85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 00:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
Size

63KB
MD5

16cccf9f318fdb106064e824d59682d9
SHA1

a217f9dc24d765578e818c817679e170ce1fc5a1
SHA256

85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91
SHA512

5b6e4ab70fa1a1fe4f2731fe037a003f57914b71bef1198ddfa87654c434bdc91102f2b09c5ea3c8c8af8036eef9f3c022b868870796f804e640074331f8716c
SSDEEP

768:TrYFH5CqOqtiKFG0xdc/PFowaRm1hAmKGNxZaGOF6rWR77YGDVNKngQu/1H5knX4:/YbCqOeiKoGOPFoRGN85bPS9H1juIZo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe

Executes dropped EXE 49 IoCs

pid	Process
3828	Kckbqpnj.exe
2360	Kkbkamnl.exe
2552	Liekmj32.exe
1184	Lalcng32.exe
3032	Ldkojb32.exe
1128	Lgikfn32.exe
3268	Liggbi32.exe
4004	Ldmlpbbj.exe
4000	Lkgdml32.exe
5012	Laalifad.exe
3636	Lcbiao32.exe
1344	Lilanioo.exe
5052	Lpfijcfl.exe
4480	Lcdegnep.exe
3216	Lklnhlfb.exe
4948	Laefdf32.exe
4392	Lddbqa32.exe
1844	Lknjmkdo.exe
376	Mnlfigcc.exe
4452	Mpkbebbf.exe
708	Mgekbljc.exe
1308	Mnocof32.exe
4252	Mpmokb32.exe
1648	Mgghhlhq.exe
3852	Mnapdf32.exe
3416	Mpolqa32.exe
2888	Mkepnjng.exe
2952	Mncmjfmk.exe
384	Mdmegp32.exe
1680	Mkgmcjld.exe
4316	Maaepd32.exe
4620	Mcbahlip.exe
996	Njljefql.exe
4632	Nacbfdao.exe
4584	Nqfbaq32.exe
4160	Ngpjnkpf.exe
5076	Nklfoi32.exe
2652	Nnjbke32.exe
4684	Nqiogp32.exe
2756	Ncgkcl32.exe
4376	Nkncdifl.exe
1028	Nnmopdep.exe
4816	Nbhkac32.exe
4476	Ndghmo32.exe
872	Ncihikcg.exe
1924	Njcpee32.exe
1160	Nbkhfc32.exe
4836	Ndidbn32.exe
5100	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	5100	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3828	4116	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe	82
PID 4116 wrote to memory of 3828	4116	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe	82
PID 4116 wrote to memory of 3828	4116	85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe	82
PID 3828 wrote to memory of 2360	3828	Kckbqpnj.exe	83
PID 3828 wrote to memory of 2360	3828	Kckbqpnj.exe	83
PID 3828 wrote to memory of 2360	3828	Kckbqpnj.exe	83
PID 2360 wrote to memory of 2552	2360	Kkbkamnl.exe	84
PID 2360 wrote to memory of 2552	2360	Kkbkamnl.exe	84
PID 2360 wrote to memory of 2552	2360	Kkbkamnl.exe	84
PID 2552 wrote to memory of 1184	2552	Liekmj32.exe	85
PID 2552 wrote to memory of 1184	2552	Liekmj32.exe	85
PID 2552 wrote to memory of 1184	2552	Liekmj32.exe	85
PID 1184 wrote to memory of 3032	1184	Lalcng32.exe	86
PID 1184 wrote to memory of 3032	1184	Lalcng32.exe	86
PID 1184 wrote to memory of 3032	1184	Lalcng32.exe	86
PID 3032 wrote to memory of 1128	3032	Ldkojb32.exe	87
PID 3032 wrote to memory of 1128	3032	Ldkojb32.exe	87
PID 3032 wrote to memory of 1128	3032	Ldkojb32.exe	87
PID 1128 wrote to memory of 3268	1128	Lgikfn32.exe	88
PID 1128 wrote to memory of 3268	1128	Lgikfn32.exe	88
PID 1128 wrote to memory of 3268	1128	Lgikfn32.exe	88
PID 3268 wrote to memory of 4004	3268	Liggbi32.exe	89
PID 3268 wrote to memory of 4004	3268	Liggbi32.exe	89
PID 3268 wrote to memory of 4004	3268	Liggbi32.exe	89
PID 4004 wrote to memory of 4000	4004	Ldmlpbbj.exe	90
PID 4004 wrote to memory of 4000	4004	Ldmlpbbj.exe	90
PID 4004 wrote to memory of 4000	4004	Ldmlpbbj.exe	90
PID 4000 wrote to memory of 5012	4000	Lkgdml32.exe	91
PID 4000 wrote to memory of 5012	4000	Lkgdml32.exe	91
PID 4000 wrote to memory of 5012	4000	Lkgdml32.exe	91
PID 5012 wrote to memory of 3636	5012	Laalifad.exe	92
PID 5012 wrote to memory of 3636	5012	Laalifad.exe	92
PID 5012 wrote to memory of 3636	5012	Laalifad.exe	92
PID 3636 wrote to memory of 1344	3636	Lcbiao32.exe	93
PID 3636 wrote to memory of 1344	3636	Lcbiao32.exe	93
PID 3636 wrote to memory of 1344	3636	Lcbiao32.exe	93
PID 1344 wrote to memory of 5052	1344	Lilanioo.exe	94
PID 1344 wrote to memory of 5052	1344	Lilanioo.exe	94
PID 1344 wrote to memory of 5052	1344	Lilanioo.exe	94
PID 5052 wrote to memory of 4480	5052	Lpfijcfl.exe	95
PID 5052 wrote to memory of 4480	5052	Lpfijcfl.exe	95
PID 5052 wrote to memory of 4480	5052	Lpfijcfl.exe	95
PID 4480 wrote to memory of 3216	4480	Lcdegnep.exe	96
PID 4480 wrote to memory of 3216	4480	Lcdegnep.exe	96
PID 4480 wrote to memory of 3216	4480	Lcdegnep.exe	96
PID 3216 wrote to memory of 4948	3216	Lklnhlfb.exe	97
PID 3216 wrote to memory of 4948	3216	Lklnhlfb.exe	97
PID 3216 wrote to memory of 4948	3216	Lklnhlfb.exe	97
PID 4948 wrote to memory of 4392	4948	Laefdf32.exe	98
PID 4948 wrote to memory of 4392	4948	Laefdf32.exe	98
PID 4948 wrote to memory of 4392	4948	Laefdf32.exe	98
PID 4392 wrote to memory of 1844	4392	Lddbqa32.exe	99
PID 4392 wrote to memory of 1844	4392	Lddbqa32.exe	99
PID 4392 wrote to memory of 1844	4392	Lddbqa32.exe	99
PID 1844 wrote to memory of 376	1844	Lknjmkdo.exe	100
PID 1844 wrote to memory of 376	1844	Lknjmkdo.exe	100
PID 1844 wrote to memory of 376	1844	Lknjmkdo.exe	100
PID 376 wrote to memory of 4452	376	Mnlfigcc.exe	101
PID 376 wrote to memory of 4452	376	Mnlfigcc.exe	101
PID 376 wrote to memory of 4452	376	Mnlfigcc.exe	101
PID 4452 wrote to memory of 708	4452	Mpkbebbf.exe	102
PID 4452 wrote to memory of 708	4452	Mpkbebbf.exe	102
PID 4452 wrote to memory of 708	4452	Mpkbebbf.exe	102
PID 708 wrote to memory of 1308	708	Mgekbljc.exe	104

C:\Users\Admin\AppData\Local\Temp\85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe
"C:\Users\Admin\AppData\Local\Temp\85a18168ba4734ac6f4833224076ce076eb5c4751b7f6c2b58fc953e2427ba91.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Kckbqpnj.exe
  C:\Windows\system32\Kckbqpnj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Kkbkamnl.exe
    C:\Windows\system32\Kkbkamnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Liekmj32.exe
      C:\Windows\system32\Liekmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        50⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 432
        51⤵
        Program crash
        
        PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
63KB

MD5
3f12e71442c20adadebc99ac29218bd4

SHA1
ab271db062a378e469995bfd0ba747da7d2d3b97

SHA256
33ff0220216435d4907fca984e04b30801dc8d22927f211c74295e9aa1e7cfb2

SHA512
867820d7d606080db1b4cc32432b2bd235800dc66331f08bd60ab55a0545f784c23cfd0c8c19f03b95a64fd04cd8fb4e290f4006586958ae7191b6e34906bf5c

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
63KB

MD5
fe43778fd4855ce9489e161cb2f89bac

SHA1
a0f7256404e6371f46ca16991fb71b5e350cf405

SHA256
e75286098edfbfacebedb8d64de05f6883bc6e84102d346c5277023126d7bf81

SHA512
8daa56cd785d5e48a4525c69bd5123155284b46a40bdac50ad73f2d02280a0cab7138db6739809ca610c0116e50a50594e3e6972f153788ff438a668f5aee95d

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
63KB

MD5
b3c496e5a7f8cf607779af5ee33ced56

SHA1
dd0da841a4a856a66f1c379ceb96ef86f5e1759b

SHA256
d675e53e343e9b36ce1bad6d034f61e422f9bb7f7a7a9de4e20e878d5d13e966

SHA512
552852be0d0ab6be21a3d21b0e16b2b20daf282e4de0ba4fe4e5ca71f2ea2f3a8baea6e485546ecd50f46cd1124b2b66a9cd57da1ff88a608a84f03e61144ede

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
63KB

MD5
97ea33f55469e21296b4a79ae9e24c74

SHA1
5e5973e0089828d87bc76cb0031a87cc4c4d9191

SHA256
afdfc9307e4bb83721c95dc7ea10cd45d671f215795e7c28c24d7163f7bf0539

SHA512
917dbc2adc01afa55eb3093f40925cf72a75e46a272a5a6ebdb730903f61efe6017f40a64bb640fe730273000ef9058e62b5e75e7abdfb11bfbf2ebe1ee4e421

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
63KB

MD5
b8b055165294c993492e236031b1e7bb

SHA1
1f68bc11a028dafdaacafc498326b69e0a486760

SHA256
a54412822975cc45b7d6c957b46c77bc394e0b183a7b387197b980f7f574ed40

SHA512
cc0192dabe2efb7ca590db822a2bfc13674a2369a4fc336fa4ff5e7ab2f7a64e790195b185b496302f4eea2c2a89244295538f06ee79af4cadcb58a7eb2be2bc

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
63KB

MD5
6be740da0ee59a8de18a14528c076540

SHA1
16ba1fa2e1f2f53ea40b8df7ae0515528b82253f

SHA256
fbf5be8a4c680c8b902077641cb09c802475752ba8a902d91a6c61bc1c4abf2c

SHA512
7cfc3b4f1acd6b201054602e244f26ba2fce5336c3ee57a8bae80e0e5e72820ab143972e51eb49ae3f0820f7619d17d92c3a2e5507ff2ad6c5b528e13cf1684b

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
63KB

MD5
ad90b3bd16b94ccf004170d69558cddb

SHA1
52d079b1d7261e25df43c50c75937dd2dd3ce09a

SHA256
429a8ddf23e099abd3b2c4edc8690c9780bdddc4c6cba3d314e607834e8302aa

SHA512
4e2bb6610373d6803c4d4fccff45f89b43091589271f1d319e79a40f867612eac04635161faedc3045094bac4378839e20be1063d0492b0f2d083f2b3fc7b943

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
63KB

MD5
d3973e080958749ae7e0bf2d1321daec

SHA1
d7a29350dc01294b91aefb19e523a0b852b1090e

SHA256
052e989360b81104ce1338caee04c5c4a75834185269dddebcf33c020fe608af

SHA512
05fcae7316f0444d1a139368bad0523a15dbf8203981153a7686e9d81210ffd375e39305ad1117b6850c150c347e3ce7b241259d8afe3442c893e1e24d758a33

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
63KB

MD5
6fbd39da8878ad4d8999d10fc2b4b24b

SHA1
f3154d56ba6133e5d1fa53f99fde2cf5f10a296f

SHA256
b78a112f9f60de97b8b651be7c38e7fe7e46a9767b6c784cd4fab7528414ce12

SHA512
87dfa3e2f757f811fb99077b5456382db844457a0f38d46ca9fd2fb21b0caeed26729e404a171bebcf104075f10274ca4f57ef9b5a108f60c268ccb584cea69e

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
63KB

MD5
4ce69f3d5ba1f9fd8e48f94944aa5096

SHA1
6e64cbceafd377674f043403635b400f610f65ac

SHA256
ebbedfec5cdd94a3151fe5dd86057312542615345a80694864d526c94b8fd274

SHA512
cd4475dc497d1e27cf72579acd364e523ec836f1e17c21ab3081cd0c5afd0a80af3f661050aaeb617bed8ec706005cc204170542fedd5aa2188a72a9464e4269

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
63KB

MD5
dc06b1f6a775b6d061645c59fb7f511f

SHA1
f4d269a68dfb1e2b83345e86723960fdd6125928

SHA256
834670e930bc459b14da5a5c5e041f25b520350c64b3116ed7b5fc276aa032a1

SHA512
222e080a8eefc685139e832f22c9291453b50cd65fab7b5c7940c17c1a052467e7f676b849b0e28b8fbd1f36cddf6d069b2d63848d1d5f8063f864a51ea009a1

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
63KB

MD5
e1aa728b3f74203578862aca329ff3a3

SHA1
bcbcf1e17dd8adc9431606b0ed8c42055e18ebb0

SHA256
3961da6e5cca32d112e8ccdf141e37de2940919519b11b221d248f55e0888889

SHA512
81e9f5b0a87a944180fb55b3b050fb9abf79f4dca55747ec0eb271843d9607f58f70a9472a4054bb4871362032cdafdd6f3f3e2ed2bba760b84fafcc96eb9582

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
63KB

MD5
aaab023f0e82bf8429244fc7c000a477

SHA1
19d21d3cfa3a3cfea8b6e150bd3a7c56d5aa8750

SHA256
09714bcefa13366bf1be7038fba5f84a1baac44c08bb4f0e6a3a1b3522a070f3

SHA512
3fc0b6b319f46eddda1baa8fbc7d32f8190ca6044fd840cbd72f184dcc7d7fd7eb9d5afbf8b68cd2148e4ec8a85c7abf1b21fbf4378cd0f505d25c915f9f0258

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
63KB

MD5
621aa918ec781542bde88dfd27e90f0c

SHA1
a4af66c654ac1c86660352b83529038032abc1e5

SHA256
18f74b8994658cc0cc9221fae8a6f645bf7707d40f201c762bb5b0ef2d3cbd1f

SHA512
f22b0e472d67ff68efe36df66d7378d758dc03bb0a0d7fa45d48eb699df7fc52c2282141179dab48373105019f1cc2a8bc12d4164f669e1e96394c2177e48066

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
63KB

MD5
85fc9ccc105c9f2dd06e331d1d82bc5f

SHA1
156d7e5cc84023fc24bcbe9fb15b86b11feb99f2

SHA256
8600cc641cce005d667d571abbf45f54160ed98369a18abcf4f4e768df399920

SHA512
9204cfc90688aa120c38fc4d02739b0e533ec49b7955b3b473239772b2248541cb50056980d29ebf1702063a6f3e4fff90d6105480e8d0d53e5b1eda3f06f746

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
63KB

MD5
8c174f34b59a45a2ab44173039d7cc47

SHA1
fa864031c15bb383c611e01c3c7d095285bd182a

SHA256
21e977bb0df9500bcf300813c53fdb78a12b886d2e77fcc25a4267641db6bb89

SHA512
c545c477caffa1a361a14800aefd3b6acc17d7e24ddb02f01e678baf43942b858450bd7f0a399df026bd805b9b91e4513b1d709a2e0a413af23227388322e2bc

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
63KB

MD5
810389e972567b4dd804bd2dced6ae2d

SHA1
5a82deb8b58b040671851a4ce9a2c74b4cc33420

SHA256
d942d845ed2c39a4fd4e95a5c336a37ee5f699ffa079d4727f5978ab2754e0a9

SHA512
7d2576421d4d284b5dde7b08cff6395e7952ae6af9ce2afec3d5ae6cb6e1d891a1fcb209835bb5ea1005d3a052a7e2cd759c2d18a507e491ae8c20efaa7fe026

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
63KB

MD5
12bdd8e3ad8673b6741e3c1c2695124c

SHA1
3e9b7502fb18e0806510e7146e63f95a82701378

SHA256
6e634dd3aade3a86cd1b785bdc340e624ceb7ee322c6ed14ae2dac02011baabe

SHA512
7135a95fd230a1a074a54bca1488b878d883000889e058f3e1bf4b19c74a99c59a2d2a9027f2c8899391b0290f5fcf11cf3212c738e22f43406d1b366d7f525e

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
63KB

MD5
db347029ad2234da6ccbe3c2f3662c64

SHA1
52a9ae48e6c279635538e2e0933ee3f9e0fd2b96

SHA256
7ff787c8f076f2aec54e19ad4c04f6c6d4ea418d7f7a882a70bf7ec77bcc36ed

SHA512
f01253b8dd088bc678cdb8ddb2e543140d74e3c66050b54f6d6708bc367c90007000ba8581e46c936f90619b5a5e3b6e3d81307263e88d86e49d08b991ad103c

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
63KB

MD5
9ac292774504e8ceecb1679c9e46fa5e

SHA1
de41fff9a278048e720bf443536c8925db6c57be

SHA256
fd1b443b043114fdb749ee1e6297ecdbfedf08408e0680e2509873eb4f258e93

SHA512
7b160d26a82f8af9b1f79c50a0aa3c7ec64aa9136a968a3cd1ab512b834eb336f0bf6897d571cef4bfa1458d3701383b212e41bc6a7fd28dbf6a4051c9d28025

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
63KB

MD5
9a099d6a08156983cabee35060711a01

SHA1
77101c443228fe559ab6a0ccaf893e24e87166fb

SHA256
35776ed0bf43fbf140afba1c98a2dce457240c04fa4a10683637244125bb1f06

SHA512
2ec8a986dc3ed8799b39495d57ccefb0e9c9bc162fc74fda981c3924387104064d9bee0fa717e9217a04d9d113d57f8fc4000c33cc3e93c2f43bb9b1d7df785c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
63KB

MD5
6b975a32073f6c7d4b6af88653041b38

SHA1
ccffbd98c90c3dd669c3a7fa903cc9460c282ba8

SHA256
c8da597135d6d1039040939822fe83536eb3bdb90e3f17d4fff086a76b3dd498

SHA512
8ab91748b76c4d55aa8d3ff9cb8508998b3963ba44b827222964094aa3ccc1ff2667ea0787fd89e03377ce2a20ce08f3ddd16bd533691d0b9d085a540637216a

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
63KB

MD5
7c6442d69814fab3d4caa255a13f52fc

SHA1
158898b830dbd805261a52d8a7c943756f08ccd3

SHA256
f95e69240d45609a351cdfe2a2bc7d9403f5267d874cb9a275e8ce6cebd3eb6d

SHA512
c41915cd75caabc1eba658a6429cbe0d4d043de9ac1d5867eb58ea66619383123998118323be9ac4cc34c6f9e361a16b19aca3cad5fa2dc3729ee90e5783b8cd

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
63KB

MD5
5cb1effe34466b0da61b9655056b3ffe

SHA1
5251ef38852ada148f36dce6ea1fe26ebbb727bf

SHA256
d3dab8231427e0de122016ae0fd25c35a03d68ae62acd9b88ffe296eb0337f52

SHA512
591ad33666eb7ab03add54d446800ba3bac95540de773f0688f044a6de14d6db5e296945e31b78f9cb5d0a3967372da7ddbda249404296c2d0c0a2055f5053e4

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
63KB

MD5
d1d3d9c650bc4ef74cb9bb1ab3fa1674

SHA1
d83dbcc8b3c0f03b3133961c90eafbd30220b531

SHA256
3786dc2faf438700975a0e961b157e90987882dc55b69fb2835ffc6e3bca8ed0

SHA512
da5127b2a2989df23f9786731f24ca7cb12ea547147e1328b41cb1327cb7a08ad1d637c7c27cd66707d3369ec87dd77b1fa11d0a2b0fa887bc3a934e80d56dab

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
63KB

MD5
27d6907c77e9e209bed1e9a8db25222d

SHA1
af441fd3f1f3b72ca42e4df0549b0c0cab929684

SHA256
aefbd712fad342f80baab9d40d3c0fba77b904425625ccf2dda109e1581beb35

SHA512
e8b4fc3e1110f727f69710535f8a9f03fe12f5f37febd6ac5c13c6a55b5d9ea38892bedcf7fb6ba81e1830169047ded431e88998df756dd06c312a35aaabcf01

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
63KB

MD5
348d5dbfce95256ccad309f4fcec0688

SHA1
bd49ded204db214145bd31a2676fc15e84c250ae

SHA256
14db6dbfa0f583b5e07fa00a3369b3b5868063b71d463a58408b634c149b9c8a

SHA512
fc50e6e1b21e57d115e8871851e014f7d83548cfcd8d31b04b594457d4e2f556c979f0ec275043b7d51430d1278079ed9135db122ba2be9b5198fe5d98c9d96a

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
63KB

MD5
375da52686686b004b0870bfbd564d0f

SHA1
3f48fc581fa72e88a0a1a4bd564a89ea0afd4c17

SHA256
edd987e756639455b2d24cd36a0948277603ae16821ca3f0cbf22d0cd7a59bb7

SHA512
e8e2aa2909bfde4a291f97850de0a90d6774f76dd5a8c6145cb9cb260b82da2d081e30f349d6d6e9245d5106b06b2803d0cf16d1574c462bd9c80e287ecce361

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
63KB

MD5
5d9c32c263b12ac9642cef5907bc448b

SHA1
026a275ef5a3434f5cb30d2d484cfe8ac6afb3c5

SHA256
f6fed8ab6b3720456f221fe2a57a70065d4f7822c09b0e50c700da49720c1e28

SHA512
b7ab7c1db3e70f273b45864f9ab5771c3ea14a26da0b74e73ae02de8463b11c5d9db924e13c96d14afd0fce8e2050f152efd32c933262f2777a12df8ec5a5aae

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
63KB

MD5
69236bb421ba0a6c830721c300a05df3

SHA1
b4ec2225f9f850461cd26ed2260360beee9d9b49

SHA256
1df25e00a84b00069eebbd26885cd301ec752a55b997d0fe0d275a4d5975c74e

SHA512
8b9adf205791b224ca6762aba1f4f48a06b8624a60d18d5b8fa67b953836a3b8cfcd0b266204a20f8d6ce9ab4819e6c4e7270d6278f559f7480ec873c0815c11

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
63KB

MD5
063995617c87c06491042ec0ce2ad703

SHA1
b8dee9b918a7d509657d68354e703b477d1e5718

SHA256
acd3c6f46edbf821780c0bcea0d8c3d90b56902bc2448c9c87bcd404da62365b

SHA512
42419666faecb68f300c60f92a3d88321965b783850ec0da9c530bdf772806f18b9362830c2a8fe09c799d8cc93d806ff8ec6f101a9927056c1e0b7baf4fa5a7

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
63KB

MD5
a8541c19f39701262961c51ee3b96e46

SHA1
79927792b66b94db211a572547fbf8bc202fdb1b

SHA256
4d74b2a20dc6eada21550ee94b2cdfe5140133ab7d534af08cfa6c160d9b15cf

SHA512
4b0ce4b599a2a0bbfd7449da56786d965c35cdc848b555943a90902f4a1bbfb6f5d490708ad79f3b6ffe4dbda363666f25fa351d4ff8d6376d71f101672edfcb

Download Submit
memory/376-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-6-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4116-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads