03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4

Analysis

max time kernel
93s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Size

128KB
MD5

c4f9d35538f11b2fb35b45e5d4ae648c
SHA1

40533ee2bc6f85110f1aad2a38cf99658cda9cf0
SHA256

03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4
SHA512

92c099151a563a161215cfa63be2f16db3a82dedae404d7bfeb43825e5a97064bef2ab6eacefc368ce1439ddc268229368a03bb9531b5e2f73292a9b818e38c0
SSDEEP

3072:5Y58KZO2lX/4YQcdNi2PzdH13+EE+RaZ6r+GDZnr:5k8v2lQo3i2Pzd5IF6rfBr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe

Executes dropped EXE 40 IoCs

pid	Process
4580	Lkdggmlj.exe
4584	Lmccchkn.exe
1900	Ldmlpbbj.exe
2640	Lgkhlnbn.exe
2900	Lijdhiaa.exe
4884	Lpcmec32.exe
228	Lcbiao32.exe
4180	Lkiqbl32.exe
1400	Laciofpa.exe
3312	Ldaeka32.exe
4840	Lklnhlfb.exe
3992	Lnjjdgee.exe
4352	Lphfpbdi.exe
5060	Lcgblncm.exe
2252	Mjqjih32.exe
4476	Mdfofakp.exe
1980	Mkpgck32.exe
3780	Mpmokb32.exe
3704	Mgghhlhq.exe
3708	Mamleegg.exe
3024	Mpolqa32.exe
1312	Mcnhmm32.exe
1696	Mjhqjg32.exe
920	Mglack32.exe
4512	Mjjmog32.exe
4724	Maaepd32.exe
3540	Mcbahlip.exe
3412	Nnhfee32.exe
1920	Nqfbaq32.exe
3772	Ngpjnkpf.exe
1692	Njogjfoj.exe
4684	Nafokcol.exe
320	Nddkgonp.exe
2040	Ngcgcjnc.exe
2136	Njacpf32.exe
4276	Nbhkac32.exe
2056	Ndghmo32.exe
2008	Nkqpjidj.exe
4668	Ncldnkae.exe
4844	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
112	4844	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4580	2732	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe	85
PID 2732 wrote to memory of 4580	2732	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe	85
PID 2732 wrote to memory of 4580	2732	03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe	85
PID 4580 wrote to memory of 4584	4580	Lkdggmlj.exe	86
PID 4580 wrote to memory of 4584	4580	Lkdggmlj.exe	86
PID 4580 wrote to memory of 4584	4580	Lkdggmlj.exe	86
PID 4584 wrote to memory of 1900	4584	Lmccchkn.exe	87
PID 4584 wrote to memory of 1900	4584	Lmccchkn.exe	87
PID 4584 wrote to memory of 1900	4584	Lmccchkn.exe	87
PID 1900 wrote to memory of 2640	1900	Ldmlpbbj.exe	88
PID 1900 wrote to memory of 2640	1900	Ldmlpbbj.exe	88
PID 1900 wrote to memory of 2640	1900	Ldmlpbbj.exe	88
PID 2640 wrote to memory of 2900	2640	Lgkhlnbn.exe	89
PID 2640 wrote to memory of 2900	2640	Lgkhlnbn.exe	89
PID 2640 wrote to memory of 2900	2640	Lgkhlnbn.exe	89
PID 2900 wrote to memory of 4884	2900	Lijdhiaa.exe	90
PID 2900 wrote to memory of 4884	2900	Lijdhiaa.exe	90
PID 2900 wrote to memory of 4884	2900	Lijdhiaa.exe	90
PID 4884 wrote to memory of 228	4884	Lpcmec32.exe	91
PID 4884 wrote to memory of 228	4884	Lpcmec32.exe	91
PID 4884 wrote to memory of 228	4884	Lpcmec32.exe	91
PID 228 wrote to memory of 4180	228	Lcbiao32.exe	92
PID 228 wrote to memory of 4180	228	Lcbiao32.exe	92
PID 228 wrote to memory of 4180	228	Lcbiao32.exe	92
PID 4180 wrote to memory of 1400	4180	Lkiqbl32.exe	93
PID 4180 wrote to memory of 1400	4180	Lkiqbl32.exe	93
PID 4180 wrote to memory of 1400	4180	Lkiqbl32.exe	93
PID 1400 wrote to memory of 3312	1400	Laciofpa.exe	94
PID 1400 wrote to memory of 3312	1400	Laciofpa.exe	94
PID 1400 wrote to memory of 3312	1400	Laciofpa.exe	94
PID 3312 wrote to memory of 4840	3312	Ldaeka32.exe	95
PID 3312 wrote to memory of 4840	3312	Ldaeka32.exe	95
PID 3312 wrote to memory of 4840	3312	Ldaeka32.exe	95
PID 4840 wrote to memory of 3992	4840	Lklnhlfb.exe	96
PID 4840 wrote to memory of 3992	4840	Lklnhlfb.exe	96
PID 4840 wrote to memory of 3992	4840	Lklnhlfb.exe	96
PID 3992 wrote to memory of 4352	3992	Lnjjdgee.exe	97
PID 3992 wrote to memory of 4352	3992	Lnjjdgee.exe	97
PID 3992 wrote to memory of 4352	3992	Lnjjdgee.exe	97
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 5060 wrote to memory of 2252	5060	Lcgblncm.exe	99
PID 5060 wrote to memory of 2252	5060	Lcgblncm.exe	99
PID 5060 wrote to memory of 2252	5060	Lcgblncm.exe	99
PID 2252 wrote to memory of 4476	2252	Mjqjih32.exe	100
PID 2252 wrote to memory of 4476	2252	Mjqjih32.exe	100
PID 2252 wrote to memory of 4476	2252	Mjqjih32.exe	100
PID 4476 wrote to memory of 1980	4476	Mdfofakp.exe	101
PID 4476 wrote to memory of 1980	4476	Mdfofakp.exe	101
PID 4476 wrote to memory of 1980	4476	Mdfofakp.exe	101
PID 1980 wrote to memory of 3780	1980	Mkpgck32.exe	102
PID 1980 wrote to memory of 3780	1980	Mkpgck32.exe	102
PID 1980 wrote to memory of 3780	1980	Mkpgck32.exe	102
PID 3780 wrote to memory of 3704	3780	Mpmokb32.exe	103
PID 3780 wrote to memory of 3704	3780	Mpmokb32.exe	103
PID 3780 wrote to memory of 3704	3780	Mpmokb32.exe	103
PID 3704 wrote to memory of 3708	3704	Mgghhlhq.exe	104
PID 3704 wrote to memory of 3708	3704	Mgghhlhq.exe	104
PID 3704 wrote to memory of 3708	3704	Mgghhlhq.exe	104
PID 3708 wrote to memory of 3024	3708	Mamleegg.exe	105
PID 3708 wrote to memory of 3024	3708	Mamleegg.exe	105
PID 3708 wrote to memory of 3024	3708	Mamleegg.exe	105
PID 3024 wrote to memory of 1312	3024	Mpolqa32.exe	106

C:\Users\Admin\AppData\Local\Temp\03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe
"C:\Users\Admin\AppData\Local\Temp\03014bccc661136400ec276e211f7395c51463c825fb7f3dead1a5b95ca84fc4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\Lmccchkn.exe
    C:\Windows\system32\Lmccchkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        41⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 232
        42⤵
        Program crash
        
        PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4844 -ip 4844
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
128KB

MD5
bd6b9680c737e965305ccab4b1df9e81

SHA1
cd4f3fccfcd2d8486be3d17e79dffcb74c75895d

SHA256
0f97deef07c2cfab5134086230623fb2f36395f8bda3a252f701ad2e57dce906

SHA512
2ab0734f7443bb4ac06f2b4bf61a799942abf63fab00cede7471d43f5a1c5f83c4015dfaf3197fb917147d0ab07344dc152e73a477a9089e69bcec0cc3aee6c9

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
128KB

MD5
85cb12ccd11d3abc2520c8568217977e

SHA1
105613bea3a269602d44f665c3d3bdde4f0405a4

SHA256
c7a96e404490e240e03c77abe3e9b6e464b996a4dd8833c3eac9e24e18b5ad95

SHA512
da89b8a2f1d62495b80e25716aa0907040660c4fc68341ef3b59eda6743f2b1e31fc8cf38a99de2e87017b15b91b2a34e93a7b2b1903ca4866f235cf6a1add4a

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
128KB

MD5
4c1ef4dc7dc7e13969376d24f1a04f75

SHA1
eb8824bb3abb87bd90c6647f65e22973d1903693

SHA256
d9ef8b955953d6e137e7dc8d4f2b15366e1365213ce821bc966f77dddef49266

SHA512
117749275b42ba680be178e96dd1fa6c100406cbe06cd55265a327a6badfddaa5423a0d97efcd55f414bdce289bb3ba7fb08a97c69dc65ac77ef284b866b037f

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
128KB

MD5
d49deecad5750454db4966fd017393b1

SHA1
c0152e92fd15559ef55a003b3472fbb68d90bc77

SHA256
600aa8c7e31dc840d55219c105f57700895fe8cd771074e3a73fc10c0b32711f

SHA512
d62bbd384777fbb289ccd9d15e40803409e720c0fe20d4d2ec72d8028233764507dd0f914b5cce57d23ec224cde1d98b25a28298887d57628ca6e4eee1ba4a06

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
128KB

MD5
2dac618fd9b309880c186173bdcc0826

SHA1
b58e23c81ab9a0906a3a5d06d7a5e778d5fc93f6

SHA256
d930fdd4d2b8a0d6abb4225da359046b9332e1cacef9aa8ee346c3dbb2d85425

SHA512
026b215c93142947a4b7b079280aca7ebedce1399a15613497054c8ff79d825da53fb111bda36239e6659d341bd273dd3fb5dfd06aaa97244980cfd7950b4309

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
128KB

MD5
6f8039172d0fb5be564ca2a02913c7ff

SHA1
07755d62debbe3d39819cc1ead09efb665b9a5e1

SHA256
c8fba3fefffebeb0fa2b792bcf9cc88036c039a14e0a5e8905735b98e03c06dd

SHA512
0a28d146a0aa7ae01d328e66cebc967166851b27e13202c25067d9404952e90a7b21643ed6ef4757553aaff76a6c7a68cc2cea40d9d1d0c7593d93499dad6ba7

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
128KB

MD5
98b573218d756617743b05e697105a9b

SHA1
df7eac4ed4f61d7045f3d29e1f84b60f6726a599

SHA256
64b3da26d8061b7d9a467f4114c2634e40be0f3aa8f54129c2b7432938b1cfd8

SHA512
854a6a618ab28ff4407330eb32c8c3d832379e26187a68cd2888ae3f88a9e1a3d015ee3b5fa3a1221935978b3fae1b757aaf8751b177f5fd31a3a80bf92c3d1b

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
128KB

MD5
0176136be8029bd3fe782c4de54c8b2a

SHA1
c51533c31111accd2823eafa1106c437500846f0

SHA256
b59dfa8eea8969d8369eaaea517dd81edebf6d33a31589cd99e15bfc61a7d5ac

SHA512
175fc6b2acc810b1daf6b76ad6944107d592657efce20ffb02359f2844add497be3bb9dab0e75858df632f555a5f775a93e933d583080f6a274398daabc7404a

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
128KB

MD5
a6124d819f20501c527503a0ab5523cb

SHA1
31e0f634a416c0a5fa5439145abb1451d082208d

SHA256
4954abaa3d2f665569a72320c09b82d6bea7014fab74ca9b9a805bcf585593b4

SHA512
76b86dafab165106a203c09e297305328b81af6b9e2276ace9488c1c4094c34b01d2b5bebfdae1d720f7a29b16bd512bbac2815f4f202cda2e67f8fb0c546cb0

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
128KB

MD5
399a07bd8a80f15e281c30e32e5bca45

SHA1
a40195ac4aad8cfd3a3bb6c4a483ac7c35f40ae9

SHA256
c45aeba5c0a459ce91d753869de2c30c9a51fedd24a020dd998149cbca561a45

SHA512
144b12b07dbc4d03f168a2ca6aae4108585ebeca7501f81a4ffd3621db287d31934aad8a6834559d7f7eb03cbacc2263baffa254c65b83cfe775b2c184262ad2

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
128KB

MD5
4aff3c9d58c3ccdbe279f66cb915a8a0

SHA1
ee3829eb07739040e8a1e3f83f3e1133818e9581

SHA256
c8bc2f0762b6a4faaf9dcd44c3d46f55430b9984bd838b7cd023232043913bc4

SHA512
3653bc89187b58d0f37ee3fd0ddc6fb0c3ef7d168e9b4a9f48368f50b045726f761fb20e04fc0b987ba3d1f637dd468d0667e9a40f8fa9aed1ccadcff67c3afe

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
128KB

MD5
7f0eb7debbdf2adca1d01197ba368c56

SHA1
04fbad0174fd1f0dd427b0aa68f7b053f2b6450b

SHA256
5388913f75e3eb1274bf47b69eccd83531a462bb8bb3e722e58f113f8edec65d

SHA512
e180a4666852accc6588f5fe3248ab4fc0a6c5408bfdf4729d0acdffaf80e9750881d88bdae1e1e9d4c9934b42256cbd0014e28752ac22950451f16ba6873170

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
128KB

MD5
3383957eee1fa3986598e13f710f25e1

SHA1
cd06c22fa47e99fba7d0f9dd375c1c0664a9d287

SHA256
aa91104a092c065cd6a306d029bbf9f98eb4f4918de6c65ec8b1b56366ab739d

SHA512
83e0ee1eaab09f57bd338b7d30af8eb8b1038a66805ac3618c2818cb0eaaa283a609c09780244653e10f8672f598b23c896e4a351f054372a4a85b7086ca4b14

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
128KB

MD5
40ac3de9a44373bb9925321a5063c0f2

SHA1
11821a5364e7701d28f6977d6cef53898f42051c

SHA256
d2141196f8239dba062efb25fdeb8b4d51179acae0893bc1c53703b33d4bd8fb

SHA512
1dc542d1f64cb7a38fdba76770a3e3ee8b0095d3fa03421f22601ab487c47226f005b0c1c177adc355e70076f371ea25ac45c4465e2f8d68244971d686e18624

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
128KB

MD5
5181b95af51ae3db23b5b61a73c0cd54

SHA1
8394ff089a09499bdb9a0a01fb857ddcab73df24

SHA256
43cefa06cf040fb207466cf325877ef80d9f0a4179b247e096ccc8631144645c

SHA512
b730e79b61c11a68d43a8b8572f76f3a3209dc6ec03e303e259b0d6ec1593450d9effe905fa3e6aff81a9231d5e00959cff0159a5f81558ed7cce5543b2a9969

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
128KB

MD5
bf123b3ea342ad0d6d22cd114e0c92e3

SHA1
c3f2de5177bb5ff1641d2ab4dad613c7ddb2687c

SHA256
b6676310b7ecffbd4c173473e290a6cb917ae7889d15638b8081ff9685b72c0d

SHA512
f33ac2fce871ef3232555fabff2b99e8b45f7f29dc694c46f8ae3b8aed845dc112f644c9d569d6a4bce26b11fa8af55a232c9f13da02b83c1ce44fca7fbcd67e

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
128KB

MD5
e3a1177e70d6aa88f8c6049da1c642af

SHA1
6a00c64666e0c01960a31db234b144d5870f9fae

SHA256
aee8e63313f2a24eb8de40f1a2fbea48e2e19b38493060fba61309950b98121e

SHA512
6e156adcf880a9d3ea2786fbeba2b757fe40cd719c8bc2bc9e5af8d34871a05e0011fec027d74c5d06816c6105b4318f1ae98a324edd05679130a4979b88c332

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
128KB

MD5
5de5f9dc6ee70d57e483a284ed107b6b

SHA1
96d8f0c48ac4829611fdf4829c89b3eeb4e0814d

SHA256
a499aac3fbd5460e86f4427cf03513e7af39ac3f65210b78b14b08211843b344

SHA512
6555244cbc28c02772078ab92315a1d696f2d33b11d29fd3ae7c2329129fc672bebdde7622a72ceb8d14c2fbeacba1bd4943b7e91f97c2216d2600a7e1a91604

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
128KB

MD5
c9f11166e11b76a72336ced42160e47f

SHA1
c736b6b3f5d8dc6929c786490facd004755c11fb

SHA256
ca9b4db6ec38930a468f6a1043128c4d899fb09a0cf1edde29126de20b2fa77a

SHA512
e8aa16438e3b5f6472bd993fe5ab8baa9d9dd1db41bb82403a01f181e71bfe7aa3286d537cfedaf34e2867bb920b1c2b8173b2906c90bf98ae878e9474b54083

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
128KB

MD5
2b9fb988bc152aff6c1a9ef53d755793

SHA1
df429c260af45e360228e1d175729088514c4d20

SHA256
f3efb07dc3733245408ed98026a7c3c3a265b8dac477358e4c1b13edb8280faa

SHA512
a2fcb64f217b9de4d05b89faee24ba9a863bebf4da3074ded1ba14fe6e88cc423c2bd41f98732da43459b6ffed6ce6459be220224b71fa24a558085534a275cc

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
128KB

MD5
9fc1f56cc868763899723a6f7f84ab12

SHA1
74e6b5e108e1eb6c0f249fc99afd708eaf7db543

SHA256
c003fa50083ad7cc8eea77963bd7c1564f0d3442311be48e478bfc503211523c

SHA512
76ab97cd613769deefe5d14885935be89cd4b75cdbaacdf2553a572e63e5689612422b4bd2365c500d52fb0104290f0e5f285705872dfc318c2f1222c8111a7c

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
128KB

MD5
20320dd34ffc33d7c17c2ce3248c5949

SHA1
318cbbd460b27a8ac3ce1910040d445e499cb260

SHA256
681b9d30aa45b5c554cc6f0a95285971357f4115e0dcc7cdc01f08792b45f94b

SHA512
e221d6b85e855fae15f2763e2653ef29e6cfa85722fa563fb5c571ae847ecef7308c8e913b5182f0a31a9c49d27ea18a27ca98500297af013786f89f7a2c07e9

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
ec7e51fc38b7a278ff10193461153e02

SHA1
f9f8034200aec27b1c915826f04cdb84153fc039

SHA256
b991578b20f251fd69896941cb2ab40d3b7d1c82c08e2828731a83de4952e11b

SHA512
b1991e20a24f58630487fa3efe3eb688be8be3febeb7612d9f5a22b74707440f9929f36c845ac605b6057d18df7106de94f49407f39908c0fa4a2623f7b5be9f

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
128KB

MD5
17c265c9ed25ee869becb6e33092720f

SHA1
b67a06b32bb15f752437fa5f875fda08467a128c

SHA256
34cfc3eb7cda4e15c20039ee1450a1a8902ea96a8ae7613debaeea7e459defda

SHA512
00f3562cfeaee2faf70ac05082c328af397736c5fe48d3218325028db3566a9b2c75d79bd293f5965b3b47631a76a74390351fc5fb448860dd551312760e9ca8

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
128KB

MD5
feabf29ff8eb166128eb88c632145382

SHA1
2ce3a3eae2d1e03777677dd8522c5684734593fb

SHA256
32859d729a1030888b01a5cfb4b72d1668ff24dad69a3c04168b29604f760745

SHA512
4c3c7296e9bb12178bf85f38e36d5db0ca8abe2a1625630ec1458ffeca92b99c83107d170295919cbd8820ef2438f25ed47a513e211e7102551490b735e13769

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
128KB

MD5
f561ef150e4997dd3e02559f03df1f46

SHA1
14d49cf183f9d366acca4de00a75c43c44717cf2

SHA256
e0899fb6fdf9dfe05d24bebeadc6153c4d120b9f19d350e93fd95a66b542c0bb

SHA512
e1e9f6aa38cfb10da86649fd9b5cfd6fe37157f14195a3739f987ca6c3865893b5db8c14118782fb3267b4d4a2c35254e9db68feddbf5d0fa7aca89dc4027034

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
015eaf17015021ee28949c60aa582634

SHA1
42037bf181343e207b665b20a857cfee11492014

SHA256
d9481138e46b0ea31b1a5ef72e9c228f681bb5820321b8ae9f52693afada66e0

SHA512
cadaec89c4d095d9e13cd46ba26235f856ceea581fdef37332ba1b8ae21a05f1bcc7c2523220f79632cf8b9ef2b31b9909405426312b4ea40e565b13e22e162d

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
128KB

MD5
c1d2fc69549e62df265fc9419b88fc9f

SHA1
ff0870d36972c4b8405b74c2614ddad56080c7c9

SHA256
9c27de07c9b55e9f7961e58dda3875ce737bccc88f79ad37c417cd20507da006

SHA512
fbace58d8641aa74373c542363206a8bb0da9c687f810d890040922156ab9b347bf9ff55dfe2e47270e7bd752cba2faa98294476645f20a514ef59ee99468b9b

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
128KB

MD5
b6459e4f95b4b5d0fb065a659b87902b

SHA1
c3661e3b18fa7ae67b91ca0c4f1eb9cdf0d4d77a

SHA256
8ecd08e9a97204901b2178de0df71846fbf9a2dcdb5cc0bc984893221346f95c

SHA512
8da16837c83e04c7fbfe57744f5d496667c5966f1a942641333a1dfed91768c436099a50af358c96aad02bfbd88686813c1fc9273f7b8d5b2331986ca676c6d4

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
128KB

MD5
a7bbd68110a013bf4a889b09f6dea63a

SHA1
76304f4dfcfde19bfec6c684982d323fac8ca308

SHA256
5b4bf9c4280ca6215626b69078deb53cd25996a2409b4834f459ef604ecf97ab

SHA512
42854fed8394e76cbe9fe43e463ea55e7b774b0e7fce852dfa1c87274e189ff28834010d4916a515dacc6ee4fd2d4768ae2170ca0d237674d4909de923622476

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
128KB

MD5
730e207fe62075fb18cc3a918b98c55c

SHA1
fda122efe359d8a6c9612419bc01e8ce610b00eb

SHA256
7ff32859042245af90f63bed24c15b7978c5c492b23d0ddc3cd85c1f4fd0546f

SHA512
25bc55f27012e9ed1914516b85791ffc70ca039ac35834897aedafbb2da75684db66e9ff221cec070cec5506ad63ebfe0bcd8abf7accd6a5f7f2c5fa5fc3fdbb

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
9aebcc447221a335db044108786ae2e0

SHA1
e08cb34e0af3f41e042b15b1b363a04bc0c772e4

SHA256
46b9a5c25bdea1dd8df2ba2d6d089912f4759951f6dd8e57db194b52e7a4c95b

SHA512
d4f1112dc08c5b06cba7c2b40d51ca81f496e740c941f15cb761d93e706c9204baffa0d76cea35c292b106b14cae0f301db440c0721361b6307d6f87cc2760a4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
128KB

MD5
d676ee0cb85f1b10c8bc8f6001dc0a6e

SHA1
59ba2718124d6a958e983753dcce7910a28d6926

SHA256
6b6821a689007d896e2c822b4cbc734488d4fdfdd773c4f51f732e3e7ed1b9ca

SHA512
bf7a6d57aeb730845e780d87a5496935bbdaeb7c625dea90e4ff257994b9358423e37aeb04d57a4503238fde3c925aa08e6ee601a9d2d79a80e8c1166a8a7e23

Download Submit
C:\Windows\SysWOW64\Ogijli32.dll

Filesize
7KB

MD5
780777300e335caab3238cd4e8189a83

SHA1
4f000b716534799fb337bdd1c33381f470548650

SHA256
0acfbb10a9db522421a2d1014699de6fc9d427f80f2ee2be5e3443ed29ba9a49

SHA512
679ff209748243dd0c82d8de568118f7a0c2c8e6aa3acf6c54d206cc3c6e5898f1ff901cbe1323114e4c8941c608b4f0115d1366fb312cdb078d446ffc3aac61

Download Submit
memory/228-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads