1614a3830308f71d9faa53b83d4523bb16d69e69b6abb0cafbc90202c412a143072d57a29

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
896KB

MD5
e8414c88286a768890977431a661522d

SHA1
3e1967398bc606b1d69cc8de1156c52edd6065d7

SHA256
85982d1cf0c8782f3bbfb42526d65fa472e7d6ede14a7f7af1a460811d532b67

SHA512
08aecf956aad672c07fef40a8b5cc3a299af9c40164daa624939c223de01c34670f7677431a069de9f46dd7667edcf4f697f488b770c9af2bf8a1d618c3394ec

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
896KB

MD5
4a5e6e723c9c095122b95892f32e4291

SHA1
28e11b72166c0a4e82e51a2399773eeb67d06706

SHA256
ebd4d65da4502c89b69d343ea07f4e3cedaefccee8d5f7de0af2126e555a630e

SHA512
c511fe81870c0340d7951397201250e58ee01e9c21ebf8527824461b22f622c2714eb3cc6a7a69efa3b61f132354023648c3b94f0c7a7d19ad3cc4a887ccefeb

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
896KB

MD5
d4939290f3f5cb3765cf15c91ac14bd7

SHA1
6807e75fd57bb8b6a4c3f5d4108f75a5bff26d52

SHA256
1bbb13286e9335812aaa90e8af0a643ba07f4338ab74e8e5b5cf4fc5201d9ce6

SHA512
11c6169aa32e18832a201590ee097f7cf06f276271f297350720a44f618efb876f52dbf416815ac58af9be40c07c55706fe822d806ee53e7af50688c1ba9ee61

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
896KB

MD5
32bb64e9f6f5e91ad56556e101be3ee8

SHA1
fbf2767823e0f01cd8795234bc33a5ee042b66f0

SHA256
6da85e7de8415e658add7286d15b23085a5c6eabcb22220a4e0851b9973f1fb0

SHA512
e498f8cd8c8f9b708e1569360e625ac6365a62e459dc6e75db2068497133e5f7df19b77f218bbe3ab831a27271da1057b02b54ba77a869f029adfb15f6a8cc07

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
896KB

MD5
dcf6e792fe7ee3fc048a6888a329df48

SHA1
70b23bb3cb0d7a6e193c26882632ca93a9a4e9ec

SHA256
accfab3e355ebc04e3343c949e2d221d2e178c22376732f2b45e608d7553859d

SHA512
6eb90d7499a2f89dc7c0083988bb33a51c2908a5603518fb566d47d586b6eb19ab4b2996a06bc881709a4179975583ef351850bd897aea041388a3b9ab335048

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
343KB

MD5
61e9b0363b77aae259b9fd734b1778bb

SHA1
894721b67103be9fd558e02e3f77f6bf773a334f

SHA256
9e19b0eeba94d48be7b936c41f146c3920921e8ce3b3d71c05979e134810563a

SHA512
6ffd655c45d11479c5292729b31f37a16e9e9ce8499beb456ddb975be468e8f2dce90af7aabddf7238bf443e69200c67fcf5a762d59f6d3dee287c8ec69762ae

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
896KB

MD5
84a78635e22c044e3a9707fdf7970373

SHA1
b4911141e078bf1325f48ca3000bbcdb0106ef7b

SHA256
c51f5b7e35ae553f8d2d965a101c31ade92bc517b3650efc60799cbf8ba834cc

SHA512
193fdc20f0bcd63423f827370ecf04836571d6f7047aa635df955e18907fa5e75d153aae481f5d0f668c38abb24490d1a8f86bdd190cdcc264d2f1e101bdc0e7

Download Submit
memory/416-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads