bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Size

227KB
MD5

126e618bbe9106644c068b8b10b72410
SHA1

13f4b302c5347df3b1f6622ad9c09ddc2bc627dd
SHA256

bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d
SHA512

0eb9098e49b885298801c041e8eb743c081ec64655b0117d2ec64cf2b742a4ddbe41090efa739eeea2723fd1755a28e11f733574efbb5ff814e3b50fdbe02208
SSDEEP

3072:/B42rUzYTfgyn5w3I1Dey5pwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:p42r+C8Sqrm7U5j2QE2+g24Id2jFHu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe

Executes dropped EXE 37 IoCs

pid	Process
2196	Lijdhiaa.exe
3016	Laalifad.exe
2072	Ldohebqh.exe
1644	Lgneampk.exe
1624	Lkiqbl32.exe
3272	Lnhmng32.exe
3544	Lpfijcfl.exe
4696	Lgpagm32.exe
2028	Lddbqa32.exe
3728	Lgbnmm32.exe
1960	Mahbje32.exe
3656	Mdfofakp.exe
1928	Mciobn32.exe
884	Mjcgohig.exe
5112	Majopeii.exe
4540	Mdiklqhm.exe
2928	Mkbchk32.exe
3184	Mnapdf32.exe
1124	Mpolqa32.exe
5040	Mjhqjg32.exe
5016	Maohkd32.exe
2460	Mcpebmkb.exe
4016	Mnfipekh.exe
2700	Mpdelajl.exe
3468	Mdpalp32.exe
4520	Nacbfdao.exe
400	Nceonl32.exe
564	Ngpjnkpf.exe
4476	Nnjbke32.exe
1832	Ngcgcjnc.exe
3136	Nnmopdep.exe
1728	Nqklmpdd.exe
1568	Ncihikcg.exe
2208	Nkqpjidj.exe
3676	Ndidbn32.exe
628	Ncldnkae.exe
4740	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	4740	WerFault.exe	121

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2196	3464	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe	85
PID 3464 wrote to memory of 2196	3464	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe	85
PID 3464 wrote to memory of 2196	3464	bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe	85
PID 2196 wrote to memory of 3016	2196	Lijdhiaa.exe	86
PID 2196 wrote to memory of 3016	2196	Lijdhiaa.exe	86
PID 2196 wrote to memory of 3016	2196	Lijdhiaa.exe	86
PID 3016 wrote to memory of 2072	3016	Laalifad.exe	87
PID 3016 wrote to memory of 2072	3016	Laalifad.exe	87
PID 3016 wrote to memory of 2072	3016	Laalifad.exe	87
PID 2072 wrote to memory of 1644	2072	Ldohebqh.exe	88
PID 2072 wrote to memory of 1644	2072	Ldohebqh.exe	88
PID 2072 wrote to memory of 1644	2072	Ldohebqh.exe	88
PID 1644 wrote to memory of 1624	1644	Lgneampk.exe	89
PID 1644 wrote to memory of 1624	1644	Lgneampk.exe	89
PID 1644 wrote to memory of 1624	1644	Lgneampk.exe	89
PID 1624 wrote to memory of 3272	1624	Lkiqbl32.exe	90
PID 1624 wrote to memory of 3272	1624	Lkiqbl32.exe	90
PID 1624 wrote to memory of 3272	1624	Lkiqbl32.exe	90
PID 3272 wrote to memory of 3544	3272	Lnhmng32.exe	91
PID 3272 wrote to memory of 3544	3272	Lnhmng32.exe	91
PID 3272 wrote to memory of 3544	3272	Lnhmng32.exe	91
PID 3544 wrote to memory of 4696	3544	Lpfijcfl.exe	92
PID 3544 wrote to memory of 4696	3544	Lpfijcfl.exe	92
PID 3544 wrote to memory of 4696	3544	Lpfijcfl.exe	92
PID 4696 wrote to memory of 2028	4696	Lgpagm32.exe	93
PID 4696 wrote to memory of 2028	4696	Lgpagm32.exe	93
PID 4696 wrote to memory of 2028	4696	Lgpagm32.exe	93
PID 2028 wrote to memory of 3728	2028	Lddbqa32.exe	94
PID 2028 wrote to memory of 3728	2028	Lddbqa32.exe	94
PID 2028 wrote to memory of 3728	2028	Lddbqa32.exe	94
PID 3728 wrote to memory of 1960	3728	Lgbnmm32.exe	95
PID 3728 wrote to memory of 1960	3728	Lgbnmm32.exe	95
PID 3728 wrote to memory of 1960	3728	Lgbnmm32.exe	95
PID 1960 wrote to memory of 3656	1960	Mahbje32.exe	96
PID 1960 wrote to memory of 3656	1960	Mahbje32.exe	96
PID 1960 wrote to memory of 3656	1960	Mahbje32.exe	96
PID 3656 wrote to memory of 1928	3656	Mdfofakp.exe	97
PID 3656 wrote to memory of 1928	3656	Mdfofakp.exe	97
PID 3656 wrote to memory of 1928	3656	Mdfofakp.exe	97
PID 1928 wrote to memory of 884	1928	Mciobn32.exe	98
PID 1928 wrote to memory of 884	1928	Mciobn32.exe	98
PID 1928 wrote to memory of 884	1928	Mciobn32.exe	98
PID 884 wrote to memory of 5112	884	Mjcgohig.exe	99
PID 884 wrote to memory of 5112	884	Mjcgohig.exe	99
PID 884 wrote to memory of 5112	884	Mjcgohig.exe	99
PID 5112 wrote to memory of 4540	5112	Majopeii.exe	100
PID 5112 wrote to memory of 4540	5112	Majopeii.exe	100
PID 5112 wrote to memory of 4540	5112	Majopeii.exe	100
PID 4540 wrote to memory of 2928	4540	Mdiklqhm.exe	101
PID 4540 wrote to memory of 2928	4540	Mdiklqhm.exe	101
PID 4540 wrote to memory of 2928	4540	Mdiklqhm.exe	101
PID 2928 wrote to memory of 3184	2928	Mkbchk32.exe	102
PID 2928 wrote to memory of 3184	2928	Mkbchk32.exe	102
PID 2928 wrote to memory of 3184	2928	Mkbchk32.exe	102
PID 3184 wrote to memory of 1124	3184	Mnapdf32.exe	103
PID 3184 wrote to memory of 1124	3184	Mnapdf32.exe	103
PID 3184 wrote to memory of 1124	3184	Mnapdf32.exe	103
PID 1124 wrote to memory of 5040	1124	Mpolqa32.exe	104
PID 1124 wrote to memory of 5040	1124	Mpolqa32.exe	104
PID 1124 wrote to memory of 5040	1124	Mpolqa32.exe	104
PID 5040 wrote to memory of 5016	5040	Mjhqjg32.exe	105
PID 5040 wrote to memory of 5016	5040	Mjhqjg32.exe	105
PID 5040 wrote to memory of 5016	5040	Mjhqjg32.exe	105
PID 5016 wrote to memory of 2460	5016	Maohkd32.exe	106

C:\Users\Admin\AppData\Local\Temp\bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
"C:\Users\Admin\AppData\Local\Temp\bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\Lijdhiaa.exe
  C:\Windows\system32\Lijdhiaa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Laalifad.exe
    C:\Windows\system32\Laalifad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\Ldohebqh.exe
      C:\Windows\system32\Ldohebqh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 420
        39⤵
        Program crash
        
        PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4740 -ip 4740
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ekiidlll.dll

Filesize
7KB

MD5
67ec97308fd3d937f206553c9c8d60a0

SHA1
6847939f0b8fc9a52459e40eaae6d803383ed7ed

SHA256
787070c53df708d6a0823f2b86e756e587458f98f6fdc72afaa857d4cb430a14

SHA512
ca5c10fdbd3ca2bcc68623b569b0d801eed128c47b6653d5e2f6c5e2218d15314c36686c837dd3011dd99b870de01b5a55e99b11a34831133c79af60b938d08c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
227KB

MD5
3f13894466ba76f6dda8d8a9d5d2c0ca

SHA1
14ae98a8ca20677bb4c2df162b6dcf8bfa44b348

SHA256
227f0800a5a2d8fd34caabbf4d0e0451f9015d4bc6bb7d3d45d7324179bb3d60

SHA512
58b11d18d49a63070e4eb56628c1e79f90f40338b7aa3cf3450c6bb32d90bd7869107814723b4c91578ece54b177b29426803f80a5e85e4ce4f0c65b46a687db

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
227KB

MD5
92ce8736f406bf1e08dc7169092f5337

SHA1
9d47047312d9ba8e789cdcf058b717664718f719

SHA256
7ae69c9f95cde2bbbc381c3a1a940e4d76eafb4bf0920aabce4556556926271b

SHA512
c2a1770891475a77f8308a9bcd62704f34e59b36257d42eb2f28f470c4c70753ad0880d83a22b8948c56a2bcc9c89a581306dfea646ec1a8c01240997cd6cdfd

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
227KB

MD5
5d4ad21e5fbc76002e7403e42b9ad796

SHA1
9ea54c5f5ef120ed5da364ac7717d76bc3086f1d

SHA256
1538f7dbe01fdec58ab2e0212c3fad8c1df931d3f74a52b9730eb71ca3ea5ba6

SHA512
7531e277e34ab93994095e03e3e6dc98cd67eef40607e2bbb5bab4f90a000a3af9bf4dba473ba5785a977d87f367d40d55d8116a0058657c39418b343be60f28

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
227KB

MD5
f165613cf09158af9dd36c2f451202c5

SHA1
d53afaf28e3ea0a2bd33e81d881c1b639228c483

SHA256
99b07192c157ec7eb17713039321bfb1aab528412f89106ffd1d31bb18619e13

SHA512
b14ced0fb0bb1a70c811998d6c518cd235b3dd1ec0133c8ccf3a26743be8162105443c8a26e6248462790208bd3245a0952f52c3b8ce99c8ebf5e2dcf49d37ac

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
227KB

MD5
e31c55e638325d08d882aab0ecfe939a

SHA1
35205781f4e4c30129efaf72b6fa31c24f0c73b8

SHA256
b9fe73500cc80a312f2705e150ad98058762a1e94e381026475aa6b09df925b8

SHA512
efb907c1bf4bee4b3f3be1490c748affb5204e52043e3cf7fccfdb927174871a188b4670f4fb031619b017e1045526f4daca3ea32c4c046de586f723a02b5f82

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
227KB

MD5
13ee23d50fd9c8fefc0ac603f8187c56

SHA1
955d194490c20deb9bf2eaadd030c1d74497b252

SHA256
c89d7ead33a0870798346c35a72210706cb48569774fec725cdf3ca0c2de702d

SHA512
9766ba2a9d70a0ae6e34bc53396d3e89b4cab3ce09c3dae1dc4cc64f496e941ab0ee01d2e6a6f927782f1e974004b23b34ffaabe72d0f8c322f2b11defdb7096

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
227KB

MD5
39cb222d3d92ff487da6a1e9925d6c8d

SHA1
ce4276607859844e366ee5f406864c12429888b3

SHA256
34880eeadf96c61d4ed1f021c0953ceeab2d8ca8218c25840d245a0228a6f78b

SHA512
5be16bd8c73dff66e46fff5fbe977e06fbae6e642cacfbc63638dc7170fff1d5dd7da23f6456f9cd2d8c9bbf8281d83b5e8bb6e50a5d19ef3a83cdecb761928c

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
227KB

MD5
16a75851d62b37e14648ffed00acfc67

SHA1
18692fbdbb1a6be6b6960844ffe36053cbf48499

SHA256
5dd148a929e1410a0a99dacdfea96d31624d4c1418b1450579d42f8480e6a155

SHA512
f3c5daf70b81cf5c66e525438760993e2e4537923db4b3e77f5980be7e280d031032077a8552362d24f5b1da5d9abe4a10c89db57168c4a53dec0867b849d03b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
227KB

MD5
e6d6da58b6be3232f80c6483cefdba28

SHA1
b0dd708b037092d27913106bb5bf171b2cd48203

SHA256
80b12d9c1375d3151621e87efabc6d0d3057296ea7b4ab33ed5e9b6c2db24f7a

SHA512
8f3aa3135a67e25e9a7b48ef143330b74c5cb8f1d34e938efce51c45ba2c27e80d237e72b3d5b032f1a4b6088803dc4904ba78e5cd51eca479fbf9097b24e405

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
227KB

MD5
db60df41d4469bbdfd965191774405dd

SHA1
78f5a9bf9fe1e7a0f1215b348189c0af202cfdc4

SHA256
1a63ccfc1eda6ea89a4a96eabe23f25fba2ecc12d92da478f57d6bf764c324fd

SHA512
80dcd27f75aa8c1d3fcc9ecb61ce4fec36e002da571c4056dffb7b7e44f1b343ccf37630190a42b00b10cd91e3251f8c3332fde659cfd502bddcd0cfc96b83f1

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
227KB

MD5
2fc1daea2a06ccb32bb58081043d2cc4

SHA1
15b6e8cff9ac45b632f46b1a5dfbfff51390d606

SHA256
35bfd4383c3359a2c6dedae513f470b7a347e22f5b2b2a09b8711d2cee3cede6

SHA512
7c768f7b466c86da6528f1f96ad5af0691961261a53e2b79875ccf0014733659338157154aeb6f09fd7e4925e93ce3e9318d7dbad2ea63c2e5edca4b1470c480

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
227KB

MD5
04497d0b1db09e67a04836aec3ce0d92

SHA1
b42ac66c4f9b786464f446724cae1db1c622207c

SHA256
36a993e251e395ccd03dce6b99e2bde7d7d52a7842ac7f0a33237256ca80cf71

SHA512
5502661c39c7450ad8d418c397622f0947fe3c5d5f05606cab4072765a7e5039f13d25cb67384716d2de4921dbe527546f8785322aca0ff72b4d9b721cfd0b74

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
227KB

MD5
ed6229f6bbd579d16fa98c88b9c2f0f1

SHA1
bc73cf61ba98407201040684cecf30121f6f71ad

SHA256
e9bccaf2d2bd0734f8a10bb7024f6762975226b4f22d256de88130d4f2717201

SHA512
509cf8fbfdf7c0393f057faee3ac1df71191a4ed09c9ce0f78a26bca976d059f1486938c546a62a0da4ca862b55e922fd080c143a67acca066eac754df41bd51

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
227KB

MD5
b427ef9a22a0341843e6800a7cb46eeb

SHA1
46d65b7859a46a86b8cf28bf4907a1588d49384f

SHA256
fa280348f1ebb760d6666e44db5228e820479179b350eb733c3d8adb8bda8aa1

SHA512
f4ee0fc36ed9afc4a539b96c14ec23fadaa66b3d50d6de3e50fbdcc62fc63ff6debd4c5c563d0e5585acc1c1a556d96215623144d30fe3b79558d333f3b4af5f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
227KB

MD5
d9125a90448e1e62bad1dfbee7029fb6

SHA1
1e9d4c0c8a6203fdafffaaac01eb1b8a8fe38689

SHA256
e92e0a7f8af61b8272991678926ffa2c2b6ba7b78e7156c28702671a9da46170

SHA512
52a34ae6a382cf204a6e23fd1bbb76066b18f1a59decab8cfc21eab3796f129510b0287c4db3e2bac51329f33198a1eea6aa530bae7fab5eb4bda736dd9f5fe2

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
227KB

MD5
445c5a4457b2aee28066d0067da69961

SHA1
c04ca905e5af53f9763b79df1103a193a0e0b0fa

SHA256
79efb731d1e53d86f0fbd03a4f008c506ffd265a8a5c990e947514f9b9cda388

SHA512
ca6a272da612b7448c8d9489404555e6afe680500050d7c67f0a7df547892cb9678bb6e30346b47850936984108e9815d97be702c2525a078ffab5938ce1e45c

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
227KB

MD5
dc92698585dcb6c8f74e4e4ddf663141

SHA1
0c24cac4d975f106dbee8c3fefbab52446c85ead

SHA256
ab54ad379f52e87d3b950e1e7847b709d9b97194cd989e6eeb7de5af07e2481a

SHA512
984ba467d01284a6666abea4dd191954ab31d64f6730c4db4f04e3ddc224a448f8a2d75fbd7b81a90a1a99ca3b691fd9be7aa915356ef7faa655f6298666e207

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
227KB

MD5
14ada3f2d56e023f3733db4d5ec6473c

SHA1
88f6773d66b5179a61d95946b442e4067013ded2

SHA256
a44bf8988a5811b66e3a7006f3161dc5f4fa254a268c8c59c7e333e145095bf9

SHA512
3274314f5199ec88d8cdd521b82657bd5007c55068d0dfe1f6805db32ea496927a2e404bba076128945cf1ea1bea971840002d5f49871793e051486f15df2764

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
227KB

MD5
dae7ae440455b1237c87fc9464a8e8c1

SHA1
c0f7af482df6e188ca5908b7798cd851c6445b6f

SHA256
38e888e310522bbd1ee3783673ce31871a7bbb4935bf42898a4e6f894ae03993

SHA512
d9412af2936b9f889a21ebf6f590060dbe3fc7c96b00a66d2943faec901c628b52169c882ea2cd2f364986d6a50f6511b5d8de936f5a1db842bb55a6e33f79f4

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
227KB

MD5
af0ac240fca44009de8868c9d1b96bee

SHA1
e7f4305c1566c26d6c3a353a43ad53e53da529b7

SHA256
6100493da13ce8ca9264145d65b4cc34f6a52f8000e6953437882e29730f35b5

SHA512
0f7acd8844e253b1683b05ef545e2f17da99d3ddb336dbaa3482213a5e01e74c2cc2ffbe48d63e361442766695168720ab1e73ab822c0e835894499b952165dc

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
227KB

MD5
4cbbe3f56722043f8ecb683765b71e1f

SHA1
2389b6f97ed3d7830e80d2f22ff42d915a2d0527

SHA256
28c731827ab126aed801aaba9823d84a33f2bffc4c7ca3d4cc13ddd661ff8102

SHA512
4421864c68599a70ca527c1c6966e6d7491563b4908775a95a129397fa7dd94eb1727a379fc3b2fe7fc02a7237d6db12e6cfdfb83649259e08e6700ff13423ae

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
227KB

MD5
8536fadbdb822b22775e6a04ea2e18f4

SHA1
3b6f4ba994375d3f5b5179ea4e262b609209c9db

SHA256
f10c1c5c3f7c492252ee052e173f748483d60e9d6213a958d0bc28059ddade8f

SHA512
264a686593fc090ce2fa59500778db7caa1fcffa65b53ed94d3ec6f2540a14f2544b32f0386357c1505dc4f1eb1d82c9df798634012d768961ac9dff814e9b89

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
227KB

MD5
f2f22f5234e1bdcb7a4f5846f9d33c11

SHA1
9a31c79249c162ae548114e4ae99b44fdc747e7e

SHA256
8f51e71656a49105428fe51ed7da4b1778b3c36e8e4980617d3b30884fee2e1e

SHA512
b73085630e15deef82e721a0c3bd08a3e290b95d761c396da60d9c47c92da73597fa2f85bd70ccebcbec12934b3b8f9b4ee42da17cfc45ddb296a421cfb4e2e8

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
227KB

MD5
e349d4d861cd0de3a966dcca557ffd02

SHA1
83ab4d231efda357d199dc695c61ce2b6fb25e3c

SHA256
9c7b899b16422e0346864bd970672d633796b39feb2c6e1a9daa6d5960fd9958

SHA512
193cdb20f178db061dba23edcc46157d4e0bef1ba7ec3335fc86cc3f2ae0b7a9d2a81d5e05ee5a37f5d10758c631f90d7e6a3cfa6b481387a3e40c505b5fdb96

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
227KB

MD5
d84d463955990caa8ba63298ce39d6e2

SHA1
3bf95b164fb10c37622fb02ece3e6f71b407e787

SHA256
f0855ab1fbb41e16260fafda6c55035f765dafc29d612ed5eb60418988ad2d0e

SHA512
2d4fa58f2f68e5e72712d623f67b09bffdf5c94c928515fac9a97384992104336d881e6941ee2643fa156f83261577f4b8f5c4a52f511e7a9ba31cb16b489fef

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
227KB

MD5
fb0aa3282594bfb3967bf1f7a864fdbb

SHA1
a32bb2657aad08c2e3c42737ed6b38f5e6657880

SHA256
d21bd3b3731e26f3d6b4508902d4dd0e81ed61d51d632a1fa47a923702db33cf

SHA512
150a09950c2eff4e74bd51edbc24329425a18350e0b5459b94e971059456beacf5fe749921e468bc9afc8f0fe9f12731d224ae2dbcb0a05c02adff291f2bbc88

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
227KB

MD5
b2d660860af053d10e56d19898f375f8

SHA1
277d4b8fdff0c102d53b3c3cd214db84e78775d7

SHA256
8278be6d394293ae356a29bf7219df81b09314ac6fa2df76a8bc7eec6595e939

SHA512
917d8aa4051fa66c3fc58e3ec90aeed9a48c406bbf598f7c7e1883703c509d9668d1e98febffbb94848f24ba7b007a2cbc4e953b05e838af1451f265947e62f5

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
227KB

MD5
dace2156cf2fcc24da0c22b6bd7f686d

SHA1
4360800d8bfc6ae8087c85756da4762f8d91203b

SHA256
4487150cf99a2102c9658c365f1f00c965e130c5b9008d560292e84b0d5f7c47

SHA512
033740a62434c566dc915ee49461afeeb6774ba67872e4fae2225ea4a213642ee560dbfbbf414c6eabe53c095334e8661850ac2e976bd8055a73e3c02570433d

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
227KB

MD5
ffb8339d97521f8ddb85db5095cd8d5c

SHA1
a9197b52d41fe581727318611dea3c3a0f336e74

SHA256
8f64f599c5c7fec7c3ef8f40d64e526cef0a9df49cb3a23f0c69102e8a8ae45f

SHA512
0ab8e7bf35c945003286234b1c0eeef5bfa0f42dff33060691a36b914b1cdba72d388b22b4f3fe1a65cc35db08c798f85a0f327c4760b3aec3ce7ae37fd55ffb

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
227KB

MD5
47f319db7ea9ee0937d787af49eae523

SHA1
b475e657792816e67fd7ebfc01e2a89fa82c0a3b

SHA256
5a44f3e3d55e9cfc6e4a30f70765b0d6ece6da3192df3e3b35d1af4621dd92b2

SHA512
dc21e2425585c6e730543d7a44f227762589980623316201f0b75d255df49e1e032642a23c89b7693f8995462ec839ed9b3ac3276125396b98fd5068e70c38a5

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
227KB

MD5
f27f4e7cd2ac041f3f48b6fad5b9cbd6

SHA1
31ecc48f2af10caa39db1ad26d9e7e1b88789539

SHA256
148103ec4ee136106611dfa70e88025ba7f7a9963c2486ea65f5ca47a79be6f8

SHA512
bd06eb718b005b862e1bdb8de2fd277135438e19378006955997d1466ec8473cdc904a27be8b27dc8b6fc57bdb97d95f5aa34985fcad128fcd07fbfdba62becf

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
227KB

MD5
ad33d093a9ffccd01ed18d2b5bb80bb1

SHA1
ba683b9aad26f7fe27a81afdc064101e29a2027b

SHA256
ae934ee79c25d2494a6877172da57fec465d66a20b15835f66958a0d338e9afd

SHA512
187bac1000bdbd4a29caeb4653208eb91185af1adc2ec2a1261a7f69112a9d909a9133763574e8314409a0120744bf5cfefcd393a9296d3bebd6a65b0b5cb6b9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
227KB

MD5
87a0954f196e0d00c0684e4423fc3640

SHA1
1f3b7b79a358ba166fe72371b78083439ee234fa

SHA256
1364690017a2ed491185c899547478c51a32537f68f496bed7e86fad12847942

SHA512
468fd112075c9e0552c11143cb91811a3699a1b6bf802375c53877c85f656c15029a2078f20402c43a0ad085734da61268bc7c795c2f30282c8559dbc28d8416

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
227KB

MD5
80b99d5cdc6f5439ae72373767eec149

SHA1
74921d342658414598056b4bb97b0bf59cffe78b

SHA256
7cf743ede78af66af57cbb516ac711acedc69eb0393f9a56431a119e3e889691

SHA512
a17d00fde649501caaf24c72eff2c3184ae0d42ff879b6bcfa06bd4cc32ef240c82b8a8352a95c7cf1beb5346f066c9ecf9b7082813db88b27e0872fb4990255

Download Submit
memory/400-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3468-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3468-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3544-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads