812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Size

232KB
MD5

11fd7f01992c72b375816ef60f7631c1
SHA1

3c6a39835fc053593403a9996f70910fba4f3f72
SHA256

812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807
SHA512

c3976ba439fe6fc3192857e75fe813f1180df03158a11803e12e9df33457211eba17b5d1329514919d48431db3c35d5cb52cc93a8cea1ee054ac8209613c54f6
SSDEEP

3072:JNYAW0hAsIn7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPad8:JX+9n6s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe

Executes dropped EXE 31 IoCs

pid	Process
2272	Kibnhjgj.exe
3956	Kpmfddnf.exe
3484	Lmqgnhmp.exe
1628	Lcmofolg.exe
2496	Lkdggmlj.exe
384	Liggbi32.exe
4156	Lpappc32.exe
376	Lgkhlnbn.exe
4084	Ldohebqh.exe
3016	Lgneampk.exe
1512	Laciofpa.exe
2268	Ldaeka32.exe
740	Laefdf32.exe
2900	Lgbnmm32.exe
2232	Mnlfigcc.exe
1096	Mpkbebbf.exe
2700	Mgekbljc.exe
928	Mnocof32.exe
2924	Mdiklqhm.exe
5032	Mkbchk32.exe
1492	Mnfipekh.exe
3164	Mpdelajl.exe
3912	Nnhfee32.exe
3656	Nceonl32.exe
2712	Nklfoi32.exe
3848	Nafokcol.exe
3940	Nddkgonp.exe
3636	Nbhkac32.exe
320	Ncihikcg.exe
1992	Ndidbn32.exe
4456	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kpmfddnf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	4456	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2272	2932	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe	85
PID 2932 wrote to memory of 2272	2932	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe	85
PID 2932 wrote to memory of 2272	2932	812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe	85
PID 2272 wrote to memory of 3956	2272	Kibnhjgj.exe	86
PID 2272 wrote to memory of 3956	2272	Kibnhjgj.exe	86
PID 2272 wrote to memory of 3956	2272	Kibnhjgj.exe	86
PID 3956 wrote to memory of 3484	3956	Kpmfddnf.exe	87
PID 3956 wrote to memory of 3484	3956	Kpmfddnf.exe	87
PID 3956 wrote to memory of 3484	3956	Kpmfddnf.exe	87
PID 3484 wrote to memory of 1628	3484	Lmqgnhmp.exe	88
PID 3484 wrote to memory of 1628	3484	Lmqgnhmp.exe	88
PID 3484 wrote to memory of 1628	3484	Lmqgnhmp.exe	88
PID 1628 wrote to memory of 2496	1628	Lcmofolg.exe	89
PID 1628 wrote to memory of 2496	1628	Lcmofolg.exe	89
PID 1628 wrote to memory of 2496	1628	Lcmofolg.exe	89
PID 2496 wrote to memory of 384	2496	Lkdggmlj.exe	90
PID 2496 wrote to memory of 384	2496	Lkdggmlj.exe	90
PID 2496 wrote to memory of 384	2496	Lkdggmlj.exe	90
PID 384 wrote to memory of 4156	384	Liggbi32.exe	91
PID 384 wrote to memory of 4156	384	Liggbi32.exe	91
PID 384 wrote to memory of 4156	384	Liggbi32.exe	91
PID 4156 wrote to memory of 376	4156	Lpappc32.exe	92
PID 4156 wrote to memory of 376	4156	Lpappc32.exe	92
PID 4156 wrote to memory of 376	4156	Lpappc32.exe	92
PID 376 wrote to memory of 4084	376	Lgkhlnbn.exe	93
PID 376 wrote to memory of 4084	376	Lgkhlnbn.exe	93
PID 376 wrote to memory of 4084	376	Lgkhlnbn.exe	93
PID 4084 wrote to memory of 3016	4084	Ldohebqh.exe	94
PID 4084 wrote to memory of 3016	4084	Ldohebqh.exe	94
PID 4084 wrote to memory of 3016	4084	Ldohebqh.exe	94
PID 3016 wrote to memory of 1512	3016	Lgneampk.exe	95
PID 3016 wrote to memory of 1512	3016	Lgneampk.exe	95
PID 3016 wrote to memory of 1512	3016	Lgneampk.exe	95
PID 1512 wrote to memory of 2268	1512	Laciofpa.exe	96
PID 1512 wrote to memory of 2268	1512	Laciofpa.exe	96
PID 1512 wrote to memory of 2268	1512	Laciofpa.exe	96
PID 2268 wrote to memory of 740	2268	Ldaeka32.exe	97
PID 2268 wrote to memory of 740	2268	Ldaeka32.exe	97
PID 2268 wrote to memory of 740	2268	Ldaeka32.exe	97
PID 740 wrote to memory of 2900	740	Laefdf32.exe	98
PID 740 wrote to memory of 2900	740	Laefdf32.exe	98
PID 740 wrote to memory of 2900	740	Laefdf32.exe	98
PID 2900 wrote to memory of 2232	2900	Lgbnmm32.exe	99
PID 2900 wrote to memory of 2232	2900	Lgbnmm32.exe	99
PID 2900 wrote to memory of 2232	2900	Lgbnmm32.exe	99
PID 2232 wrote to memory of 1096	2232	Mnlfigcc.exe	100
PID 2232 wrote to memory of 1096	2232	Mnlfigcc.exe	100
PID 2232 wrote to memory of 1096	2232	Mnlfigcc.exe	100
PID 1096 wrote to memory of 2700	1096	Mpkbebbf.exe	101
PID 1096 wrote to memory of 2700	1096	Mpkbebbf.exe	101
PID 1096 wrote to memory of 2700	1096	Mpkbebbf.exe	101
PID 2700 wrote to memory of 928	2700	Mgekbljc.exe	102
PID 2700 wrote to memory of 928	2700	Mgekbljc.exe	102
PID 2700 wrote to memory of 928	2700	Mgekbljc.exe	102
PID 928 wrote to memory of 2924	928	Mnocof32.exe	103
PID 928 wrote to memory of 2924	928	Mnocof32.exe	103
PID 928 wrote to memory of 2924	928	Mnocof32.exe	103
PID 2924 wrote to memory of 5032	2924	Mdiklqhm.exe	104
PID 2924 wrote to memory of 5032	2924	Mdiklqhm.exe	104
PID 2924 wrote to memory of 5032	2924	Mdiklqhm.exe	104
PID 5032 wrote to memory of 1492	5032	Mkbchk32.exe	105
PID 5032 wrote to memory of 1492	5032	Mkbchk32.exe	105
PID 5032 wrote to memory of 1492	5032	Mkbchk32.exe	105
PID 1492 wrote to memory of 3164	1492	Mnfipekh.exe	106

C:\Users\Admin\AppData\Local\Temp\812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe
"C:\Users\Admin\AppData\Local\Temp\812c84e3fecc040563605ad874f72937ae6edf6464deff5880bb7ce37f845807.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\Kpmfddnf.exe
    C:\Windows\system32\Kpmfddnf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\Lmqgnhmp.exe
      C:\Windows\system32\Lmqgnhmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 412
        33⤵
        Program crash
        
        PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4456 -ip 4456
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
232KB

MD5
3842bab08a04d0b73aa642ae58d55c87

SHA1
4d8977036c7f34a8f41176943cf9114c6b4b03a2

SHA256
2a62b3255c4896a2350ff31715c5aa60fff3d68eece4c107bb28d2edbf9b0d4e

SHA512
c170cf45d589c8ff1ef4ef32b85dbaa4811774c12f34f04b828b448d9496bacda051f120759a91992170195939a749ef365aff64fb1a1e1fa1786b4b83fa5a8a

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
232KB

MD5
793518793d8418c5bf7a71755172e814

SHA1
027869bd4baea4affa7e44cd44412750cf7ff70f

SHA256
eb902e8962e8deae59c5740abc004f1622cc2038185308be9031182a006fd3b8

SHA512
0ff8277cb10c1362aa789eb68c961e47090a83b09b5c1006381d637623b4a165370188bb0417450146049675af8b870ce86270cbdc848418697bc0e221f43026

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
135KB

MD5
4c97d73ffe6a1d896107016d63296410

SHA1
91800bbad412cd14da327b3365dbcda62e4b1e09

SHA256
f0f8d5b5b7b2a805b620bf4249a18a0872d05a226e5e87ef52ed6a94e6332371

SHA512
c68cd8e63bff920bf07d9cb5732e4e8c8605ea40fa99e9f39bee575ef4f00bd2fcdd54e04a2abe0dbb9af0554441db43bcb1c4a6e4261ade8e16cd019304ab63

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
232KB

MD5
97a6090bb1c9aac02151f0368f5fd354

SHA1
e04ffa88dca11d867b9e8b1a100d1a7c74b1febb

SHA256
87a72b3fa32d4c8ded3c20055335b7f88a0e6351d13b60dac2f5343e2aeb2cdb

SHA512
97b990c501e5ec38167d74346f4ac8bf888b824e7341604be15776a315401459085dc5050b83b0a7a5362b201ae92ffe7588f45f777f55317faaa23ca515e3be

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
232KB

MD5
b9b524d3515d28ddb5db6f97ee186a37

SHA1
9594d3029573374faa93cf2a94925f9cebb8ff2f

SHA256
4c311c57b6db5367eff7038925783fc5b473636ad67d1e30605efad30605d996

SHA512
de4600cf0376f2e41e1e4fbb892f8091d1ee97fed196ae79ca24e0e351866452d4448844846efa79a768c63feb78f5245bff3a3bf0a630f447d32fdd9c3a705a

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
232KB

MD5
f96516e8b04198b5844b9259546c0d34

SHA1
0b238c25f2a15fd93d78cd221cf0c43a8d6d7608

SHA256
7981090ca93631482c6b58ae79e86966e55013501e96a195c95361f16c14b905

SHA512
135f9acb0f9523c53e56f48915dea1dfcb4f8ac51fefd7f6ed6a38d2f70ee04c73f176c2f495b1cf0632843219103c593b93cdf074cf031d7927b4d2b244d1df

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
232KB

MD5
e69e8a523631631e9ac06dea25de01f3

SHA1
8cc820d383c8ffbfe9c48ac69e948e4ff0467a47

SHA256
8cbe0553ac7e5e9813909804e033c919643a84a2cb4789a895a44909ce7a53a9

SHA512
252db8167aa004052c443d1232dee9f5dfd2a561295bf5316a82e0b2e78d45ccb608d008980dc70fa104a867da6c7a26b90eed11e6f5d74cfe14f8919d53e430

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
232KB

MD5
7243e301c2704e8cef369b5998f90863

SHA1
7968eab30cf3f7b0e43e76667a6711f6b4e9fa85

SHA256
0fe1852695759c4a8724c4b3cf674372d73e85860abfffda0c80b819883234d9

SHA512
34f90bf3a10d4cd0191646b4176c4c270f08bd10026ace920b7b24e6a3eedb2c53731ffeed80e85c2afbaf51d8b2c2781b9aee59189c62c376a0f04a8de2fe0b

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
232KB

MD5
a03c728aad7b4610ca4e79c661cb8fb5

SHA1
639bc3e077b8dcbbfc6271834dd389534e395324

SHA256
f7548ca4487e579640d0ea3e9a9bcb57780e12078ec9ed559db81d844355e865

SHA512
37b32d9aa2df0bf6c714a9aca86a567bcfe9ea5b3f81de10bffc6f3b005ceb5ea9b26106886a04be5f1fb8326ee74b98aefa6ac0ef0dd0ddd3e3f1fd55380d9d

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
232KB

MD5
b8af4b04800ed9b5960c9d4ba57a09d5

SHA1
62469f1fb0c7a0e2944e38bf37562b67992d78e2

SHA256
e5fd91c27fc4dc7857cf5b46eab146ae6dfe5d77816ea18d0acd809b40550266

SHA512
ceae0a3c3e5d940dd7275625ae9504e92713eb5b40ae88ed42baab0018828442919f9b9855b5c50d6938feac1c0e0d624cc33a1cf8fb460749b94eba2210cd1c

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
232KB

MD5
7420dc8c5f16e39b02b441786e9f27ea

SHA1
1f5d392ddb73fd88935745717a9278e59228f3cb

SHA256
219ba59477766596a7019499a3d82cc0915214dc487dcf81dc4bb67926c850de

SHA512
6009978f4e3277a79b5db3815cb395c8f140c9225ada6d4b3d1138028009a25a291a0b767302a30634ec17acf65815489cf3a17ae30d519273f7accad080b8ac

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
232KB

MD5
d5aa191b4327ffcf6de291ae8d89d347

SHA1
4adb84b8a2e6191f85e9e48cdea53a088dc34289

SHA256
8f6ff6239643acba1a32eee6eec0bd2fdba49ba009030623cc1db4f436189932

SHA512
63093be054a41a7f75f65b32b5f10e334a5d7b145add72977c920d1ad8b961dc391b41d7941e3e052fce4c4c50343fcf4e6ec286400e2d626c447a8e76a9f372

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
232KB

MD5
0a29160565063b74ffd42c635081173c

SHA1
e3456b97c37f52613f3ba1805042017e5f323090

SHA256
e54aa6f7d57eb48bbfa8afb3e24f425cc68eb25814a60b88056e649a9b410fea

SHA512
1b6cfdc372beceaa78cd5a2b0e528cb7df5ff5a2a0fab53b044ace8dc99ec374e2b48a64d8849111bb64a291cd6977c32eaa605f89b4afe86564bfd3b100ea76

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
128KB

MD5
29084c14f0a7bb16cc36eda3fba14f5f

SHA1
c360ea4b7c1c540c6a21ea5d00a823508b399b1c

SHA256
0b1c9b7861030d43d58e9e6dda13f4d1d0e6ba08260bda6119b2336a461fe8e9

SHA512
599dd40d2847c2b8c6d58bc1e5d3d1527e19af4fb183b62a39466008af08ba7e3ee766eb3114321c53161c84d26eacdfb2ad19f4c23e515bff96ffeb7d28de8b

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
232KB

MD5
867b6ff9c4a774ba694f54616ac40618

SHA1
4a989258d6b18874cc05e4b126d2d161fbdb2949

SHA256
7f592181e11dc2a194e2728266fb1acea05c76082f42bb6c2acd44933e204e48

SHA512
5b5069fe1fa4b6bd01f1073b4ed3bc52d6e030651451e9481a0bb3c614323e34f7851da80e51aa53f7d17c84ec9fc817c3bd6a73d35b8f5607240e25042b6eb5

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
232KB

MD5
0ab92c5fab234f78a532494fa1a7b670

SHA1
de52fa9c11c793f66b5a688703d2360ececc77df

SHA256
254948b7283bb384286c30f7731943e0866212419e9dcf7001c66d6e3b025834

SHA512
a429c759083e0a1e8fb5737b74c14c0dd6edcf185faef87dec56851fd8a8dffdb8a9b7b68530d80267fcc81cbab738eba7bb1b517832d814926a68057056732c

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
232KB

MD5
4074ece0bbad17ec47137e16751451ec

SHA1
245de650492e7282ca8d612f94539ec555fedf9b

SHA256
90373d256d6ecafe9c651fb4458d497be4232cb8fa4a2240aca29c3e9b370fc0

SHA512
7db7283996dd81c64c5cda2889c4729287132b37c652107dcf94fd153fa171adf80b9776eecf3d6eab1be7d0f272dab6c23459d7fa1326ddc1053a0404186053

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
232KB

MD5
98aca9fc574cfbfbc259e486109a899f

SHA1
3c364d8f33e49b6da7373c8f13c3369769b118dd

SHA256
7a6243e5d577686ab31d6e9ae9e6c11cdd8c19b69b189d47dd15b88fe83cb9da

SHA512
d8df2c7b085db494d8174cf0cb9f62eff99234f2ffbeba18a5f85cc2a62fc4197b762c588bb9838256d9298e8247b54dc8f6dbf3fa39b2ad2fc96de174af44e6

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
232KB

MD5
52270e9ffc3975753cd075e6e07a40e7

SHA1
61ad0e33efd3f11f62aa82b640c56dea6b3de077

SHA256
1049cdb579ccf3f90231326c84fb1785110b03432795a51eb8b9754d7ac81c8d

SHA512
ab95c2ec58a88ce92ab9d50b99046ea71b6660e34a2db443408bb770c0ee47dbfd1fa93d9efaa3f0a8cb648f2cf43be0d159031d40c79777c38444c386dfd66d

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
232KB

MD5
74d2baf845751a203262332a36277997

SHA1
91f973b26d1fde00c98a749620ab4adc41517a0f

SHA256
24aa5cd9ccf3c0639dcc6fd2a9bfa3a0abeb6dcd678fdde70fd8cc9476558d9c

SHA512
156c2c1143612ca1b5e33d0c13715af0302404ac0a63de73f3385a00aedece34b86cf8884d2c500dabef42575413e2b7b31f0f00161cfa213c6791c2ad4bb529

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
232KB

MD5
cf4ec6b193fab57a42c6f26a92bbe4f0

SHA1
d49ce199e939cc7556d609d0707d16a0f85633b3

SHA256
b010f8b98f3a99ccbb6eadf99d0a15ff7d33d7f36abf411cabbb64c0fef2e8cb

SHA512
a6905c4c3d45701c6e1b00cacfc86baaef9b6334ce9e2f9778bec0b42c67437025b27df4ccf09ba35533f382b1cc76fffef3ca836af782237a01824d3337cb39

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
232KB

MD5
85803eacf4b1968e9abcb3038d435bb3

SHA1
2beb5f06d1bd63ecdb8ec920441e3bd32d3c7da7

SHA256
09f83ca40923fba3c7184ee7a15f78812e8d8ac5f6a1008257c7263097602692

SHA512
1bbd1d9e56086202d561c7c49f83fe7b6087adb457a1185609d8db7867fde0834073ff57a7c265fcdf6bf1a774a4219a6cb870f93f56cd98b72f8b7bf3158db8

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
232KB

MD5
64723bcbd57cd7f081d9cbaf8b4c6033

SHA1
a62fd60e18e10f727d9ccf263099574bea35b88d

SHA256
ccc0814bd173b1ba9d59e2db8ac22df33d7e2bc96192eca66f8ee388a8659086

SHA512
2ee61a97cda75198e9aa6917d12e8a9552b14b67030c8fedf35092717c49fcb482a5ebd09dc4fef996832687d27438595ec5b1a4b04ab958b84c4d5964bbf6d9

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
232KB

MD5
80598e1d2fde79781d98fe0363ef6b25

SHA1
b41241e9422ab7e376e8f936f1ff71e99c2f417a

SHA256
60031b5b9b9f867b768cf4a86f95cfa7e63c67e3557567219f6752c877ef2d3f

SHA512
876541d2fefa2076b778afa5e53c1fb93f0ee42bc76e524fd7853894851b2ed51bf5267365e125d8a6eb67ebb61fffaf00d001dca97bb579c8f0c7fb6dd38293

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
232KB

MD5
0b5e2345074d8b44eb1afe28d6f5ff41

SHA1
b7a576e2f7de83be59a89a6e3e95759f0ff7909d

SHA256
d7bebbe37868713c3277211e2b3317d748bf4da722b4f2808efd5f980aeb3241

SHA512
98faf9322c00039826457996483cbbe49d1e8f5699784741ba745e061bd5286241d03115e2b5fa1f0fbe281a10b8a4cd256937800c27de6694b856102e78e8b5

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
232KB

MD5
ad86e4f6e35090d825ca2b978640ab4b

SHA1
fad0167ef4e21265b6caa6bcb871a555538cf441

SHA256
ef0ba0d822f239892c0f1264adf84e1e708748678e1fdf1e46a880ab36669e4d

SHA512
4953c24096aaa91b347767f31dfc6162c144469f29723d51be08fbf42561aae3e3c9d17608d8fe963ba50681833dc3e86b4113cb9a5762a1a795ce85d7bf4680

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
232KB

MD5
da47b31ebba71d4c2d329757f05e8a65

SHA1
d5977894678b49bbd36c9a46cb796d8d7a0f7038

SHA256
9e5ba273b310680007eab7166d462447dd4620046aac4d8b644a28e25e94df40

SHA512
0c80307aba4dfe5ff981f79b893ea6f43c4f1cc0f7d7ea631b95d96c8e22841fbe735221a9c01a78a68b6f56c4be0463b1629a9178645a3a623ab4cbd47b4889

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
232KB

MD5
1d4cb2cac7674c98d7820f7560819626

SHA1
ce7c8dc6db0d8adabe04d7ad3dfafe28f5aa92bc

SHA256
829b86e82a083ee70dc0c8e6111647f108c5d56897143cbade590410232e6907

SHA512
ffe60fdbc4b285c0e07cc1db3c54056bee07fdef31653345f18ce89306e23c1007333ae4edbefefa3ea7d3ad100bc0529aa478c46e8d420eed2ea3ce2c8e7ed6

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
232KB

MD5
324876cc706ba71d5cfb45712f6ef735

SHA1
a2368eb4c6f6b18d15b6ac1a047d9674a8ef58f5

SHA256
ff098d15452bd7245cc9eeefff4d07346063fca6ae4e06cdbde2a734e271bf19

SHA512
481e76a105c8432e01ed69301268934abc2d12b8f23b364dbc55bf54edc47678d80b5dd0627adc982264a60c7245a6165d7214100b7da70c193856dcc3094f09

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
232KB

MD5
7e9e4c3ec518432659f3e4b5a1e3772a

SHA1
89963d0271e5968aa36698d951d47d1e7a5e8879

SHA256
6329c1853c8c9fada4f6df419ecbd19efc6aa0b826c1b3d56859636082e5773a

SHA512
3344353de5b386c9ced6d1338441c6d919a7d7190e3922d6f97fb625976fbeac75d516fd6f71d35e1bd48e744ba7569a4d7474fc881e40788a46afc156382d54

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
232KB

MD5
9477fbc63914859f6c3ad5fd71cb78dd

SHA1
2eef235094a073feaf6489cc9e61ddd10f738b31

SHA256
8a759770acc91ae06e544e4de505cab1433e570cb1947f2c2aa85566884ee470

SHA512
c010ff90ed5b7254da67282874a58bfe353f6aecb8e189e032bebc696083ee448405ff704c28b0263946dda7e31b7c67b4943b26ff803907e48b6799d0aeeec9

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
232KB

MD5
2d959746064bba68ba65e9a367edef2f

SHA1
20c7f2499cb895f039fdd5b2252223cddb10e2a6

SHA256
d28a3c0e1161823394bebdffbdd5ec0a7cac6159dc2aa4efb69902b3cd5bdf39

SHA512
9f7990822605a175656ba9e5a7f45777100202ab1d232d619d2b609811b9a1bccf35a35418c44128eeb309d289a8419f8735c91cecc9f1fb755bd0317bc18285

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
232KB

MD5
01ade32bc9e3794faf9f3b3607a9fa88

SHA1
1f36de83138afb957bcbe5c5c46dcd41447e83a1

SHA256
2ee3dbb973e77c604c22b43ceb9069a8ca6f2c46c0387ec3e1a0f7cbe7e2f31d

SHA512
08b014596fa3000455459931a41d5eaaecacb3b648681b6c877a03be887c04a8044eef86b0d0210ed92f7b1827b556c61392ea8b36ce623ec77f152fb7ea62e2

Download Submit
memory/320-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads