1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe
Size

48KB
MD5

ff748b2163489db736773fc49bc72907
SHA1

29baae2e3cd6e95271aa331d88f134e4cc81ec85
SHA256

1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3
SHA512

6b3142f1b9c920fee12294bab45eecee6e7e06b166738e2ef47b4bb9e4d1dea6d5965c78786816e92600075a5edfc586e22156a3732a22df7f95b0d8c2516c18
SSDEEP

768:mTQLhCPFfUzzQfiE5VN++HLf0tBdCyneRxwqIbU/1H5:L8Uzy5NHgT8yneoq/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe

Executes dropped EXE 41 IoCs

pid	Process
3660	Liggbi32.exe
912	Laopdgcg.exe
5064	Ldmlpbbj.exe
3748	Lijdhiaa.exe
2420	Laalifad.exe
1388	Lcbiao32.exe
4996	Lilanioo.exe
3448	Lpfijcfl.exe
1768	Lgpagm32.exe
2264	Lklnhlfb.exe
4308	Laefdf32.exe
4348	Lcgblncm.exe
2848	Mjqjih32.exe
2724	Mpkbebbf.exe
1064	Mgekbljc.exe
4352	Mjcgohig.exe
4132	Mpmokb32.exe
1040	Mcklgm32.exe
1356	Mkbchk32.exe
2276	Mnapdf32.exe
332	Mdkhapfj.exe
2304	Mkepnjng.exe
4220	Mncmjfmk.exe
2516	Mpaifalo.exe
2440	Mdmegp32.exe
2164	Mkgmcjld.exe
4028	Mdpalp32.exe
376	Nkjjij32.exe
3616	Nacbfdao.exe
4836	Nceonl32.exe
3860	Nklfoi32.exe
2996	Nnjbke32.exe
1468	Ncgkcl32.exe
4240	Nkncdifl.exe
640	Nnmopdep.exe
2232	Nqklmpdd.exe
3464	Ncihikcg.exe
4608	Njcpee32.exe
1988	Nbkhfc32.exe
3708	Ncldnkae.exe
1892	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	1892	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3660	4216	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe	82
PID 4216 wrote to memory of 3660	4216	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe	82
PID 4216 wrote to memory of 3660	4216	1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe	82
PID 3660 wrote to memory of 912	3660	Liggbi32.exe	83
PID 3660 wrote to memory of 912	3660	Liggbi32.exe	83
PID 3660 wrote to memory of 912	3660	Liggbi32.exe	83
PID 912 wrote to memory of 5064	912	Laopdgcg.exe	84
PID 912 wrote to memory of 5064	912	Laopdgcg.exe	84
PID 912 wrote to memory of 5064	912	Laopdgcg.exe	84
PID 5064 wrote to memory of 3748	5064	Ldmlpbbj.exe	85
PID 5064 wrote to memory of 3748	5064	Ldmlpbbj.exe	85
PID 5064 wrote to memory of 3748	5064	Ldmlpbbj.exe	85
PID 3748 wrote to memory of 2420	3748	Lijdhiaa.exe	86
PID 3748 wrote to memory of 2420	3748	Lijdhiaa.exe	86
PID 3748 wrote to memory of 2420	3748	Lijdhiaa.exe	86
PID 2420 wrote to memory of 1388	2420	Laalifad.exe	87
PID 2420 wrote to memory of 1388	2420	Laalifad.exe	87
PID 2420 wrote to memory of 1388	2420	Laalifad.exe	87
PID 1388 wrote to memory of 4996	1388	Lcbiao32.exe	88
PID 1388 wrote to memory of 4996	1388	Lcbiao32.exe	88
PID 1388 wrote to memory of 4996	1388	Lcbiao32.exe	88
PID 4996 wrote to memory of 3448	4996	Lilanioo.exe	89
PID 4996 wrote to memory of 3448	4996	Lilanioo.exe	89
PID 4996 wrote to memory of 3448	4996	Lilanioo.exe	89
PID 3448 wrote to memory of 1768	3448	Lpfijcfl.exe	90
PID 3448 wrote to memory of 1768	3448	Lpfijcfl.exe	90
PID 3448 wrote to memory of 1768	3448	Lpfijcfl.exe	90
PID 1768 wrote to memory of 2264	1768	Lgpagm32.exe	91
PID 1768 wrote to memory of 2264	1768	Lgpagm32.exe	91
PID 1768 wrote to memory of 2264	1768	Lgpagm32.exe	91
PID 2264 wrote to memory of 4308	2264	Lklnhlfb.exe	92
PID 2264 wrote to memory of 4308	2264	Lklnhlfb.exe	92
PID 2264 wrote to memory of 4308	2264	Lklnhlfb.exe	92
PID 4308 wrote to memory of 4348	4308	Laefdf32.exe	93
PID 4308 wrote to memory of 4348	4308	Laefdf32.exe	93
PID 4308 wrote to memory of 4348	4308	Laefdf32.exe	93
PID 4348 wrote to memory of 2848	4348	Lcgblncm.exe	94
PID 4348 wrote to memory of 2848	4348	Lcgblncm.exe	94
PID 4348 wrote to memory of 2848	4348	Lcgblncm.exe	94
PID 2848 wrote to memory of 2724	2848	Mjqjih32.exe	95
PID 2848 wrote to memory of 2724	2848	Mjqjih32.exe	95
PID 2848 wrote to memory of 2724	2848	Mjqjih32.exe	95
PID 2724 wrote to memory of 1064	2724	Mpkbebbf.exe	96
PID 2724 wrote to memory of 1064	2724	Mpkbebbf.exe	96
PID 2724 wrote to memory of 1064	2724	Mpkbebbf.exe	96
PID 1064 wrote to memory of 4352	1064	Mgekbljc.exe	97
PID 1064 wrote to memory of 4352	1064	Mgekbljc.exe	97
PID 1064 wrote to memory of 4352	1064	Mgekbljc.exe	97
PID 4352 wrote to memory of 4132	4352	Mjcgohig.exe	98
PID 4352 wrote to memory of 4132	4352	Mjcgohig.exe	98
PID 4352 wrote to memory of 4132	4352	Mjcgohig.exe	98
PID 4132 wrote to memory of 1040	4132	Mpmokb32.exe	99
PID 4132 wrote to memory of 1040	4132	Mpmokb32.exe	99
PID 4132 wrote to memory of 1040	4132	Mpmokb32.exe	99
PID 1040 wrote to memory of 1356	1040	Mcklgm32.exe	100
PID 1040 wrote to memory of 1356	1040	Mcklgm32.exe	100
PID 1040 wrote to memory of 1356	1040	Mcklgm32.exe	100
PID 1356 wrote to memory of 2276	1356	Mkbchk32.exe	101
PID 1356 wrote to memory of 2276	1356	Mkbchk32.exe	101
PID 1356 wrote to memory of 2276	1356	Mkbchk32.exe	101
PID 2276 wrote to memory of 332	2276	Mnapdf32.exe	102
PID 2276 wrote to memory of 332	2276	Mnapdf32.exe	102
PID 2276 wrote to memory of 332	2276	Mnapdf32.exe	102
PID 332 wrote to memory of 2304	332	Mdkhapfj.exe	103

C:\Users\Admin\AppData\Local\Temp\1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe
"C:\Users\Admin\AppData\Local\Temp\1f8045e3b25f52426f300c42bb293879897145ab07d5f721a53cd21ab4cb82b3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\Laopdgcg.exe
    C:\Windows\system32\Laopdgcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 400
        43⤵
        Program crash
        
        PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1892 -ip 1892
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
48KB

MD5
0f027918df3b0c3a4beaf7930e6dcc7b

SHA1
12d01822f44bd96d1a79ec4feaee28c88ec84b2d

SHA256
30e9097a67a30fb5dd8454dddf3f472410ea9f1971df28b9a37ca95ab8e6333a

SHA512
4cc2852e553db23d471613b35fcdfe6710f9b0a30c9d0fc2a30d4c930542e0394e217b2404dbdec6c382a3ec23affeac3f0a6a85decadbea982ad6c232d12090

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
48KB

MD5
3d1b88bb778355413eb352d22f335e5f

SHA1
fd08a84bc4e005c034ec417c45a7ad7be79bb66c

SHA256
49697ccc56d7a3f567d0fdef2ab5291b85efd6c82fc00b833bbbd014b4bdadd7

SHA512
6deab5d6a6e5c43c8ff7dfcf4e7f2b6324534b16043c3c580b9fe1edddec77b6a8f4be913014fd5d276fe4415e1310d1ea29c66e85d12e93c2f9f9f69ba2d865

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
48KB

MD5
a143d78fd832d35bc08edf78ef544f28

SHA1
89a1b8e7dc24afa8c2556a6e063e96808ffe9e3d

SHA256
5179bc6660dc8372bcb09333d0d93780501de6bdf65eb65f45e141f6ac05be6a

SHA512
2c69a0f97d19d094e97c275cdc44e57a3f2f68a7d6a729cef4c49789755d1b0b583806688ed168d715bd03f34def481bc683fe26e82a8e32d68ae24ebb7bf605

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
48KB

MD5
4a523d3a88dda155fa41ce09cc6cc0da

SHA1
2a12f979937c4f974952386f01950bd5c1c4dd86

SHA256
8f69aab8186201938655283cc485b4dc6e5df75e435ce3a5da45f224485a7b44

SHA512
333a2995f737a2d8e6831ad240b7169683570365f40ceb0eec886d0c881398f5ace825870bb897b685debb8d0957550bfdc607b8de26fea50036be4654a3df73

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
48KB

MD5
d0f2bea326ae61a0f3ab9250a77745a5

SHA1
289f4d8429773057c4135e073c11b3aa2092502e

SHA256
9e6dc906864f86a63342e16abfe0f1ae857278d48fa8ca3eb9b6ea3177993798

SHA512
8fe96514c5ffca48651c99bb578d951e144f97dd043a955871aaa34483042f316a09b71169b8d3064c88c93f614c6d3509d0b822451f0ba4b635f11f6fa00877

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
48KB

MD5
7cb0550dd9d4141374037162816f678a

SHA1
2f92e52ac2c514971bdf071053b2c582bd1e73b1

SHA256
3d5e6d14fea982482c9ca62feb8548a23cdad04135be8ec7115d94fda71719cc

SHA512
8b6a6db86d1c618b8e33770b94e89cc183c837afc7ce5d4614ebe220d68b003d34e48c931c56a0b807d0091fa6579b6e1985a008e493f284fd100d61df0a0129

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
48KB

MD5
b940f7fde5583f998dfaba02559cb2f7

SHA1
af81ce0ca0df0b477d39976176b6d410593580ab

SHA256
ced12fe35a9014ced23b23286550e0b76c23d2df6695dab18e9d6ac438283c8a

SHA512
85c7d5806bbf50856090cd399f0feb53c98369d8174e8bcb514cbf7a8c551d89932b363d9e24a8c5612ac210e7e38777b09fc81812ece5d565975990bcdc549f

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
48KB

MD5
177a1da0a7e4bfcf64c102324df648cb

SHA1
2df13184f5d9c0072da39c3bc28680cd15689151

SHA256
6f4fe6857a0d68abc3d7b9441efdb0b687ddfb1a2e16661b5562244c80be7595

SHA512
dd3f55a223d032133e1ea3e15f72f2cef8e31e5f7441286cbf8deff3e607943933849967a557acfe9a4104c24aea11e8c098c75fe4f6db2c2ee3199e4565a62b

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
48KB

MD5
f639f514b7059f5a0d73542e1b062c6f

SHA1
ab474a62587580f52d783c7569a239c1adac688f

SHA256
4b29cfcd169e8ce1e8c1262081ea4d59997ae611bab06c1b2944a316ce9ea6a1

SHA512
9904f800143f00e91212eabaa72cce328b6cdc25d3ee91426d37a859979915aebdd5a65f01cd2d40060b6704eeda26eb7566c9610b0f915f6fe987d9dce10b3d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
48KB

MD5
ed20a7d00f0aa7c3fcee1f142de7b5a2

SHA1
0069a8394220cb7d20eb2a321b08e9d790f18800

SHA256
9a50be9614fdc736bf507c406905883333e8b3fd74d968e22a9482f53f7f2268

SHA512
21e6827cd206980f2e751e140be112f54f3a34137c6cb8cfc87cafe6d9b6a292ff54a9476e0f70301510b4ec3c6422a8e79f5ce1a6a641ac3b15d1149c0245fa

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
48KB

MD5
1d6e00a7eb8a72076a3df659b3d04749

SHA1
5fdea91c524a37ad04b100ad39819e14375849f9

SHA256
6185da4084ee29c681353ace313aa5461e48c87ce411cbff8741fc0af0e8a001

SHA512
9faaa0ec790d8bb4a175e1ed066942238dd18825beb0a66a372c717c8eaf477e516ee006c648ca12f0df442b33c621e6cf2b44b2c00d9a79e1c673eb66bbcf8a

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
48KB

MD5
f7d4c9c2a1cd5c28cf9bddf6034e2b1a

SHA1
974d0ecfc597610571d26587c785ebaec49f2fce

SHA256
2891197ea91e6fe9ffeb036f8db82a8f3deb1ad7ed62e68133ce84c39e99828c

SHA512
06d9e380044c58340a0a140cccd84db1784fcb26165a058bee178c16aa69a3958dbf159b88a31a114e5dd28d54b9ea32a5fece733b01e14a108df3611e61e2b1

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
48KB

MD5
b1a837d24c99765b23b0a78e0ab8da08

SHA1
08d9cad3681a4482a30af16b42e5f6a07d04a623

SHA256
fcc7b09470fcf3d1d35febed3a4515408bba7278707d1537eeddb7ca3763e5cf

SHA512
462d98704deef925198efdaf4a7df749f40a6d4f9542415aaa77c490d443250eb729950dbd8985777b36bc1182fd5cbbe32b39c8654428decc0312f0bb3d3fab

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
48KB

MD5
42a65724eeb97bc8287937c3dcbb5389

SHA1
a677c558e46012e283b69eba3dac7153f903d763

SHA256
9bc3345bb0961f1ad517f089ef63a66a24b784701a1d9d6221f2e11b7292d2fc

SHA512
e648716d003c23c9a409908bd4f8d0d6361b2ebbc4fa77f419b82fb891feb93e75c88b49b608251df748dc56f7d0553d72cce0c2bfea0ef9f7dd184f534cae79

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
48KB

MD5
612837d49194f8b521551c8b4d4ed83b

SHA1
dbaa533c7d1024507f46b40ef812f06359f58666

SHA256
15fe98ddedc76ede93544f042b30098ee426a1d0ea488294c627af577470b440

SHA512
f2b2d4dcf4df5b7cb350735e9786a5aca726f26e6ad05c04e0127705489de27973da43f03e924c0185fb48253f8747b2d7182289c149210c47ebc1729d2fe298

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
48KB

MD5
fe1de01779e3b4f5669c61ffbaf30711

SHA1
acaffb94902d53b0a78a2c3bdb6e8060c868ec5f

SHA256
c0c6f5f9f67e53da09dfd2c1edf3f225289e826710f6f0939aca944371154bb9

SHA512
ba029ab8ced9b479d8f25469cdf8523bbccc55bd7a00dc9b7842fe5e39a5bbf2286f2308ce002c2e4be3be9740a9796ef4c62af51486a1510169cf11ada56be0

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
48KB

MD5
144da7cb83cf1b6df112ec2c5b0ffb56

SHA1
b1ae56a72c3713496d56be46bdb267f7964174fc

SHA256
1fe515d80b9a751a24ab9c9fc1d0280ca09885083200b7d6c9d9f42dc0fc9750

SHA512
78c471d2a9c9b9fbdef0fa89cfec981b8c2f2ab0690f0ac636c3d72128d95328858e462b7d8e2a1ebecc1f2940318c3b13e862d01ab417a28033f4eafacd7753

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
48KB

MD5
fcd44640f01ad3da6c9eac6220b1da8a

SHA1
c6dcec99edcfb39048fcf85b75bebad82a84764b

SHA256
11163818d4017424f14b281ac27407e826678aee5e73dc20ff144763575bb782

SHA512
f432d9351c7a687ddb35a22a674ea1580574c174040cce300daff4c6003274128fb5dd11007b79f111588a9f0c3bbc0dd02e246519bf54c666776d7e5e96eacd

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
48KB

MD5
72d3395b58673ae653c3bd7a77c0f26f

SHA1
ea90273d64d87f704b15039b36f44c6407ea31fb

SHA256
e31fca96255cd4ccd643a178c8305ebb38e8062b59202cf389af500b61eed668

SHA512
96a1035e882da8ef5b3b9a8ba0be6f0479857a98ea0496be74a840f26192b1c165ef7c9f87d13a69c551c95de74e7c438da68db9726f1c856dd5c355d7fb25af

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
48KB

MD5
1c44bf167e8006559e1156bf19546d9e

SHA1
bc911a5d2fa852e74a9ef23237f7a134ec689af8

SHA256
0c1d7fdd1a95e5edbc236205b8d71edd4e2dbfd609bde200bd387645b3673f21

SHA512
3dc584b1c40b4af9557d99a0065a63a94d408c7d9e181b8c5c2c1326bc3575352cffe27fa6b6b77222a2184d002aec8550ee38772c4bb38994a85531fd70c424

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
48KB

MD5
667a5bc7e16de206700e8f50e92a974e

SHA1
9863a8ce51600f29f97800bf6cb2bf6e8eb8e3af

SHA256
2f39af93b2b8732927f23ad577a8efac071c73299093c1a447f6e1a233854466

SHA512
8b9f16edba51ad1eb72026ef6d81f67f47843091a42eeb7aec06607c4f2a8e2f6f7b4d3cdc290a7ddef42923d6c71eaaee9c3b524ac61567f6e18fea7cacbeb3

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
48KB

MD5
60944255d2d1431c855888480ef9ade7

SHA1
8023bc7d06be2ad80c1c92efeb15dd5d7e6900ad

SHA256
595873f8e9a82dc9c650fcaa50fe05a23c1c0ded592cf7c9e85b74f3b245fa6f

SHA512
fefb6195aa6c7d7788832b25e2475d728a8b30447c56d7030aeb7086ae69598e2595d948c0993ca62a783ce769c6d9fffdce30cd4b41b5932dfe5994f9fa089a

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
48KB

MD5
d3c459cb816f9273e69fe7541cfc44a1

SHA1
5f1468c0169474dfdef9492cde8cffc8d9751b3f

SHA256
e6f65d410193f789f6c8d87cae0da002a80d84d7134b273204e0c24e35754805

SHA512
fa6d3119a0e9e21778639b6a7ed926dcd57ab5a5b4b298662d48dbe4cd934fcc72f4eca8673b9fd6b2d037ffd9c8e49b9e549681055e115178c6e050614c360a

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
48KB

MD5
0bacb6ac02a5407e841e31487a40b5b0

SHA1
fe57567d5d521f813521efcb40843ff8a6e2fa05

SHA256
67e73b402ffb52f851806bdff62f5e93c991186b5d3992be8e19515810cddd09

SHA512
352c3116d8f61f76fff9ffaadc1010eb95fd455876d70ba6b2d9016d6ff62a1a585436b2af9016e90d6d14109c700e5aec47315fe618d53935a55091b8847e16

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
48KB

MD5
85ecdec825131da76a9cab93d836ec6d

SHA1
e099f4ba51671b66aa529dabc7ff7dba274c96b9

SHA256
c538d95a8ba6fa7b74a849f45d35f238d7b5d33ca509a7357b59c29e610ba480

SHA512
7e64e7b57ddd395e1d3d5616d0891c2f512fa1ec22e2e3f0e7cd57826c46ed93415e24050516d8847a49e4193d9c9fc55e2101054070e7ad1221c04276d96307

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
48KB

MD5
8df556c44e6254ec8567767f161a4c4d

SHA1
0d5c6c1bb5293e2b9115b545b451f3a9aeef66cb

SHA256
311444b0f0f17786ceb352cd43b3d3b3125f049a49f8145f6b98a08475869920

SHA512
8da1f4c064190f7f51341a5e6a34aa1c618ed60fceaec443c8f40b32cc572f46208bff4e23774844632e0498b80780504db296a9cb5c78e77483f096a3935b75

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
48KB

MD5
08c4b8699e96ff04e3767a3e9784d8db

SHA1
8a15e45d655a2bf40abb6099aa466578923e41bb

SHA256
3aa35d21ef040c3c329383030ab3fbe435257a98cf5567ac124bb866e62d29ae

SHA512
749a9f2854562ecc9b863609a4516c6539f2ffee4e1847e2aae94193a922b91c37852e3c956fba2b8ef21890f5f9018802b596abe5e55f3f08fd839c2ad88eff

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
48KB

MD5
491acc64d3db74d42d2cead92b6c8cd3

SHA1
93608722770f73c60d0923713543cec36980f4a7

SHA256
2eda910a49a88528b85798d9678d7de0e8f5329ea4b091298bf272462d2dc69a

SHA512
34c54935e3c8651be04775a8439d2280509edfdeeb3e510594c3a35a803a98113da3baff92db74d5c0168596e196dc78c582efc594ff675e6f9170b589b26d53

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
48KB

MD5
d5fa1a6cc21b2cf92ecd2151438728a4

SHA1
3971a6f620c430fa51d6e828ea52bc59c972943f

SHA256
33209e83387ce237bc0d63801aa396c7aea439aaa8fc2f91e3510bcb3b2da8fd

SHA512
b2cc9ab428355b6851e52550a9f16f27d13ab31f1bfb4a895743e73fe9753d19d1e26f2a0026651624a22debce0eda8f42fd39111600f6c5fe71b1e210598817

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
48KB

MD5
86a6ec8ebedcdf16cbfa76cd95b55112

SHA1
fc6ceb2d581ee6ec58440749b327f025d16dc535

SHA256
fb577411cd91aabd6d45f331d4fa78cc12d682d6e7289e8a11a83fb03d0a79b3

SHA512
fef03bf6ed396e9116689fd9956c722ce5d75d70ce76724ce6fca5dda488961244afaa2c82559c35aa283e2656773f4d5fc72e7b1fa265376f3497501ea5a3f8

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
48KB

MD5
58cd248c2d494a38a94637be1370c4f1

SHA1
614fb1fa824f9efef7718adbe38cc2d1c3955d2a

SHA256
518fa275052e4852e3eaab2ee1d5d3605583320118ff5090712cb705f9896d11

SHA512
75abc88822f364653dc7336819d6548d1a3c180ac9055fe1bcc4d1eb5cea3dcd72195e210919bbb65e2fe5334f9f6519e3a705a09211eaa46cf5d2b3f32b2ebf

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
48KB

MD5
9298498ad83bfaa4467c129441d32fb7

SHA1
9c75d85f8ac8a223f95f21a2cfdc333c06a960bc

SHA256
10265bcb23dbdcfda99a2bc4a09d8cf58647bf374e1fa90ea02db13273556a14

SHA512
065570c7d7c0b186678a2031720cbedb2e3553fb4fbda97c2ebed1a072b44ad04e3a9a062baac95e5a0663008f59aa1a98740d671b0718f7738b02508ea7126d

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
48KB

MD5
6c943e38171790777341ec7634567cf5

SHA1
a77013133a2b75706922183fedf417ace2f92ca9

SHA256
d96f13e9f27501c28f6eb98d8c53f15b58b37cf0d3d866fe0ab63c10bc344c75

SHA512
698fd41d77d0e5cbaf7e5523cd734ee336c8405b9ddaab70dc5d773bd15984c40129202e33f19db688740b2857d1cca597d2a577fbc3cce4eacb190efa3f3ca2

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
48KB

MD5
e01767ffbf501967f9ef15e8cabcde97

SHA1
399b065ea0326ce069128737e4ab05fa3516788a

SHA256
26e1d01d1532b5506de627945a32e9ff72324d112ee2f03ca0c89921aa4570e1

SHA512
1254fa340553ca0e8db4ce8f49745b47c8c8bcd963560f94f7d11948d6c797b7e5e8aaa57a124da3d499c55ec4a183efedad1c942b18831ab0c0c750a0b126bb

Download Submit
memory/332-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/332-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads