451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9

Analysis

max time kernel
79s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Size

512KB
MD5

371e80f14faa3425c2f882d2c9fc124a
SHA1

d5f45374dfdae3e2b71ccf2f1707fc3cce3202ff
SHA256

451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9
SHA512

eeccacdad3b4895c55aff7da8660adb3577c102f0a066c48f9888e2b6de0abf1a8274edb541770afff7fe0d9c5061bfbeffed16dadd1f574445ede6f8833895a
SSDEEP

6144:aGLTe4rdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:8r/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe

Executes dropped EXE 39 IoCs

pid	Process
3900	Jplmmfmi.exe
4748	Jfffjqdf.exe
2612	Jpojcf32.exe
4440	Jdjfcecp.exe
2948	Jbocea32.exe
744	Kaqcbi32.exe
4552	Kilhgk32.exe
3912	Kbdmpqcb.exe
2340	Kkkdan32.exe
2768	Kphmie32.exe
3644	Kknafn32.exe
640	Kagichjo.exe
1052	Kajfig32.exe
2216	Kkbkamnl.exe
4680	Lpocjdld.exe
1172	Lkdggmlj.exe
1652	Ldmlpbbj.exe
3856	Laalifad.exe
4052	Lkiqbl32.exe
2808	Laciofpa.exe
1424	Lgpagm32.exe
4824	Laefdf32.exe
3468	Mnlfigcc.exe
2300	Mkpgck32.exe
3828	Mdiklqhm.exe
4464	Mnapdf32.exe
2820	Mcnhmm32.exe
8	Maohkd32.exe
4120	Mglack32.exe
3880	Mdpalp32.exe
4832	Njljefql.exe
4360	Nacbfdao.exe
4288	Nafokcol.exe
1828	Ncgkcl32.exe
4720	Nbhkac32.exe
4688	Ncihikcg.exe
2276	Njcpee32.exe
1404	Nqmhbpba.exe
2952	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	2952	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3900	3456	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe	82
PID 3456 wrote to memory of 3900	3456	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe	82
PID 3456 wrote to memory of 3900	3456	451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe	82
PID 3900 wrote to memory of 4748	3900	Jplmmfmi.exe	83
PID 3900 wrote to memory of 4748	3900	Jplmmfmi.exe	83
PID 3900 wrote to memory of 4748	3900	Jplmmfmi.exe	83
PID 4748 wrote to memory of 2612	4748	Jfffjqdf.exe	84
PID 4748 wrote to memory of 2612	4748	Jfffjqdf.exe	84
PID 4748 wrote to memory of 2612	4748	Jfffjqdf.exe	84
PID 2612 wrote to memory of 4440	2612	Jpojcf32.exe	86
PID 2612 wrote to memory of 4440	2612	Jpojcf32.exe	86
PID 2612 wrote to memory of 4440	2612	Jpojcf32.exe	86
PID 4440 wrote to memory of 2948	4440	Jdjfcecp.exe	87
PID 4440 wrote to memory of 2948	4440	Jdjfcecp.exe	87
PID 4440 wrote to memory of 2948	4440	Jdjfcecp.exe	87
PID 2948 wrote to memory of 744	2948	Jbocea32.exe	89
PID 2948 wrote to memory of 744	2948	Jbocea32.exe	89
PID 2948 wrote to memory of 744	2948	Jbocea32.exe	89
PID 744 wrote to memory of 4552	744	Kaqcbi32.exe	90
PID 744 wrote to memory of 4552	744	Kaqcbi32.exe	90
PID 744 wrote to memory of 4552	744	Kaqcbi32.exe	90
PID 4552 wrote to memory of 3912	4552	Kilhgk32.exe	91
PID 4552 wrote to memory of 3912	4552	Kilhgk32.exe	91
PID 4552 wrote to memory of 3912	4552	Kilhgk32.exe	91
PID 3912 wrote to memory of 2340	3912	Kbdmpqcb.exe	92
PID 3912 wrote to memory of 2340	3912	Kbdmpqcb.exe	92
PID 3912 wrote to memory of 2340	3912	Kbdmpqcb.exe	92
PID 2340 wrote to memory of 2768	2340	Kkkdan32.exe	93
PID 2340 wrote to memory of 2768	2340	Kkkdan32.exe	93
PID 2340 wrote to memory of 2768	2340	Kkkdan32.exe	93
PID 2768 wrote to memory of 3644	2768	Kphmie32.exe	94
PID 2768 wrote to memory of 3644	2768	Kphmie32.exe	94
PID 2768 wrote to memory of 3644	2768	Kphmie32.exe	94
PID 3644 wrote to memory of 640	3644	Kknafn32.exe	95
PID 3644 wrote to memory of 640	3644	Kknafn32.exe	95
PID 3644 wrote to memory of 640	3644	Kknafn32.exe	95
PID 640 wrote to memory of 1052	640	Kagichjo.exe	96
PID 640 wrote to memory of 1052	640	Kagichjo.exe	96
PID 640 wrote to memory of 1052	640	Kagichjo.exe	96
PID 1052 wrote to memory of 2216	1052	Kajfig32.exe	97
PID 1052 wrote to memory of 2216	1052	Kajfig32.exe	97
PID 1052 wrote to memory of 2216	1052	Kajfig32.exe	97
PID 2216 wrote to memory of 4680	2216	Kkbkamnl.exe	98
PID 2216 wrote to memory of 4680	2216	Kkbkamnl.exe	98
PID 2216 wrote to memory of 4680	2216	Kkbkamnl.exe	98
PID 4680 wrote to memory of 1172	4680	Lpocjdld.exe	99
PID 4680 wrote to memory of 1172	4680	Lpocjdld.exe	99
PID 4680 wrote to memory of 1172	4680	Lpocjdld.exe	99
PID 1172 wrote to memory of 1652	1172	Lkdggmlj.exe	100
PID 1172 wrote to memory of 1652	1172	Lkdggmlj.exe	100
PID 1172 wrote to memory of 1652	1172	Lkdggmlj.exe	100
PID 1652 wrote to memory of 3856	1652	Ldmlpbbj.exe	101
PID 1652 wrote to memory of 3856	1652	Ldmlpbbj.exe	101
PID 1652 wrote to memory of 3856	1652	Ldmlpbbj.exe	101
PID 3856 wrote to memory of 4052	3856	Laalifad.exe	102
PID 3856 wrote to memory of 4052	3856	Laalifad.exe	102
PID 3856 wrote to memory of 4052	3856	Laalifad.exe	102
PID 4052 wrote to memory of 2808	4052	Lkiqbl32.exe	103
PID 4052 wrote to memory of 2808	4052	Lkiqbl32.exe	103
PID 4052 wrote to memory of 2808	4052	Lkiqbl32.exe	103
PID 2808 wrote to memory of 1424	2808	Laciofpa.exe	104
PID 2808 wrote to memory of 1424	2808	Laciofpa.exe	104
PID 2808 wrote to memory of 1424	2808	Laciofpa.exe	104
PID 1424 wrote to memory of 4824	1424	Lgpagm32.exe	105

C:\Users\Admin\AppData\Local\Temp\451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe
"C:\Users\Admin\AppData\Local\Temp\451c1840da7df35adae4aa4aafdfd398744ba3f27e1ff83df0f45346577fbff9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\Jplmmfmi.exe
  C:\Windows\system32\Jplmmfmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 400
        41⤵
        Program crash
        
        PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2952 -ip 2952
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbocea32.exe

Filesize
512KB

MD5
084b52ec2f2cb04da792c47820bd03e6

SHA1
19a9fdd62a6ee14407728d0c9ed3c43fc55f9770

SHA256
75b354c886c9875e039ee0d2d34ebc122d268558ea5974818b7bdf8b9ed5e9c4

SHA512
07011864096aefde046e5cb5f7962e7ff78364f48d26a802a3f9d2ccce0591ea4830877b37fe26b4d2fa1e02e599f6d93a86433f9161d273a64c5f347f8d6655

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
512KB

MD5
8461dac83a4c20ba127bded226cda918

SHA1
9533e24f03257d0365b16a08f887fc5b7ea9ddd8

SHA256
fad32f8aa6b34aaee6021f44d637c66e9156d62960a608422f621acb84aeaad2

SHA512
9bd062f7407d7694a0f420d7498b8304a548395128f1fc3fd6b3e7b4071e03b55d30f70a5ba1b9e6710bfbc76a7177ce6e0f11b055bddf99c6ee9f94bd2d5d53

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
512KB

MD5
0096bd7c75a20e6c37eef9e832310b8e

SHA1
5272f5fbc53531ea71119b704ea32b60868e4600

SHA256
6e20c0465bd511a55d20b6c750894c7ba82f8e295f498394d7bebe7c36136ee3

SHA512
ad1eecc5ae8abbb5360509cb313352d9c6d49d76a0cffac712159a677a1c9904d61b3a0fe6198a669a5e8a478d118a5dc42328597125e5ec4cf15f1c7ee4604c

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
512KB

MD5
123cd145f666d4ef34f6c2e4a83c003c

SHA1
2c20176aa6fc54567f58c4294e3d134c897bd4ae

SHA256
c194834ef14029045cc43cbe4889b5e12be333fd754a96a027083ac92749c4fd

SHA512
f9d186515890fd12438169f531c9043dcd68de88bbb622db58ebbe9e7b0c91f3c0d18992b6e91a002a9b968270a87604b31d7d50a7f1857705c7ab3c9b449c02

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
512KB

MD5
cd03a01aec60ce93886c9f1952616332

SHA1
991f9f90433e5640f4435af5bd1ef253966f22c6

SHA256
f28f9ae6f6e5d2108ab61848309637aede7d9552df50420f2808d54b4b64fa69

SHA512
cc308cb5b11d0d21cf0d7884f6227e48d3eeadec6abb879f8d877ea584bb88c72b432874b280978bb36c6d8421d6d0ed2bbde1ebd27a4b9ed9e2ee50fe40cb0b

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
512KB

MD5
328cd5ff4aee614a5bc2bbedfbf4d852

SHA1
86719423c47076b4a283a8307f50bc6d35ac57d0

SHA256
e5e015062b1db1ed09bdc91b9694f63f06503a4c3f48f06ffb64a878de3869ad

SHA512
68fccea74fa8e179ef36403f816632aa92cf90da805ac91721db5cbca6e6d4392a212707dcb22a4d61c1e4b40796ec2423bef14495c237d69e3ce670f5df9739

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
512KB

MD5
3326564d54ebaaa8ba835c8bc0d9211e

SHA1
d810e9327f0adf28074794509d7164a08b9998b2

SHA256
4626009a7ab2773c89d1c0fc58be0d1f133db6a4b1c66308a5ae233bff5064d8

SHA512
ebdee383f31e52a86dd18f3e96ababb101a21b86fd02f226805e339fee3f4ed058f9b05092fb421ed2ea33782637a557850ec8a1567843c928eea6d1b131bc60

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
512KB

MD5
71a84f9457bbb42c167e3f6a8c079786

SHA1
f440dc48538b192f102722cf49de48629f37f91d

SHA256
2d1c351b2823dc566af89aafc537a9e4131bd16cb727475f323459c47ec26f11

SHA512
719c1c23b99478a18ba91f6853a9ed8b4becaacff109fdc4d2600045f69aea154c04d110e3455c949140ddb359354a5261124e18dd6ffc77ef453804d2ea4af9

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
512KB

MD5
3af695014ba65e08ba7b4b202388d25e

SHA1
2c6366f857bf2889c8f1cbc5f277a166b88a6dc2

SHA256
980c6d05f500dd3d1a46ac50146c17e65a17075e4506bdb502715f7266bfaed8

SHA512
fe52a82519a1d17d9b0916d3aac342bb5e19582017ec67bf1343037e309ccc2641305d49a9f78497c4e4af69ef574a631ad099f237252573a2d3b316814e7d76

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
512KB

MD5
c6a26e7d90fab0ee49c32978c6647a3e

SHA1
6e55e6d9759914b7499e7ddb0d96592020d8c0eb

SHA256
77637d31e49c74e2f1948c648a2d1ed1b2523cccdc44f51c3c33b8d37250d2ae

SHA512
756e559348ab37b52a5a1b16cc59f6d45f061da155e8fef20b96d20019b470e8a8bd5bec5d96af9998e493922957920479d3160fc64caaba4b72e3ce4d92df7b

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
512KB

MD5
532b0dc74e639907d8a58a833f271de8

SHA1
97a66db6391123ea2c027f90aa63015c567371b2

SHA256
15da8bebb36d718eae03c36e18f6c8aebcf00da1c7590321cfdb81dfd4566143

SHA512
bf82ad1ad3065711b4a6dd7388bc4878a995423391aaf47d9c50e08da32f0e92f3e7762102ba25a71a6bb57fcd77d1ec00eac2f60be0d6974160a527a31cb1a2

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
512KB

MD5
b3ff6468cf9322b2eb0b9c5d4a721f26

SHA1
b91b20a070a5fb76ecea0eee866feec80acd0e8f

SHA256
dee5bab2b1a1e5b454fabdb1a1c987adacc82f5dc65acd0a11fc291ea7eab2c7

SHA512
81c06a30fe940aac291b8be2cd772be757d8665ddff718ac3fd1cb9fa94ff894384b0709d6e3fa66180336235c6766e65621d0a4c7c3cb765f3fabe79a9f8f3e

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
512KB

MD5
85acf6f65c9f0b101f925b16fe05254e

SHA1
16f91cf72bcd13652a993de7c9552c8498428e62

SHA256
9d5bdf3763649117705df26c9ea46cf4678ea8ac67d8a9ff6f1a088fd03bba2a

SHA512
f39128e870aea41728cf1e9c91abbf93219866f62c40f9435ca9499b7db24fb5c3b6ef4c6c735e96d63a7e8bff24745df0150ec7e44e63f9917704c74d7657b8

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
512KB

MD5
b2c4f09055aba242a93eb3858c15900d

SHA1
0fba6d291328ce182a51a3b592c8a4e7a3e123cb

SHA256
2b5fc1d526d7e48bda96c5a21109032ae69cbfe81fe9b171a4e1919e05a9aaba

SHA512
1c964d0f9c8664adbaa143b2e81700502f39d87082c71de706434f2c9864643a7b3b9485f0cd2e80f7af271dda36923904b6c3c7c9da85ce328ed572bedb0102

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
512KB

MD5
d16090534d68540bb3525ada260ab985

SHA1
137497a606a39e0d4725aade61423a9870aa7e28

SHA256
98c2de6b5e061006907fb1b1893dcee14d07cb2f79e2159afe39ace849c2fbf3

SHA512
166e9047defde3059e13c296e3f7f387c0c98b10d33909a03853f5d2487704c6a0385eb6ecb4c9d46664aba18193c257b00b445af3ddc097dd3973c2ab3c4e04

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
512KB

MD5
5723446674572141c0f9a1c7742cb0c0

SHA1
a0ce0d4e3b69f5b4e944e8b47c8d421fac51cba8

SHA256
c099aa2854013054bdb399de75317991132018addb10b306c396561556800335

SHA512
1522a265fe32c8ed5da3dd37aced92596b844a198bef2299a7da8f7acdae6a6d0872bb0b8fca706140f6a6d71b875a0a9ab2266061b12a3134105ba36bb024cb

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
512KB

MD5
9aa4aff0c8fd117fc1469ab9fc013a4c

SHA1
a250ca5ae57b6824a663c37ffa3152ccfd97e4d5

SHA256
038729242ced89ea480aa1c5fa285df1d8b0a3d2d05008a8bebe7bd805322e94

SHA512
36f69b9d8961fff6597ebe3c9f4353c0962d3b36422b49c9eb37546e3d98253d11cba6567e25abd0647218b7801f0d5f6fecc355a0c0f4b1fac6b7ec74f033fa

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
512KB

MD5
24d8606230e85b432ba1ade0141ab242

SHA1
543476c3c1c4c6c4b2074cfb0635a233c226e8af

SHA256
0b89975123291f4898b58d1ca752c657f9023a068db6033f76808182ee5e2d6c

SHA512
ea9cf0f855b49e0109fbea911fbf892b42ada731165c1aa34aaba938edba71d2f218978b9b0e1c641d7b7d6c5057a86882676eb79131cc80a0fb3e4bfc7a8d9e

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
512KB

MD5
548d7be5ebecc6f0f12dd95d0612464b

SHA1
04a03157307e3d5d2b96b8844794f4f3b38347ef

SHA256
61e2ecc0686e12c0d38c6476f50bfbae42bca950683831d9148ee67d0afc639f

SHA512
a07c2fdcfb3bf4acdf9c78a044f39790073b2e99ddd979d71737d5714517cbfbc38173ea90851a580cce89fde963a24064677c35e3db251ffc98eb43c07ed206

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
512KB

MD5
ed7f7d740577e9fda9fba247ba76d808

SHA1
fef1dcb71e34d88bfa723a2cbd3b4a6cc7923266

SHA256
850edc6ccaf664c74927db8692cbe6d7e76f1a6d69ad29bf3c2b686702bc2063

SHA512
55e4b987988ec6186878b8426f68b377f6135e6ad5f0aff04af51852c95aef715d6c69fd632f167afd42ac1618f911f5fc146feee4826e771178269be80f5eb9

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
512KB

MD5
2394aa1071beef64bc505326f08a57b5

SHA1
03d85580d88d9579ae71e928d3479f9328aef85c

SHA256
14334c9b3169960586a25ee404df087dc9906351c2fa5cec960ce0a79c7618c5

SHA512
8b9eb869f6d3773890ee9b274e1d703334fc34e494b4007aaa0daff8766a9e2d139e0e8af8551eea85c0458c4a49e54dc760b13bf4147a54bfb5b9a480d8b06b

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
512KB

MD5
6fc5e86bda942969ff69279071253fd6

SHA1
cbf1b85151dc456563e720071693df34cf1447c7

SHA256
81015e038411d3ab4fad415d69490a675687b2899bc3f85f3d11323bdfc5199d

SHA512
0cd32e4563c01a34c814fc13dba8754495f472cc1ab5ed77e6bd593f23f87114d5c60f98e986c26b8f9c19d4467a053aaf9dee9f380f7895ca21ef6146b01311

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
512KB

MD5
d18a06feb384ef0b7d2d1e66dea2e8cb

SHA1
80fded8c6a625ab6ab29df4075be6018a1b87eb6

SHA256
0c7826c9e8bda2f36b9ad9299981fb2a87965800616e7e0fc138aa4ca70db4d5

SHA512
20bd86578207dd0ca78d2a936e77efbc8a9834b5ed112adfaf0c66ff03c130713d67b2e1106cbccbfec40345788ae17f19f2d9b4d852c3ef3d1d90553b623e58

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
512KB

MD5
bbacfdde1e04a1bea477b95b2c093097

SHA1
3f528c00a3b36b56abc9d4611d79b4b6362c5ee7

SHA256
7e23ecb7ac1ec79e8dc2a8164b69bd7679866388ec6d1354b3bab5f702debccf

SHA512
cf49c31c55ee41b052afa78b0702ca8eee4e88baf0d7077bba6267f178b841cf43ba8e4211186a49b6bd1c801ef4b55ff794e2c6f5e2c34da0ea4e95e0407cd6

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
512KB

MD5
eafbb6d2cf87d80f1c0c818d79b65f05

SHA1
38513cd05966209f2372a51e49ee2bf43804ad63

SHA256
a832f482ab8936522b55fd2d1bdda12938d57ce2f6cc70115168f6afb51b2e71

SHA512
14da0a67a3f3b12ac8f167ceb7f0d8b5686d9f227ea17bb915fbf7da198b9b9138d30ddec6d6bb824a8c3f76a76d970474303c03406680f0d035dfdbb286e7a7

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
512KB

MD5
8e95d7fb2e71582237adba5495db0255

SHA1
dffad92ab6706a3a1b0c21ff9fe23800fa6397b1

SHA256
39b64eae27d3f0dd3ba3dd059c05fea547df950b5e91daccc398594ee83accba

SHA512
acc20c5b9489d90d53daab72968e109e42ecff3a6bd4b8a14fae7ae4b710e0d5257d58add821a1547f967d2752be67286a2fcf8eaa40dd68285fcb273cb0417c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
512KB

MD5
82603450b3cfa84ff0b399b0481119d7

SHA1
9d1150f35b7b9d451fb2d28e2c587423edd88fbb

SHA256
6390bd8b4f63a983d3a046f0dea27f3625658dc41474b3566f988710a7ac0256

SHA512
38df434bb39eccb0fc68c4293933462870b35c77d088f167ae2c48d62bda48e3d3f934ac073ef44afd9655a3dda46688e188d1c27876b13c32b5445c30991b1c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
512KB

MD5
6a9e943d755a32064bf0b1673c22113f

SHA1
5037fc14d0aeba413bcd5304d24eab8cb1999a4e

SHA256
7aa84059830f6721a480886e9f28bbe318f9e996e7b38679599c00eb2b6fd120

SHA512
4b044b38928771d98e3b87ff9da7a3046a0fcdc7b9d32cbba3109182121182c53654fc8356787b77ee5231966fbea9a0bcb69c7a376f0a386c09aacbf9a46c6c

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
512KB

MD5
eb16b4e4bfa207bac2ee41eb90dd4fbe

SHA1
4d693c85dd29814c38f4591e1a20866df90df1d6

SHA256
5400388828b977156cda244d5dac696d6cf64c81f1efeae019033babb69d6269

SHA512
46b5b994039a6f117fc85728c56327be099f88ec0f8fa8bbf13772bcc5aa788abaa83febc2c8973013d4b0563fae7936df61b281fbcb5f0443bc4344ed131ed6

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
512KB

MD5
0ec82e7a13c7a6357927a39e4d2110c5

SHA1
d20fbf341344156c651f00e16b9cedb65d5b8598

SHA256
9906723c881efaa083b5df39b76652398390a53815fc09ca6dfb5ac953482d5e

SHA512
e8afc0bc64551b32db1b421f228523f111245acaa25ae8835a25041c73e6be7b676174e7a4f8350befe1d9cdf1d6659567f48cc370e360002de6f9714d6596c6

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
512KB

MD5
219110164642383537c0252c62c2e92e

SHA1
61218582d7969fd8be97ce2f4306615b49d809f4

SHA256
7bb96f9ccb7777e69cbe52e2c38966700a0a729bcca042deb87cb760428147eb

SHA512
476068ea7133e90f4ce969065d44ab6ac5ef81e7a6f281f257a3af34ab695bfb77349e9a7ce09e02f94004d4606f229e73ce217dfdf4f1259ad252f30ca555a9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
256KB

MD5
5ae7cb783efa6ba6521ff118820e33db

SHA1
1158fd41aba5e23ffa91847bc9cf8c56c6debd91

SHA256
b920b8418679d5a5406d2aac59f7d03a9351746dd62c11c1eafc071ce60a27bd

SHA512
9fcda57428b1ecf6d9a8a9a308a95e64318bddb0fad7d9cd6da79365653616f2c47410984eb3f36c3a25c7303eaf862bad3ffc38ea3307e625e82357111e4552

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
512KB

MD5
e70f508c933218f3f32e968316ba56eb

SHA1
0c4b5f34b77a4a0d3ca205506b8d92eb2e6f3b1a

SHA256
2d6827249f6f91da29d93d3b10df5f59f23116a824bc175f47bacec911ec5f7d

SHA512
5e60a0a59f5269d0d9606f06e11c5a098514e58c5422113c5b46cf22e4e7f158bd98737b8c8ca8a94b738b485aba4ed294ead101d3bd110c24110f60132e3aac

Download Submit
memory/8-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3456-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads