8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Size

128KB
MD5

cbfccec60cc8f773b777c166ac8b2225
SHA1

a88308c325b92c3e79308f3554c973c23987fc3a
SHA256

8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5
SHA512

476d842acb1eda08110e46f72022ec6884071d9260f7138f324971efcbd036ec1adacc94e928ae2002615a95ac504dd0c8157f3e6a5b8c1d6780b10d8be26a76
SSDEEP

3072:dhtw0ud9vmzrxYm7AcE/+EWa6iYBy1AerDtsr3vhqhEN4MAH+mbp:dhtw02mK3WaJ4y1AelhEN4Mujp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe

Executes dropped EXE 34 IoCs

pid	Process
4460	Lkgdml32.exe
800	Laalifad.exe
2308	Lcbiao32.exe
1600	Lkiqbl32.exe
1840	Lpfijcfl.exe
2312	Ljnnch32.exe
4684	Lphfpbdi.exe
3952	Lknjmkdo.exe
1464	Mnlfigcc.exe
1576	Mciobn32.exe
2272	Mjcgohig.exe
860	Mdiklqhm.exe
2156	Mgghhlhq.exe
308	Mamleegg.exe
2236	Mdkhapfj.exe
4824	Mkepnjng.exe
4220	Mncmjfmk.exe
4488	Mcpebmkb.exe
2420	Mkgmcjld.exe
4448	Maaepd32.exe
1732	Mcbahlip.exe
1412	Nnhfee32.exe
2872	Ndbnboqb.exe
2772	Ngpjnkpf.exe
5080	Nafokcol.exe
3280	Ncgkcl32.exe
2648	Ngcgcjnc.exe
1764	Nnmopdep.exe
2116	Nqklmpdd.exe
4536	Ngedij32.exe
4960	Njcpee32.exe
3208	Nbkhfc32.exe
1052	Ncldnkae.exe
1688	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	1688	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 4460	100	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe	83
PID 100 wrote to memory of 4460	100	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe	83
PID 100 wrote to memory of 4460	100	8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe	83
PID 4460 wrote to memory of 800	4460	Lkgdml32.exe	84
PID 4460 wrote to memory of 800	4460	Lkgdml32.exe	84
PID 4460 wrote to memory of 800	4460	Lkgdml32.exe	84
PID 800 wrote to memory of 2308	800	Laalifad.exe	85
PID 800 wrote to memory of 2308	800	Laalifad.exe	85
PID 800 wrote to memory of 2308	800	Laalifad.exe	85
PID 2308 wrote to memory of 1600	2308	Lcbiao32.exe	86
PID 2308 wrote to memory of 1600	2308	Lcbiao32.exe	86
PID 2308 wrote to memory of 1600	2308	Lcbiao32.exe	86
PID 1600 wrote to memory of 1840	1600	Lkiqbl32.exe	87
PID 1600 wrote to memory of 1840	1600	Lkiqbl32.exe	87
PID 1600 wrote to memory of 1840	1600	Lkiqbl32.exe	87
PID 1840 wrote to memory of 2312	1840	Lpfijcfl.exe	88
PID 1840 wrote to memory of 2312	1840	Lpfijcfl.exe	88
PID 1840 wrote to memory of 2312	1840	Lpfijcfl.exe	88
PID 2312 wrote to memory of 4684	2312	Ljnnch32.exe	89
PID 2312 wrote to memory of 4684	2312	Ljnnch32.exe	89
PID 2312 wrote to memory of 4684	2312	Ljnnch32.exe	89
PID 4684 wrote to memory of 3952	4684	Lphfpbdi.exe	90
PID 4684 wrote to memory of 3952	4684	Lphfpbdi.exe	90
PID 4684 wrote to memory of 3952	4684	Lphfpbdi.exe	90
PID 3952 wrote to memory of 1464	3952	Lknjmkdo.exe	91
PID 3952 wrote to memory of 1464	3952	Lknjmkdo.exe	91
PID 3952 wrote to memory of 1464	3952	Lknjmkdo.exe	91
PID 1464 wrote to memory of 1576	1464	Mnlfigcc.exe	92
PID 1464 wrote to memory of 1576	1464	Mnlfigcc.exe	92
PID 1464 wrote to memory of 1576	1464	Mnlfigcc.exe	92
PID 1576 wrote to memory of 2272	1576	Mciobn32.exe	93
PID 1576 wrote to memory of 2272	1576	Mciobn32.exe	93
PID 1576 wrote to memory of 2272	1576	Mciobn32.exe	93
PID 2272 wrote to memory of 860	2272	Mjcgohig.exe	95
PID 2272 wrote to memory of 860	2272	Mjcgohig.exe	95
PID 2272 wrote to memory of 860	2272	Mjcgohig.exe	95
PID 860 wrote to memory of 2156	860	Mdiklqhm.exe	96
PID 860 wrote to memory of 2156	860	Mdiklqhm.exe	96
PID 860 wrote to memory of 2156	860	Mdiklqhm.exe	96
PID 2156 wrote to memory of 308	2156	Mgghhlhq.exe	97
PID 2156 wrote to memory of 308	2156	Mgghhlhq.exe	97
PID 2156 wrote to memory of 308	2156	Mgghhlhq.exe	97
PID 308 wrote to memory of 2236	308	Mamleegg.exe	98
PID 308 wrote to memory of 2236	308	Mamleegg.exe	98
PID 308 wrote to memory of 2236	308	Mamleegg.exe	98
PID 2236 wrote to memory of 4824	2236	Mdkhapfj.exe	99
PID 2236 wrote to memory of 4824	2236	Mdkhapfj.exe	99
PID 2236 wrote to memory of 4824	2236	Mdkhapfj.exe	99
PID 4824 wrote to memory of 4220	4824	Mkepnjng.exe	100
PID 4824 wrote to memory of 4220	4824	Mkepnjng.exe	100
PID 4824 wrote to memory of 4220	4824	Mkepnjng.exe	100
PID 4220 wrote to memory of 4488	4220	Mncmjfmk.exe	101
PID 4220 wrote to memory of 4488	4220	Mncmjfmk.exe	101
PID 4220 wrote to memory of 4488	4220	Mncmjfmk.exe	101
PID 4488 wrote to memory of 2420	4488	Mcpebmkb.exe	102
PID 4488 wrote to memory of 2420	4488	Mcpebmkb.exe	102
PID 4488 wrote to memory of 2420	4488	Mcpebmkb.exe	102
PID 2420 wrote to memory of 4448	2420	Mkgmcjld.exe	103
PID 2420 wrote to memory of 4448	2420	Mkgmcjld.exe	103
PID 2420 wrote to memory of 4448	2420	Mkgmcjld.exe	103
PID 4448 wrote to memory of 1732	4448	Maaepd32.exe	104
PID 4448 wrote to memory of 1732	4448	Maaepd32.exe	104
PID 4448 wrote to memory of 1732	4448	Maaepd32.exe	104
PID 1732 wrote to memory of 1412	1732	Mcbahlip.exe	105

C:\Users\Admin\AppData\Local\Temp\8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe
"C:\Users\Admin\AppData\Local\Temp\8d433c23a4a06129e4b009bf81340c8bd7632562a92e27425049b8120eb550c5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\SysWOW64\Lkgdml32.exe
  C:\Windows\system32\Lkgdml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\Laalifad.exe
    C:\Windows\system32\Laalifad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\SysWOW64\Lcbiao32.exe
      C:\Windows\system32\Lcbiao32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 412
        36⤵
        Program crash
        
        PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1688 -ip 1688
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
128KB

MD5
2e4287aba2bcc09618ba1aad2ca899a8

SHA1
27ee90748b43515a49ec804e193badae152cd926

SHA256
01c6292bce1f97f4a57a3b3f9de12846c5f32a94609b15a773352afa9effa1b4

SHA512
6a738a62c6fae314da3c017cc2935f8146fef9a0baeb80005f3200254b9823b00ab5f376a19634404871ec61f4f7160547d94e440aa811d74ef70808e073bf28

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
128KB

MD5
ce37ff96c2954341ebeda94f6359505f

SHA1
722504af10155f844a378cc959b8329eee0ddba7

SHA256
72a9e4a347f1475983b232a35442351f67c2156f2d1d679298341bf1fb2f55ac

SHA512
3bb92a8bf5336df25306dd70cc035be8f9fcb3bd5433baec8be3f3e28119d4e046c9afd83a13a2f7031d48d37fd6807e5c084c26538be0986485ba8226f7710c

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
128KB

MD5
94ae5623147d7af0b45ba127dd50a315

SHA1
26b43c842d74080a9a58e4191ff4c406db5c8d3b

SHA256
bcd548c63b636817617dae71b3b78da65463d79681ec82876ac7c8be555327cd

SHA512
da3cddc40b1c0d2a6ac7a3d093f52b4631e44aee9226d3a01acffb18ae0a5e685f6865efcbd37011ad88ec6ff3e42cbaf06d60c049e8828314285f7418eb4e75

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
128KB

MD5
23aa610bc33697c6c3e416f0b9658df1

SHA1
154c4dcc21d24541451e6b22416ba10946a902ac

SHA256
685467622cdacaca6090f082beb1aa5ca276d7aab817b6a3ec303f3d6a96b467

SHA512
a28b2b199651945098eaa34d18ede669a9fd5eaa6de9ec97491b406860a398ca959750cb42a9c8d1894cc82aac07af434c8047a9a4fac63ac6cbb82e114f091c

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
128KB

MD5
c4d479747f64bcdc55cd455284d2be0d

SHA1
6e9f0a5e21f11a7c18be4bed60c72fccd2c9e8c8

SHA256
076e6efb3ba5339895ea78701c54428ca4582e5a4b5d49c22b11f62be18830d5

SHA512
727cc560bcba860b164cf5046a033fb470b6a9eeb702e01b98b9473b164e2be864fbabc99da75ebe6df82c4876fb4773898c7b170eaa0b945b0b10c1d345366c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
128KB

MD5
3a5017985d5e628dc9b0cdfa9ebf2115

SHA1
da69dd8e0873f8c6e547f78cb3a4202b2f589de7

SHA256
4eb2487bdfcf99727ba885545ca5641ba0d9aee5e03931688668ee05a3a472f0

SHA512
8b39ffdcfed1aece92c35c368567bad0e8e102287ca3c73dcb6b5a4b2ef4d6600511e29198f63d9d4e4f918d8185333164b48c41ccdc11eb86014d5848c48f3c

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
128KB

MD5
ec5e87cc726d97a73de7dd640b07d3ee

SHA1
0000d46af9d197a2bc4d2982c3a0abdf6218f0f0

SHA256
0fd3a065c47105dcf7a14fe334719abf923adb7e55f6eb5614caf71fb1859d04

SHA512
78e4b5de884583efd9919c5d19cfc8b3d4669ca9cf601cf35fc84202a0cd729a787f29e3e11d0d3e96064d56366f4e67ed202887c2a97945878d76dd6acabdbb

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
128KB

MD5
3c4ba0ee4a08bbe56eff77f17473747c

SHA1
6363b4edbf9bdf1689db42ae7629aa3fd6813a44

SHA256
38527f86f64808f19ae940402fd0381dbb998000c936ad88c2b04ec9f57b6a76

SHA512
fa5b6980c49a26baaf03bc09bf169bad50a14ff669a61d35d95fff974b829ab9d9ce82f69a5d6d7a0406d5d927c347217ce87e7baba9787d5a7faa18d9023f58

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
128KB

MD5
a2a66ab86d0ee24e363eb687c59a9ea3

SHA1
3f7540b33c984fa59d988adc68ce2c80267e7e16

SHA256
02343b51a16a276ea1278f43c4f97ef100ca64bf91670a29b87ca7b3dc8c4415

SHA512
1a8cf27fd3b0d9367d1eadfd82f12f999d9ec463cfa73ad4857dbceae25c09e415046fd2acc13c8b6cb36ddf8fbddb94e392d657c8b7c407e9d7beba78010249

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
128KB

MD5
21c054d382cfaacd77c3f74a1136d28d

SHA1
86b50903df5197a397599f4a71560882079ec4e2

SHA256
77c5da41a6891e84e9ba7f7c15f64c9b225bf9b7aded9033d9f5c3b5751af43d

SHA512
d3e6d70bd7aab93d5f611b8cc3feb84fa8606e639011181dbc02f5e1297840767ad51a9b1cea91a19ec6442219611d140c464e38eccbf4ddf1394c31bb76ee43

Download Submit
C:\Windows\SysWOW64\Mbaohn32.dll

Filesize
7KB

MD5
f6ea2076a130ac4aa23beebfe2a0f336

SHA1
fac329266ad22506d57f6294376767c558ada143

SHA256
bd4fd9c754bb11298718ad9cb1ef6716bebace19332d299ba34c5e1086b5c116

SHA512
603e4768eed0bf255ad496cc0e90011b457616ec764ecaa67885c1ada9fdca41da8be01df12b5ab815a5179eb5ddca98829e4854de2525e09b9f2cec1d3522db

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
128KB

MD5
81a2acce7ec5a0fb0812f0edc4af44f1

SHA1
caac3cd83431bb9cdeb57a19a841019a69ab7a23

SHA256
39ce7805dc74d08f9366a20e2610eccbf7022cb86ce7eb397b22aa4bde91b860

SHA512
566872797d45e77582bf9120862812e97309bd924031d4527fe10d23580f646f4cc9f0e56e0b373f9bd333e5c0558a3883553799e27225d0230d8328e4977ced

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
128KB

MD5
80e507af286cdec8dcfc86740f1b3f59

SHA1
7e9f096c3d46153233957de88ae4797157fdd552

SHA256
2f7578dc184ef07062104068c91e9b65b85099125f366aac66ea50bbf00ae75e

SHA512
ffd1f1a730156be592772819797ba7bc9902b0e1cc895d674894fb5fe2c096424146b8bb030650ee98f365ee86821c37dd49f7b34a8cd922e44ab0cd30ff8eb7

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
128KB

MD5
9dc5211d0f6506ef7417be7425bd3bb2

SHA1
57bec0d777641bfca64f3d990dc5934fd9aa268a

SHA256
a16f864133677ec230b06a6351540caa2d51a78ae7edbc29e179b2c8e0f1429c

SHA512
fb9e329bd0bd26ab18087ed88c62c039ea8bfa88b09d1479411983dbcbbb26b1864fd8361644dde6020483c971bea4467e29940d247704e425a26a667f26165d

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
128KB

MD5
d28acd888a7e8f5289bf3097a126be17

SHA1
15c62cd5ecaa77551e2e338479da0110eb7468bb

SHA256
052a5f72e83ec99b8981423c145375aeecbb6c6ada7a856191249c64e83138d9

SHA512
3094c8ffa60fd39aceb3bb52c1a99e8f3e7bafae512156c45e232816492569d22d321df7297ef213f4a5e9477dcd1b45603765ef83ad2b787f43e52fba73c99c

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
128KB

MD5
2256f5c31cc14721583873bfcc4c22fb

SHA1
811e99677e85bb06a6eade803a341686f5760bea

SHA256
b81f008e7a4bc043a21d145a9579fe83b3906c4c56b4ccab87a87496eaf81ef6

SHA512
81d1743289c24511dd6002b1039a26d3ae9aa8369ea571cdd28039ed5c1534fa272885896819183a75d35c491a229f9d7cc2296ccf480d928fb7b618ad4c31c4

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
128KB

MD5
ed20e568b7cdd4723c334f67e95e06b1

SHA1
a2c2c4ca15d1a22d2bae45b7f3ed307c84bdd2dc

SHA256
5285f7bfb0a631f09c62f53d0895fde28b9f70dd8080fb032f2c06c724b61942

SHA512
8920a4a96f489b42992ac6877dff82d9b0dfbb4a944511d008cd8d2d464d1f3d3b5b35c8f5822327285f092b926fcfe34d675bd2180ef8f14b552ffd40120d89

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
128KB

MD5
2a8dcce8846933822c221a58a28114e6

SHA1
5a7db6dccec29ee7a7aad528ebf002df973ad5d0

SHA256
c323e1ed060e9f599ca206cd9bd2ae9fe66b2a9742b47ff3abf81c4a1ebdf1b3

SHA512
f376d07f7a00331d1b94fc5b057ec486d6367ca300350e68c6c84f73a95a36b165880ea0df51f5e84b533076492f84d623f06042b234c24e5f8946a4bbe59e97

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
128KB

MD5
00d64d92ac9807be534e0a07f399738b

SHA1
f8debad6f13628799b61ace23dfa846b12b4c6df

SHA256
67866788c22d6cbb3057b754e818fe257675de523158b5bb8d104130105bb90a

SHA512
83d4883edb163fcaaa4b9e245a580e7692c5b30eac62db08a99c50c4a41114e605751f3d7e83880d86fc4273901f95f27708123512b0ebcb9034a9006920cf91

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
128KB

MD5
5a020a5a3f619c406b4d6997018eeb57

SHA1
0dd45de7d2abbcf36c52f68a944ed515147d5786

SHA256
ffe98a719971fa3824e4ee2a1c8ecd64a299e7891b136d521667d0024d5b6d30

SHA512
ef47e2c6ac3222ef5110cea55959675fc3a085deafdea2eb95312f54c4411a8638c808c891f92d3f8d7411612d9dcaaadd1b219502ec017aa1d8bead73756130

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
128KB

MD5
97fe9ef67f8eac84cae70618c269bd5a

SHA1
54937d41368b6128e3ed8a18cc23ba4facb650bc

SHA256
dc5678a6ab23a1f728f54010c4abe09bec401f9407ed4eed6a96b3d9e2cfde75

SHA512
22097b369dc0431defe315a20820b282697ab487b9746ee56f9ba3aaba2f1bfc03fc2cbcf68bd8e08d884d26766c6cf4b5e98c104c968250682ec04ff079f8cc

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
128KB

MD5
3038e00027f3cc922136b21ac0d2adbb

SHA1
ab328a0669e0feeab4be5976d439aa1d15331e3f

SHA256
fed99cfca6d112972f27b51f7a98c6ccfe2cce7cf74068841fb00d959f596cf2

SHA512
41e250ef0d00136bfc8d41c7a178d1dd366b82742e57e355dd7615fff6343eeab97c578752eb51facd0c478cd14875e94550e86baf560a52b38eeeb56e646a85

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
128KB

MD5
ddf16eedaab31ef39016e2da72e201b4

SHA1
1fa51fce099ce958f0236fcd3fdca8715310dfbb

SHA256
133c9dffa26d544c4162dac0f8868f252ab5b8a09eac3941ef8f0ef1af5fc641

SHA512
46f9bba988598a21cc0f10349f420e2d27646ad8b951fbef5080c61204ae36df6afba1508f4887d51879a39adeb16c74810b1f42fcc86f3334c42439bfc31704

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
128KB

MD5
4afe86c2560ddd425fe1849b1bebf752

SHA1
857345b41ed63432a8a756b77ec86164abfb89de

SHA256
019ad1a1f9141dec77d5b1172fecc29851bb20ad01a9ee549ab6cb36ab847cc3

SHA512
7a2d28ee975a06378a285719527fc7e8823dfa713157ab54c022375f0a38c680f4798239872ba18baa74a2b0f8f29b688d7773dc3bfef97c43f38cd9a889a6cf

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
128KB

MD5
976e282be9638a079a832ce6662296f2

SHA1
c97554c97dcb990ad8af68adec854b391ceea5dd

SHA256
cdefd7c7b18e028cd45b180818258bf05a3565b11fd258800f9bb939afad7ec9

SHA512
4c3c68a20fba1739b1b137b913d8b937785db76637d90fffb7f4ad47f8879c0d5c07d7717278206c1c7190f5925295724ac7e5114c7570392b06e90acaa3c357

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
128KB

MD5
6649bc23d4ee817756781e29479469e9

SHA1
59de9075735ff5b21699fbb34009d826146a4ac5

SHA256
decbf49fdbecd7c61de923b746812272a5217e1c444bf9575fd5a1dd63fb9367

SHA512
80cc077fd72d5c74f4a6885aace731f6f2cd362c25710cbc64e5ec64c109d906833fed78c0a42e4cc1cbca97ae5b62ff0e88994e683a64704d376e5765c20313

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
128KB

MD5
485bc485ec2a8a87ddba88754874c7bf

SHA1
375939dd3497b21bb45d2d21ad915279fad5c000

SHA256
ae8568fe654b3e329638fa1396526754c6469b976998fcfeb52209845825a1eb

SHA512
26ed6cbef06bed660df22eb3c65e5e2b43408062f3a37fb30229defa55650547c78943f1cc2fbc60a06b5321055801952a8b98a646f9e084a787c13710e23313

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
128KB

MD5
bea0170cbc883cf397bb33f8314498ca

SHA1
87084c07fb015fae5c17cc01f52275e01a219dfb

SHA256
62122f3ec9e5e68ac23d88c85df092c9037c7b3644961183704a11cb447a5d5d

SHA512
604e4a040b7d5e496b2e2155a2863a253a3e927f2c0ec3ad0015a490c8e2434cd4da73a78dae7bd419dca84d965af4cba8c9da80098658a94300b74bf449cd22

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
1043ddd5a99c99e25261375c9dba6a0d

SHA1
ae69286fe81e9925911e4e624fa419ce920e89cd

SHA256
6db3b42876bd7b4a48993ea3f9b96ad8ebaff2a5e2dd613040868b843981be26

SHA512
55a6772048b2401a6cc1251402c056bd31bb8d9ee3a9ab2aaff025104fd514f9896f7aec521e9aeaf2e7eb6168861709516950c8bc5e0f6b59dabe1b3afda934

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
128KB

MD5
04b22b96f21177ac3032db699e0f20b2

SHA1
0ff1751d2d3dac1d747ef74c36a935cc94e58071

SHA256
3be8e04d7ebe5503651b6712af41c31c0715a23257eadf24e00987fd9b9b50e3

SHA512
c4812741bacbd29d53926b8aff05bbdb8e851c447cf6a7bd14f553f3e425b7b1dd2b15b0c488568cd7ab7377332c4537f4521f4578fab151dea2decdaf71f2e8

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
128KB

MD5
0597093be6a55ca473b72a272319b654

SHA1
3ef96beb296ec5570d799315f5302504dc5b8461

SHA256
639c7ee840caa9a8c6fecf720c8f5f61b6c6a860e588941c4aa0d62c02c37c42

SHA512
47744369dda4a0967ddfdca23bcca9dbf4fd7255c87ba6a5d2a39f113877c23fc17f70c2dd408e4a44940e660074cdcba093ece686177e0ca05e5d39a7362edb

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
b5597370b4897dd556544e7fd5b03652

SHA1
1880ede6916f6aa6a17bf1a2260859f3103527ee

SHA256
e992aa2c5ff74f6b9cf10ed9d95b08989ba313c75dff84da7ade6a8b47e65e0f

SHA512
92c4f736b71c57e59414a421bdf189695d8e7d4c89b6b8277c554be47288c84f2d57d4daa05f803d5d4b2e724e6c838ad0bd61de7460286b144ec92fb8a7dbc0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
128KB

MD5
a7f3a21d56a9181a8d5a710575dc2ea9

SHA1
781f7696b9187bdd6b460892f72609af3088b310

SHA256
0fa683f2786c3450d6edb2bec71245e71adeeb8a3125485fb685d6acb70d9615

SHA512
2acd161407316a7e5cf43759df8be48b5e5920eef81a14216a7ef068dd03a54423d085f94c012ae221a9765ebeb05db143e206222da1cf68f1e3c8b2b04061e9

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
128KB

MD5
edc9de74c294fce764109b6a17ba44a2

SHA1
e689c7900238350fb33089ef236369a7e8c9f56a

SHA256
93b7f77c243a0047deca2636292dd004cf3c63eb1f47ce2b7f4536a8a827ad9f

SHA512
81b677c801c1703362e1f79221788f1050c7ad2b1c40b38f772473467b9c57807c570df1fe5a44317b879f50d94c54c9a622d166ea960da381ca64666f01cc9a

Download Submit
memory/100-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/100-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/308-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/308-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads