ae1cf53750a08281349ff1532eddc1bb28ef8dfcc6271c9b65d6f59ea3d721a9

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3faf4343b4f6db3db4c65047da16e0N.exe
Size

64KB
MD5

7d3faf4343b4f6db3db4c65047da16e0
SHA1

b90edd2a158808120955c3c3cf683c34f5ff9760
SHA256

ae1cf53750a08281349ff1532eddc1bb28ef8dfcc6271c9b65d6f59ea3d721a9
SHA512

aca83e439b005eef1766622b966bae101127fab9ce53139fbb1fb7615d68482b1f4ef16933a4dbdcafe39ced2328cfd86911aaded7fe17fef19962e0f8d91f6d
SSDEEP

1536:AGgqmyZSIIylBvnnF24R1rmnGSiz2L3AMCeW:A4Y6F2o2RT3pW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d3faf4343b4f6db3db4c65047da16e0N.exeLcojjmea.exeMeppiblm.exeNgibaj32.exeLaegiq32.exeMlaeonld.exeNpagjpcd.exeNiebhf32.exeLcagpl32.exeMieeibkn.exeMbmjah32.exeModkfi32.exeLfbpag32.exeLbiqfied.exeNgfflj32.exeNmbknddp.exeLfpclh32.exeNkpegi32.exeMdacop32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d3faf4343b4f6db3db4c65047da16e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d3faf4343b4f6db3db4c65047da16e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe

Executes dropped EXE 19 IoCs

Processes:

Lcojjmea.exeLcagpl32.exeLfpclh32.exeLaegiq32.exeLfbpag32.exeLbiqfied.exeMlaeonld.exeMieeibkn.exeMbmjah32.exeModkfi32.exeMdacop32.exeMeppiblm.exeNkpegi32.exeNgfflj32.exeNiebhf32.exeNgibaj32.exeNmbknddp.exeNpagjpcd.exeNlhgoqhh.exe

pid	process
2884	Lcojjmea.exe
2852	Lcagpl32.exe
2828	Lfpclh32.exe
3068	Laegiq32.exe
600	Lfbpag32.exe
1500	Lbiqfied.exe
2072	Mlaeonld.exe
2136	Mieeibkn.exe
2504	Mbmjah32.exe
1572	Modkfi32.exe
2212	Mdacop32.exe
1960	Meppiblm.exe
2108	Nkpegi32.exe
2192	Ngfflj32.exe
1028	Niebhf32.exe
1948	Ngibaj32.exe
1652	Nmbknddp.exe
1644	Npagjpcd.exe
1568	Nlhgoqhh.exe

Loads dropped DLL 38 IoCs

Processes:

7d3faf4343b4f6db3db4c65047da16e0N.exeLcojjmea.exeLcagpl32.exeLfpclh32.exeLaegiq32.exeLfbpag32.exeLbiqfied.exeMlaeonld.exeMieeibkn.exeMbmjah32.exeModkfi32.exeMdacop32.exeMeppiblm.exeNkpegi32.exeNgfflj32.exeNiebhf32.exeNgibaj32.exeNmbknddp.exeNpagjpcd.exe

pid	process
2840	7d3faf4343b4f6db3db4c65047da16e0N.exe
2840	7d3faf4343b4f6db3db4c65047da16e0N.exe
2884	Lcojjmea.exe
2884	Lcojjmea.exe
2852	Lcagpl32.exe
2852	Lcagpl32.exe
2828	Lfpclh32.exe
2828	Lfpclh32.exe
3068	Laegiq32.exe
3068	Laegiq32.exe
600	Lfbpag32.exe
600	Lfbpag32.exe
1500	Lbiqfied.exe
1500	Lbiqfied.exe
2072	Mlaeonld.exe
2072	Mlaeonld.exe
2136	Mieeibkn.exe
2136	Mieeibkn.exe
2504	Mbmjah32.exe
2504	Mbmjah32.exe
1572	Modkfi32.exe
1572	Modkfi32.exe
2212	Mdacop32.exe
2212	Mdacop32.exe
1960	Meppiblm.exe
1960	Meppiblm.exe
2108	Nkpegi32.exe
2108	Nkpegi32.exe
2192	Ngfflj32.exe
2192	Ngfflj32.exe
1028	Niebhf32.exe
1028	Niebhf32.exe
1948	Ngibaj32.exe
1948	Ngibaj32.exe
1652	Nmbknddp.exe
1652	Nmbknddp.exe
1644	Npagjpcd.exe
1644	Npagjpcd.exe

Drops file in System32 directory 57 IoCs

Processes:

Mdacop32.exeMeppiblm.exeNgibaj32.exeLfpclh32.exeLaegiq32.exeMieeibkn.exeMbmjah32.exeModkfi32.exeNkpegi32.exeNpagjpcd.exeLcojjmea.exeLbiqfied.exeMlaeonld.exeLcagpl32.exeNmbknddp.exe7d3faf4343b4f6db3db4c65047da16e0N.exeNiebhf32.exeLfbpag32.exeNgfflj32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Lhajpc32.dll	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Aadlcdpk.dll	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	7d3faf4343b4f6db3db4c65047da16e0N.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Lbiqfied.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lfpclh32.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Nffjeaid.dll	7d3faf4343b4f6db3db4c65047da16e0N.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Meppiblm.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Lbiqfied.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Lcojjmea.exe	7d3faf4343b4f6db3db4c65047da16e0N.exe
File created	C:\Windows\SysWOW64\Poceplpj.dll	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Nkpegi32.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Mbmjah32.exeMeppiblm.exeNgibaj32.exeLfpclh32.exeLfbpag32.exeNpagjpcd.exeNlhgoqhh.exeMdacop32.exeNkpegi32.exeMlaeonld.exeMieeibkn.exeNgfflj32.exeLcojjmea.exeLaegiq32.exeLbiqfied.exeModkfi32.exeNiebhf32.exeNmbknddp.exe7d3faf4343b4f6db3db4c65047da16e0N.exeLcagpl32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d3faf4343b4f6db3db4c65047da16e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcagpl32.exe

Modifies registry class 60 IoCs

Processes:

7d3faf4343b4f6db3db4c65047da16e0N.exeLfpclh32.exeMieeibkn.exeNkpegi32.exeNiebhf32.exeLcojjmea.exeLcagpl32.exeLaegiq32.exeLfbpag32.exeLbiqfied.exeMlaeonld.exeMdacop32.exeMeppiblm.exeNgibaj32.exeNgfflj32.exeMbmjah32.exeModkfi32.exeNmbknddp.exeNpagjpcd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7d3faf4343b4f6db3db4c65047da16e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	7d3faf4343b4f6db3db4c65047da16e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7d3faf4343b4f6db3db4c65047da16e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7d3faf4343b4f6db3db4c65047da16e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7d3faf4343b4f6db3db4c65047da16e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7d3faf4343b4f6db3db4c65047da16e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2840 wrote to memory of 2884	2840	7d3faf4343b4f6db3db4c65047da16e0N.exe	Lcojjmea.exe
PID 2840 wrote to memory of 2884	2840	7d3faf4343b4f6db3db4c65047da16e0N.exe	Lcojjmea.exe
PID 2840 wrote to memory of 2884	2840	7d3faf4343b4f6db3db4c65047da16e0N.exe	Lcojjmea.exe
PID 2840 wrote to memory of 2884	2840	7d3faf4343b4f6db3db4c65047da16e0N.exe	Lcojjmea.exe
PID 2884 wrote to memory of 2852	2884	Lcojjmea.exe	Lcagpl32.exe
PID 2884 wrote to memory of 2852	2884	Lcojjmea.exe	Lcagpl32.exe
PID 2884 wrote to memory of 2852	2884	Lcojjmea.exe	Lcagpl32.exe
PID 2884 wrote to memory of 2852	2884	Lcojjmea.exe	Lcagpl32.exe
PID 2852 wrote to memory of 2828	2852	Lcagpl32.exe	Lfpclh32.exe
PID 2852 wrote to memory of 2828	2852	Lcagpl32.exe	Lfpclh32.exe
PID 2852 wrote to memory of 2828	2852	Lcagpl32.exe	Lfpclh32.exe
PID 2852 wrote to memory of 2828	2852	Lcagpl32.exe	Lfpclh32.exe
PID 2828 wrote to memory of 3068	2828	Lfpclh32.exe	Laegiq32.exe
PID 2828 wrote to memory of 3068	2828	Lfpclh32.exe	Laegiq32.exe
PID 2828 wrote to memory of 3068	2828	Lfpclh32.exe	Laegiq32.exe
PID 2828 wrote to memory of 3068	2828	Lfpclh32.exe	Laegiq32.exe
PID 3068 wrote to memory of 600	3068	Laegiq32.exe	Lfbpag32.exe
PID 3068 wrote to memory of 600	3068	Laegiq32.exe	Lfbpag32.exe
PID 3068 wrote to memory of 600	3068	Laegiq32.exe	Lfbpag32.exe
PID 3068 wrote to memory of 600	3068	Laegiq32.exe	Lfbpag32.exe
PID 600 wrote to memory of 1500	600	Lfbpag32.exe	Lbiqfied.exe
PID 600 wrote to memory of 1500	600	Lfbpag32.exe	Lbiqfied.exe
PID 600 wrote to memory of 1500	600	Lfbpag32.exe	Lbiqfied.exe
PID 600 wrote to memory of 1500	600	Lfbpag32.exe	Lbiqfied.exe
PID 1500 wrote to memory of 2072	1500	Lbiqfied.exe	Mlaeonld.exe
PID 1500 wrote to memory of 2072	1500	Lbiqfied.exe	Mlaeonld.exe
PID 1500 wrote to memory of 2072	1500	Lbiqfied.exe	Mlaeonld.exe
PID 1500 wrote to memory of 2072	1500	Lbiqfied.exe	Mlaeonld.exe
PID 2072 wrote to memory of 2136	2072	Mlaeonld.exe	Mieeibkn.exe
PID 2072 wrote to memory of 2136	2072	Mlaeonld.exe	Mieeibkn.exe
PID 2072 wrote to memory of 2136	2072	Mlaeonld.exe	Mieeibkn.exe
PID 2072 wrote to memory of 2136	2072	Mlaeonld.exe	Mieeibkn.exe
PID 2136 wrote to memory of 2504	2136	Mieeibkn.exe	Mbmjah32.exe
PID 2136 wrote to memory of 2504	2136	Mieeibkn.exe	Mbmjah32.exe
PID 2136 wrote to memory of 2504	2136	Mieeibkn.exe	Mbmjah32.exe
PID 2136 wrote to memory of 2504	2136	Mieeibkn.exe	Mbmjah32.exe
PID 2504 wrote to memory of 1572	2504	Mbmjah32.exe	Modkfi32.exe
PID 2504 wrote to memory of 1572	2504	Mbmjah32.exe	Modkfi32.exe
PID 2504 wrote to memory of 1572	2504	Mbmjah32.exe	Modkfi32.exe
PID 2504 wrote to memory of 1572	2504	Mbmjah32.exe	Modkfi32.exe
PID 1572 wrote to memory of 2212	1572	Modkfi32.exe	Mdacop32.exe
PID 1572 wrote to memory of 2212	1572	Modkfi32.exe	Mdacop32.exe
PID 1572 wrote to memory of 2212	1572	Modkfi32.exe	Mdacop32.exe
PID 1572 wrote to memory of 2212	1572	Modkfi32.exe	Mdacop32.exe
PID 2212 wrote to memory of 1960	2212	Mdacop32.exe	Meppiblm.exe
PID 2212 wrote to memory of 1960	2212	Mdacop32.exe	Meppiblm.exe
PID 2212 wrote to memory of 1960	2212	Mdacop32.exe	Meppiblm.exe
PID 2212 wrote to memory of 1960	2212	Mdacop32.exe	Meppiblm.exe
PID 1960 wrote to memory of 2108	1960	Meppiblm.exe	Nkpegi32.exe
PID 1960 wrote to memory of 2108	1960	Meppiblm.exe	Nkpegi32.exe
PID 1960 wrote to memory of 2108	1960	Meppiblm.exe	Nkpegi32.exe
PID 1960 wrote to memory of 2108	1960	Meppiblm.exe	Nkpegi32.exe
PID 2108 wrote to memory of 2192	2108	Nkpegi32.exe	Ngfflj32.exe
PID 2108 wrote to memory of 2192	2108	Nkpegi32.exe	Ngfflj32.exe
PID 2108 wrote to memory of 2192	2108	Nkpegi32.exe	Ngfflj32.exe
PID 2108 wrote to memory of 2192	2108	Nkpegi32.exe	Ngfflj32.exe
PID 2192 wrote to memory of 1028	2192	Ngfflj32.exe	Niebhf32.exe
PID 2192 wrote to memory of 1028	2192	Ngfflj32.exe	Niebhf32.exe
PID 2192 wrote to memory of 1028	2192	Ngfflj32.exe	Niebhf32.exe
PID 2192 wrote to memory of 1028	2192	Ngfflj32.exe	Niebhf32.exe
PID 1028 wrote to memory of 1948	1028	Niebhf32.exe	Ngibaj32.exe
PID 1028 wrote to memory of 1948	1028	Niebhf32.exe	Ngibaj32.exe
PID 1028 wrote to memory of 1948	1028	Niebhf32.exe	Ngibaj32.exe
PID 1028 wrote to memory of 1948	1028	Niebhf32.exe	Ngibaj32.exe

C:\Users\Admin\AppData\Local\Temp\7d3faf4343b4f6db3db4c65047da16e0N.exe
"C:\Users\Admin\AppData\Local\Temp\7d3faf4343b4f6db3db4c65047da16e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\Lcojjmea.exe
C:\Windows\system32\Lcojjmea.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\Lcagpl32.exe
C:\Windows\system32\Lcagpl32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\Lfpclh32.exe
C:\Windows\system32\Lfpclh32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\Laegiq32.exe
C:\Windows\system32\Laegiq32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\Lfbpag32.exe
C:\Windows\system32\Lfbpag32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\Lbiqfied.exe
C:\Windows\system32\Lbiqfied.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Mlaeonld.exe
C:\Windows\system32\Mlaeonld.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Mieeibkn.exe
C:\Windows\system32\Mieeibkn.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\Mbmjah32.exe
C:\Windows\system32\Mbmjah32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\Modkfi32.exe
C:\Windows\system32\Modkfi32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\Mdacop32.exe
C:\Windows\system32\Mdacop32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\Meppiblm.exe
C:\Windows\system32\Meppiblm.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\Nkpegi32.exe
C:\Windows\system32\Nkpegi32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\Ngfflj32.exe
C:\Windows\system32\Ngfflj32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\Niebhf32.exe
C:\Windows\system32\Niebhf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\Ngibaj32.exe
C:\Windows\system32\Ngibaj32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1948

C:\Windows\SysWOW64\Nmbknddp.exe
C:\Windows\system32\Nmbknddp.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652

C:\Windows\SysWOW64\Npagjpcd.exe
C:\Windows\system32\Npagjpcd.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1644

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laegiq32.exe
Filesize
64KB

MD5
1efd2d7e34444c5f8fec926a6515bec1

SHA1
565ca5b5869f8874615e20c3c2b77c0692970609

SHA256
ac54212fb23499441b28ad2e91863dde2f422da30f2961e3ca15e6fde1f379de

SHA512
ad4be3da175253b6bc32744243ae608f6bc31bf5c26a05ba09eb8113fe36dc2dd9f5289da78b5c39a19ebc6350011a510bd6f9fc2fb7de3dc2d284e4321c1c43

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe
Filesize
64KB

MD5
406f0589ae1c002e87b3897c099f5d91

SHA1
cc5719779448665db6d96a5a3a8b021740faaafa

SHA256
fe2d1f2ed43b5c248123a4caf53610a83f66f7a03c3598e452f3495a20ae0362

SHA512
5d010f69954dcf233e5f8dd71fee6dcff0e8c5cff3114426e5640bc694566f61fa9986bea707536226249dae733212120f573159ba9761624e388077911d2561

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe
Filesize
64KB

MD5
27d2380e97c3392dd3c500ad742f1189

SHA1
02c78c38f4954dc0457715603492d9a49dd98519

SHA256
78e4f698489d795c756de171041ae9d2a3647855a544b871563bcf35fbfff55a

SHA512
96a854d35a224116e08d37cf012be49bc1320b22af00716fdf5afbe11e7ee9e9bc0f8e4572e94aabd2917bc75d40d3ec5b1769ef798bcb07fd8bb45d794e148f

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe
Filesize
64KB

MD5
56c0592d28296b74ce308f8b47554bea

SHA1
47938d1a0e1e0675437d200324a178f944cfdeef

SHA256
61a81f4c459d9dfea7590edfca5c9de762b37c0615fd0d2250bccdefe94de427

SHA512
2acd0bf203e82941cc061c4ed1af839a4b75b80dd58b05875cc52a9d1f9a6b7fe9ea3112185ca1bd7cd3c7c1acf9f1a0910439460783b38083e7c76ddcce8669

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe
Filesize
64KB

MD5
50b563df27a4a6c8e973b53ace585022

SHA1
16ae578d085c6394412580ec79d667cc742a4859

SHA256
831b4d1784fe4c464dd7393f58d2fb0ec04f0adc2f651463399def4f2f225a9d

SHA512
440ae7bc880dd1acc76066ec9a3345af52967adbcf24d83732da5a52b96f8db3d843b38b13507139c1e2342025490e39d7c0eba69143499c15c650edca540c7e

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe
Filesize
64KB

MD5
0b5e4c5aab968a65754e93c51ad94791

SHA1
7862d652f3154e824061a490704085546502f663

SHA256
5b7b330113a628511e47fafc299bc24a3fe26021e83177ac3293bf387064e8ad

SHA512
cd4799e6a1aac28adc21bad7034183a7638c9e76b48e33162fb2649b7090fbabe2594538f27db477db352ded5d7051764fd001544e47d1b18580d735e67f8cf4

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe
Filesize
64KB

MD5
a227070f51c47816428aafe99ceb6816

SHA1
3cb22eba87e21e4ffa59bb489326ca75128d1bff

SHA256
f5569740873a7e2f3bd80d64e93a313f283e04258aa62f72ff2b981305cb67ab

SHA512
ba5803f4280a3034ca34d7c8022f4e815a8eb75b9070317d42ee358ebeb57c65618193df2751ace30db1d17be331e1af7b6cf710bd58b1cbb2ca9766f92fbd6b

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe
Filesize
64KB

MD5
c10d7b113f8a0f3847694807585f45ba

SHA1
d5b32bd201223efd13267fe3355da0b8c367c364

SHA256
a246c54d0092d55e585a10c6d99f2ba35a6b87327ded722a92ac7a3a779afd3a

SHA512
c476663f0a9730dab73e590dcbacf847a3a33061aaf77a731ac38a1719eeffc5bad8e722e36ee544decf2f8ed6ee41c52b8b6528c79e8090c4cf6026b2484501

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe
Filesize
64KB

MD5
b09c68dda15190cbb2a5a5345d8d4a94

SHA1
41fff6310502e9d3291ae7839349b0e3b61c0df3

SHA256
e2b197eb45aa1e56f7c53fd7aed579fcb4af9a53769cb418d419eaf2780c936f

SHA512
4a3862edffbce710acae3fb87d68980f9983fe3661c5ac25b1b43e368a27ae2dfaa6ce8fc72e5c95a72d23b5f73e5238c068221d6d680f2b67c572a020176eae

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe
Filesize
64KB

MD5
750c5727a86df915678dea83c9071733

SHA1
352864a2ecf7dac2fc907103b7307618c5ee075c

SHA256
7b65cea14c5cbdc0a625b93c1f2ac9fca9bacbbf6daf032fa60068635f2db0b9

SHA512
a1df652e2ce75fad67609dafa7fda690ffd72e56ab216f3293ad7efd945c254d5cf0fb61ac0d8fc108d28984dce51a8b4d413dc104b297a4b5eb19bbf30606ed

Download Submit
\Windows\SysWOW64\Lbiqfied.exe
Filesize
64KB

MD5
a900a8d63bed3a4ff2d28296b688f77f

SHA1
55355afc0ac0be1adad9cd5d35a41fdd4a2c3b47

SHA256
81218f4aacc7e59c4c3e4c7405cb00b4123b422f60d899e9fc9cbdc0c15326e5

SHA512
8000f3753e78626d5bdb258dfd121ce85ce373796aa7d2e327f273341a2a9e2a81d920e5cd075a8c34a8fad58cee33a3e828206165d736e0488a5e51b40d01e9

Download Submit
\Windows\SysWOW64\Mbmjah32.exe
Filesize
64KB

MD5
d9b6a38c0d9d905d678b711fd8d721dc

SHA1
c54298e2fc1d80300fd2cb8aee99f7903364f90d

SHA256
62a39c5f3355812871f23c2c3802c73afd0a491b877a9c4e48bae8b51cda0ed1

SHA512
68d34cdaee574f9b57a169edf7d20c9deb028191d7be84633bb7c36e5aec51c5515f7f3c625b3905a9c7299fb71cf98823fd0d95a689ebacb6e18e1f10be8932

Download Submit
\Windows\SysWOW64\Mdacop32.exe
Filesize
64KB

MD5
f066a48ecb344e74d6af57cb14d40460

SHA1
ac3f372e5c7f2f6c4487600438363b5e4184dbfb

SHA256
16cad545037f15f4e7fa872231f78130f3090cce5398dd9eb11323f29dfb4fbb

SHA512
3faf0fcea90c663564153e6fe4d41cf297e062769c3990efee5f23edb60fc686bc9bcc496fbfbc8823a1eacfffb62fcf7c8a98da2a2083c990a1b208150caec4

Download Submit
\Windows\SysWOW64\Meppiblm.exe
Filesize
64KB

MD5
905e4c82b09c33970578edb7526851c9

SHA1
13c2e8f56cadf45e690acc390334fcc1cc390738

SHA256
dac948dce0026a2ac7f57e0cbbe34b32f129269eb264d38c2fc770b7b4c0ac71

SHA512
22c48a5688d3a4b1f82af4189e2e4cf41f933c045d13c8e0a268dd377c3d682776330a19bd6cb03ff2cd3411030d4eba05f6a9281f270c5d39eff88a4a542373

Download Submit
\Windows\SysWOW64\Mieeibkn.exe
Filesize
64KB

MD5
72c59628805dc5cab696bb3fee08d9af

SHA1
c9e29cb7f95473462399f9946568a14880356c3c

SHA256
10d124d423789c034485462b3afdf05cfb29e43cfda3528f3a057f26e7305605

SHA512
cec6cb2b1455e090185081365fa9229ffe96c0296527f5f7ad6fd4ac3ddbbfe671826dc3a215e315d64d750651ee16f4e49b07700880a1dddfdd1ab202a9c7ce

Download Submit
\Windows\SysWOW64\Modkfi32.exe
Filesize
64KB

MD5
7cc5257636e1a4860098a8f3587727ed

SHA1
657991eafa34f0cdd4d47272a1b152623f960b71

SHA256
227b5eaf26b03ce875a33610d717ceffe3f5ceeb6e2986a175926b8abcdd1ac0

SHA512
70224cfb9daaabd2a126b5ac69d8e868adf97262512d3a21dd8e46ee5e92e0c59f1e2a94ba9060946459dac1086c11317a0b71d092076d82a37d12570bba4848

Download Submit
\Windows\SysWOW64\Ngfflj32.exe
Filesize
64KB

MD5
bfb1154a6db2b4ef97376046d410cf82

SHA1
fd004f98e0d95f376914fdea6d1887bb98068852

SHA256
be4c72345a2e200cf78e8295ced73ebb58457f806274d5040ca51a30ddb3f10b

SHA512
c831499433f4d23cccb388c957c3fdb35f0814e22c2fb5470e78b325e4cba2b8e79ff92ae8911503d5a5ddbf5560e11719e9be7d2b75b062640094e2638553e4

Download Submit
\Windows\SysWOW64\Niebhf32.exe
Filesize
64KB

MD5
c1a8cf9016ffd1a65fbf6e7f67062dc0

SHA1
fb4a63f8459dbe90f2d74c29aae980bbfcfcf850

SHA256
78e8dc65f26324ae088f39deb48852fc63dac037762c9f6d017cf956a1c7dc0e

SHA512
77902b95528a57b2703c7ff468023739664603dd7d5e9702082bac4e98b6b87c53eee61af438c0f67709ac4c25762baa376ef46d4e32d5519f6756344f536322

Download Submit
\Windows\SysWOW64\Nkpegi32.exe
Filesize
64KB

MD5
efde48e62763dc8b93007db4381b4c26

SHA1
510ad2c187e2c72191ba91c180a0f2453e8c0366

SHA256
49f50a90c0754cb451889c186bb733316992a1495bf6491afe4cbd3ff41b6e41

SHA512
78c06ac990495ec49d9d7c56cbf575d1c15e226f4c2706bdfb8a7fa805bc152229c2f187045c39d2d01e4e7e89aa95103224e51103065c1a80523c6dab9a8b97

Download Submit
memory/600-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/600-82-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/600-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1500-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1572-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1572-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1948-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2072-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2072-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-188-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2108-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-157-0x0000000001F30000-0x0000000001F6A000-memory.dmp

Filesize
232KB

Download
memory/2212-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2504-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2504-134-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2504-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2828-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2828-54-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2828-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-13-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2840-12-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2840-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-32-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/3068-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-68-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads