18798e7619c2057a55c90857a8f0172c2034ed4c7386d18c4350a11de7183ef4

Analysis

max time kernel
141s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e357f4ce09bc66375515aa3113eacdd5.exe
Size

64KB
MD5

e357f4ce09bc66375515aa3113eacdd5
SHA1

7eb3e55df081a236e6a4ac246e69ec5cc0a3cb31
SHA256

18798e7619c2057a55c90857a8f0172c2034ed4c7386d18c4350a11de7183ef4
SHA512

c98a2a896e9f9c618fa86506845119fe005c832234ad14196eda54c004fbe146b12c743c685cd6c61a4e63c1df9cb7ce5a1f24bb36c59ff6c78f613cb8b3eda0
SSDEEP

768:GCGpTAnqpBXbcXxWnh6ZknOfaj8im8mbj2p/1H5mbXdnhgYZZTum80ZIAPE:GCGpTFBX4Tuj8iO2LYZCYrum8SPE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e357f4ce09bc66375515aa3113eacdd5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e357f4ce09bc66375515aa3113eacdd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe

Executes dropped EXE 29 IoCs

pid	Process
1096	Mahbje32.exe
4856	Mciobn32.exe
4500	Mjcgohig.exe
2024	Majopeii.exe
3396	Mcklgm32.exe
512	Mkbchk32.exe
4520	Mnapdf32.exe
3908	Mdkhapfj.exe
2348	Mgidml32.exe
3680	Mncmjfmk.exe
368	Mpaifalo.exe
2036	Mglack32.exe
2576	Mjjmog32.exe
4784	Maaepd32.exe
1480	Mdpalp32.exe
856	Mgnnhk32.exe
2228	Njljefql.exe
1676	Nacbfdao.exe
4544	Nceonl32.exe
4820	Njogjfoj.exe
3580	Nafokcol.exe
3108	Ncgkcl32.exe
3552	Njacpf32.exe
3028	Nbhkac32.exe
5044	Ngedij32.exe
2396	Njcpee32.exe
1556	Nqmhbpba.exe
3164	Ncldnkae.exe
4904	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	e357f4ce09bc66375515aa3113eacdd5.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	e357f4ce09bc66375515aa3113eacdd5.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe

Program crash 1 IoCs

pid	pid_target	Process
1540	4904	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e357f4ce09bc66375515aa3113eacdd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	e357f4ce09bc66375515aa3113eacdd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e357f4ce09bc66375515aa3113eacdd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e357f4ce09bc66375515aa3113eacdd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e357f4ce09bc66375515aa3113eacdd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 1096	4144	e357f4ce09bc66375515aa3113eacdd5.exe	64
PID 4144 wrote to memory of 1096	4144	e357f4ce09bc66375515aa3113eacdd5.exe	64
PID 4144 wrote to memory of 1096	4144	e357f4ce09bc66375515aa3113eacdd5.exe	64
PID 1096 wrote to memory of 4856	1096	Mahbje32.exe	63
PID 1096 wrote to memory of 4856	1096	Mahbje32.exe	63
PID 1096 wrote to memory of 4856	1096	Mahbje32.exe	63
PID 4856 wrote to memory of 4500	4856	Mciobn32.exe	26
PID 4856 wrote to memory of 4500	4856	Mciobn32.exe	26
PID 4856 wrote to memory of 4500	4856	Mciobn32.exe	26
PID 4500 wrote to memory of 2024	4500	Mjcgohig.exe	60
PID 4500 wrote to memory of 2024	4500	Mjcgohig.exe	60
PID 4500 wrote to memory of 2024	4500	Mjcgohig.exe	60
PID 2024 wrote to memory of 3396	2024	Majopeii.exe	59
PID 2024 wrote to memory of 3396	2024	Majopeii.exe	59
PID 2024 wrote to memory of 3396	2024	Majopeii.exe	59
PID 3396 wrote to memory of 512	3396	Mcklgm32.exe	58
PID 3396 wrote to memory of 512	3396	Mcklgm32.exe	58
PID 3396 wrote to memory of 512	3396	Mcklgm32.exe	58
PID 512 wrote to memory of 4520	512	Mkbchk32.exe	57
PID 512 wrote to memory of 4520	512	Mkbchk32.exe	57
PID 512 wrote to memory of 4520	512	Mkbchk32.exe	57
PID 4520 wrote to memory of 3908	4520	Mnapdf32.exe	56
PID 4520 wrote to memory of 3908	4520	Mnapdf32.exe	56
PID 4520 wrote to memory of 3908	4520	Mnapdf32.exe	56
PID 3908 wrote to memory of 2348	3908	Mdkhapfj.exe	55
PID 3908 wrote to memory of 2348	3908	Mdkhapfj.exe	55
PID 3908 wrote to memory of 2348	3908	Mdkhapfj.exe	55
PID 2348 wrote to memory of 3680	2348	Mgidml32.exe	51
PID 2348 wrote to memory of 3680	2348	Mgidml32.exe	51
PID 2348 wrote to memory of 3680	2348	Mgidml32.exe	51
PID 3680 wrote to memory of 368	3680	Mncmjfmk.exe	50
PID 3680 wrote to memory of 368	3680	Mncmjfmk.exe	50
PID 3680 wrote to memory of 368	3680	Mncmjfmk.exe	50
PID 368 wrote to memory of 2036	368	Mpaifalo.exe	49
PID 368 wrote to memory of 2036	368	Mpaifalo.exe	49
PID 368 wrote to memory of 2036	368	Mpaifalo.exe	49
PID 2036 wrote to memory of 2576	2036	Mglack32.exe	48
PID 2036 wrote to memory of 2576	2036	Mglack32.exe	48
PID 2036 wrote to memory of 2576	2036	Mglack32.exe	48
PID 2576 wrote to memory of 4784	2576	Mjjmog32.exe	47
PID 2576 wrote to memory of 4784	2576	Mjjmog32.exe	47
PID 2576 wrote to memory of 4784	2576	Mjjmog32.exe	47
PID 4784 wrote to memory of 1480	4784	Maaepd32.exe	46
PID 4784 wrote to memory of 1480	4784	Maaepd32.exe	46
PID 4784 wrote to memory of 1480	4784	Maaepd32.exe	46
PID 1480 wrote to memory of 856	1480	Mdpalp32.exe	45
PID 1480 wrote to memory of 856	1480	Mdpalp32.exe	45
PID 1480 wrote to memory of 856	1480	Mdpalp32.exe	45
PID 856 wrote to memory of 2228	856	Mgnnhk32.exe	44
PID 856 wrote to memory of 2228	856	Mgnnhk32.exe	44
PID 856 wrote to memory of 2228	856	Mgnnhk32.exe	44
PID 2228 wrote to memory of 1676	2228	Njljefql.exe	43
PID 2228 wrote to memory of 1676	2228	Njljefql.exe	43
PID 2228 wrote to memory of 1676	2228	Njljefql.exe	43
PID 1676 wrote to memory of 4544	1676	Nacbfdao.exe	41
PID 1676 wrote to memory of 4544	1676	Nacbfdao.exe	41
PID 1676 wrote to memory of 4544	1676	Nacbfdao.exe	41
PID 4544 wrote to memory of 4820	4544	Nceonl32.exe	40
PID 4544 wrote to memory of 4820	4544	Nceonl32.exe	40
PID 4544 wrote to memory of 4820	4544	Nceonl32.exe	40
PID 4820 wrote to memory of 3580	4820	Njogjfoj.exe	39
PID 4820 wrote to memory of 3580	4820	Njogjfoj.exe	39
PID 4820 wrote to memory of 3580	4820	Njogjfoj.exe	39
PID 3580 wrote to memory of 3108	3580	Nafokcol.exe	27

C:\Users\Admin\AppData\Local\Temp\e357f4ce09bc66375515aa3113eacdd5.exe
"C:\Users\Admin\AppData\Local\Temp\e357f4ce09bc66375515aa3113eacdd5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1096

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Majopeii.exe
  C:\Windows\system32\Majopeii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3108
- C:\Windows\SysWOW64\Njacpf32.exe
  C:\Windows\system32\Njacpf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4904 -ip 4904
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 408
1⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3164

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2396

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
64KB

MD5
2592a1344242b86d945f127a415e5942

SHA1
8d973ba80743a19034b39e4ca0794bb470b64f2d

SHA256
09eb891e6a64456cb28b0d3afb8b7fe1f6ef600849a44d55696b5d11762b5912

SHA512
3353e5fa0e707b34db0c80bf362f730c3d037b1060b96aa38c6dee86f5180b04037cede705e536d0811dd7a602f7e2a3f09924832f1d4eb25549f51fa8ea5e02

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
067823a6ecca0b0d9c9006afa21bc8d9

SHA1
76c95bcb7968d7d2c27159bd42d206b728aa4f1a

SHA256
c66af908ca5c0404294d2562f6237cd3103692e5c5e39eb25d6609c6d992a610

SHA512
d8d6f964b1fc8dbf895c3dcfd7a68d96dbf7ad9e368ce44207880172d0833d16b6feb0e32ac7ff61e90e0cdc057722d0bca39d3485ba01811fcc67f127a20892

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
64KB

MD5
cfe12febf852f90f7688a3cfd0c297c3

SHA1
079b4bf84ee740e1320f20569d843854f49787d0

SHA256
d9133ce30c07f2109247ffee8a14caddd4dc33210fbe123493e8b795a2f47784

SHA512
576583d431c5aa8ddb6b549bdc0c40e1069c61448cdb2cdb89fa39dbca6c955caff491cb4a54b36b0a61083b05e7e4427f12afe6388095b102ae64ec8e2599c0

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
bf3d4a71a8f83b011d08bb289982cd80

SHA1
806c9930be27c84f8fc3e75d1e35d7d1fcfd76e2

SHA256
3dd8e03564e17782aa0de009bf28a5c956b9bcdb6882cc59e564d0e5c921a9f4

SHA512
0f4cc8e14e02176e38e34c2698b2187965cfe98b007c0e92778db0a16304faa924edd6b0db362e54acc5b377e8f188b6fb938fe4604bd0a4bf8a4141751f9edc

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
64KB

MD5
833ad851242122d6839c16a5483d2059

SHA1
2637446fb06331b32af7383e78212f29b8796808

SHA256
7a7c416ba0279033d9777138c3105072c5bbe7bca730fcdca68bbee0ba8ed9d9

SHA512
4466bfd5966d0f8d398db6c383588be35a50254b04060183173dc70f65f2c830daab573dce10e3bda0330118f58f42b99349444eadd12c259630694a1d236f5a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
64KB

MD5
cca7039a98a77ce0ae6b9ff92ff71063

SHA1
f02a4b9126ccad1a19a0c4a64cf94cd9bafa7f81

SHA256
049fc79f3761980777babb0237b74ea130ba7b8f0856ff0b1ceedbdabb0bf48f

SHA512
7329a2e789903c504a03c996bb5685e3fcb99cf2b5b2b4eab4508f3f85594fb05f39a0b56fed4ef7a2b773adc87f75ffc58ca0ffe72303461351dc25abaedc2a

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
64KB

MD5
79b229e84810b37c9f524a698ddae2c9

SHA1
ebeee889799e5e0888a23193114e80cb2e8d58af

SHA256
cc051c4628033bb4820596df1ed1919d5759de4a77ea3ef90eaa86b3e5256e1d

SHA512
65ae21a2eb061384597a0c1f0f1e93970ab8d3cb2e046c0c4a7ad4216113775ca68cf1c502e317d2404db235d0048bdedf84518a1f88578f028bbd12cab66749

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
16KB

MD5
dae4b0d1e0f43b94e27e8ef9b9962db5

SHA1
e25d964f4fb028121ebea167747dd159d9a8dbfa

SHA256
ddcda454f45439fe8477eb4841198ce67ca7c4edb772739ebb20a2a3abfd7c48

SHA512
69f2f714b3c9b84f35fbccc3b3d2596ed632fc5f2d1bff4d7803ef67c80cbb2c067940eeb2c79a50c3b382d32458205fd878f544891696932a3e12ddd1421e99

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
64KB

MD5
51f3826f008ef32eeee267a3ea6c9f21

SHA1
854ed4d8041a950d60ca370bd7fdcb2c97612977

SHA256
03771fbb4e67ee6ae80b69ddfa781bf594801c996e5a3cff74e60be6c13bffe4

SHA512
2dc0a8fbac125a17f506a1d2864a5535884c7467749916696b72e1cc4488f41d38a363485ed29d1f978b2f2dfef69b82247b293f0adab941d1b898ab793f0fa4

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
64KB

MD5
0959639665bc403af664b01b5576427a

SHA1
383540a9a5c9a9373cba9d0e0cf06c705b6661f0

SHA256
2d520268375aa1428170b627da0c5cc24a1d249726782dfafadcb4efe7e3ff6e

SHA512
7599044fada1aef83c104849959cbd551e3b667182b97096dad9daf971f369233ea1a02b4c6799a14a79f46dbee1c45bbe1b984a9313da1c94b5e642eed846e3

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
44KB

MD5
e17b9a1ac98b58c150f6335a925306a1

SHA1
5c45b9e19fbe5624a9b3d7d0a9120a896e68ce9b

SHA256
ba60ba712977bc268bad8f11db805f9f168091f1657882ef32bc4668bc219344

SHA512
fa087e656d44049561c8e06de331178816a4a7d36cca44044123d36823f430042d4a701beca022e41f98fb072936b01d2a64e38bbe00e863d4ef6f3eab19848c

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
64KB

MD5
632bcf6ee7aedbdf88c73ac17392d7b4

SHA1
26726a5061bdf4664c60d885c4bc8eec5f996db0

SHA256
9156295ea9f565027e0d8a904070c16a21cb2e0d1ff6627f44ad2911f23fcc4c

SHA512
4076cb43a036a28dcb63768f141b8dd2a5faa5074b4e1bc3506caeae9ba2beef739e47552ea51c36bb0133db26fcfe898024d6f521de08fb97bb5f6555469a47

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
64KB

MD5
f69f72e920c0f39ba74acba62250c33c

SHA1
67a0321b82bc8710919f284053d62cdf5c6c9e3d

SHA256
7e1c6608f51be2ce663ea411d84d1142ceac55fab72e1a44abfe245328094371

SHA512
f75d71833a6720e7608f84511280584090b1a86ab2631efade396ecae889543793a1af1919d389af6f38b14eb86d42b6e7edfaa688a2e1e08585296c92d4426e

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
15KB

MD5
2ee0d3c09e9f62afd5d05af5e3fea8c4

SHA1
f0abb6d60ee25d241e234d4ae4b324b3df37a420

SHA256
5e394cbef20ceee40d903f2e3a268dae6dbca86b175e4b99ac8340ed3806d84b

SHA512
67adf6bd7bcf46a95679c62c48779dc207680ee893a6e7109f16bd7d87f88c2edb0d2b32fc0600ad437f1fcba81881b6b839c3387dce47a2b25d99f6453af30b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
7ac8aad67d2a061d72be94821642ee1e

SHA1
6e0c2db3e748e7bbda644f95eb8064444762209d

SHA256
8b2635c11bf7259a3d05c476cc4cf2652c03c3476b0ef4210ead14136cdf1604

SHA512
120eb51883c540643930f86c84d7c7c8d8e819474e522f89e325d9b976ff1957cddb3abe72debe5628304bd5d5d4908f1de53c11c1a86163c8e813a408045d2d

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
64KB

MD5
03adf9ff5c336e877861a886738ceedb

SHA1
751c3ebf0c4eb8c6b0fc6a06a3389df8b647bb1c

SHA256
078fb6ce496184ac8b8d13db8f3bcfbd24cc74314bc0faa6e930f6f3edf114b2

SHA512
fbf0a7cb26c88894ddd826b141e4d4f379944607bd1f8ef82347c5681b25411a36390fb17c12147f69f23b78e1cd233746646aab5b65cd068cb88022ad904a85

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
58KB

MD5
5157e51cc0e195195ff2e423583d33f5

SHA1
e82732fdae2257b38b672919c7edaa63ed2c326a

SHA256
963b8944d2bbeb2321b15a7fb15590e328d527b7547b9ebd7bceace71cdcb4fc

SHA512
b7df088392f2658d34ea34f73faf486101db914f7a1f307405bddeece7af02004abf04ea9fdd41f749895467761240c1259ebe19486c25d58965f58568db6424

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
64KB

MD5
0d3c391fa845e727106606aa09afdd41

SHA1
191a976585589b8867298884ef8e6f3ee2d83b0c

SHA256
962c52873677f48214d551fbb4306e5ed32164377b28ab74369433ad82b00c79

SHA512
982200de32b0e6e6859ec884c99e122664669065901e52478780e9e1019f50479f78ab2d15d7062ec6f8c28615e89829a3dd7a6330195fd9baa8078ddba27947

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
7KB

MD5
18b16087e223434fbae61199b363d0b9

SHA1
c4a62f6b87499a9b3f0f7845390b709e8849b9ed

SHA256
a288dc14142188d6a99c6c4bf1c0d137b198b104e2176d558b02312d1fb010eb

SHA512
3f1387269ae92590d9aea49e1e241aad5118df39c21151bad77556021721b7da7a36c64b6cdbf54e66b3a93641aa47732072b03d7bbc25f08389edadcc8ed1cd

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
8e774a6619c260742b2d22af1c858b1b

SHA1
b6f06c8f084b8d29f100949bc8c7bd72759617ca

SHA256
208e903919665fa45be15fa21e066d31b4a1fdb91f5d8e58d44783a2aecc09a7

SHA512
c7ab8395a7d86ea0f18d3473f2a0083657a97b30e5e6cd3544a39de2483e94bcaf82b86e78979d4484f9a00fb56f186298c85406946c036dffc64510499b50b3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
64KB

MD5
9515114f24af4e3efb81c722cd2d2f07

SHA1
083b429dee74d5d6d7f4c1014d79539b1bb758eb

SHA256
7d1c22576ef61db71630e51e72883e9749458265a522dea409fd7cba8ac4f3ac

SHA512
7d415bf34f1113b4a6ab6ac2f4e7e7b7a68d8de5463a4bceceeab3d27593389fc1df639c11b01ff8c58d9275b5d6b83c8d81ed5280e718b725aa274a37e7cf66

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
61KB

MD5
f5cb770c6771fe5452065b2656a218a1

SHA1
85d67575003f87e679549ea19e227eec4bad04f3

SHA256
6fe90d6c4ac8ae7def66cb3e05651eb3e150f9666ce2e8abc088e5a9afe9b6f6

SHA512
940a636815a9eae82e89f43f7a5570f29344399d83cbacf3f303fbb46f089bcdce716fb499490577408cf6adca82a5145a9059949b87753ba6c4fe201d5d4aa4

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
26KB

MD5
36e0a43c4b7797a05abfd3eb955a3cac

SHA1
22fb89afe20ae7ae4f2286e3a39efd378f7528af

SHA256
d9215e57747c445d3a63a84047a3c5db01900d8974e0f81e834e466e9bca5cef

SHA512
be1e8a92c48b14ea46a4f8020c5bd55b3b52569abede4416e0b30b1916c5eaefc39bfdd7a109e0d6ea07f9784c076d2e288b65482cfeb3f56b82c44a322586f3

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
425B

MD5
e7c655582317ba81feaef6b734a10bbf

SHA1
5770d8d6dbeaa0d601f235fa499ab435b143b942

SHA256
1523f3b2c09dcd1bac4a83aa8a28c6b1a6b32a61e2e25aeae8559e050f65ebb2

SHA512
7cacd0496bff64e5c7ee0bd9262306f6becc71a48817a27a4625f9dd3a5ff35b9445d6e91fc3cb31b684ae52dc089fab38d069d944d76c8dd1459591b1be569a

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
64KB

MD5
9f08d1ad59f928f539fb24be93f6a9a0

SHA1
7c92518fde62c2d1bad946208fd8bf76bfcaf9f8

SHA256
0c6187a418aa1fe2a586825c41aa304a059c7bb5380e300bb848ddb33851d166

SHA512
2f2e20e6c507db3d72dc20447d9c38424936c06c987313edafdf8949ed070b51a1537da65e04f0c0f0e2edc000913352cd18ea852fcdbd12aa02fd7605c7ceba

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
49KB

MD5
19de658ed82cbb40342e4f29fa0ddad5

SHA1
b116c40ec92295036283b34e5125b4cb9c032a6e

SHA256
21e4712fb46d1e08c1078e6f95997d3482bfebd50003b0a62c7a10c339fa6928

SHA512
41b3f714af86edb813338fb8ed7624374d63d150688e185baffe10219c7bc6c31d64fc8ba6456406641cb947fc42c6b896ab304fb4c01bafdc5c0fa530c09af8

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
16KB

MD5
a63a5e025c38dd01488731cf2c358903

SHA1
1487afa4bfdbae64bc57997080e51fbe3676494c

SHA256
62390cd83ada76e0bd436fed14c6da49c0d92f702c55c45b0c219ba3feaf408a

SHA512
8e870595d534999d046c919db790beaea933f2f1e448701e57808fcd1ad24b195e5138ff451349cae12d2c09004ea50b9aa5b58aa5b932b3b903fe0cbbf91aa2

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
49KB

MD5
91aa3c5187afe3bd5a80c4abb4496912

SHA1
aa5073cf3518dcc6d443acf5edbc5853adfd298f

SHA256
51872921e8817f237549b2d0fbb36e6e5a1fb0e3d52132bb2139b9f18d1991f7

SHA512
421e61a484d9b1605da1c6ff68667aeba01a6e03ff7042667f4eac1abd1160585e79e6c315a2468feaf8fb5a8a194d5a3587d4d45bc8411241f70f820b869629

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
64KB

MD5
93ef6d16e2c27d96c09006973e89d523

SHA1
6bb97d52eef2b380a8849ab789ad51711649a923

SHA256
c4c8610488470ea135c30f6d60e6b9b11f3206302a10d9711416bd8404ad3ac6

SHA512
1d7ce2b3baacaf2ae93e33833ba5cbb6f908ac64f10dbe0c8fcc5c518f91b8fc9c0adb833c0145a1cfb4d91f9bd16c7ee60c2384a99cd3af50e249453cfb8245

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
64KB

MD5
4003a98d413d1d37a3fc14643ce32e86

SHA1
1c998f6501f32de0681b844f01ef228888e5aee8

SHA256
ad1cffcdef6c152a531f598327c0fa77b55ef123cd80a61282b52118f1cb0626

SHA512
7c1a4edbbd712ceb4545242cf8f7fb53e48270ee0cd8f62720bb33a1e79af5c6ec18ef568c8070c1c3922c63879ca0c1a889c36c695092172c90661e0c8445f4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
23KB

MD5
c880d63ce61448448ec32db8785ffd56

SHA1
04fb229c2f3c8f718d46b6019f8eeee2c8245d96

SHA256
b4aeb26c5cb72081df4566d2be5d0093c194527af4addfb6c7d190e93321075d

SHA512
175f2a9df365c6cf9c3d59260c135be1ba0e854eba4a406df10d53222fbd7b047a4835aa81f4a9ce7a0fda16dd0c2bc804f91e14a1ad17c5161b91da38b41968

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
12KB

MD5
f492e68c1bbb0f661fe9f0a3494e7153

SHA1
3048e51289fbfda2f7d2a87fce983a012d9c7e90

SHA256
ee1f0f8141d7a0fb9cbf80ca84255f360ef4f14b5fa63a94bbc9a1482928d2b6

SHA512
954ad8cb1e875978729f496c072bc62ac27c8dfe53ee4bb40edd1ed28c2bfbe358025c7552802fdce6cfa442b91fe3f631ea50db7bfcff79ebe2d4efe07d5c77

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
10KB

MD5
a6fb771772ca729009579988c3297724

SHA1
2a63988b526cf6903d2789ca38514aa06f4838e3

SHA256
5412b39166b6b6eded077bfa66164814f3e026cb65f485230ce095124b029168

SHA512
4afb8bb7e266149b40a9adf33999dd42e94c39e206da116934259439a5dfdf151b46d8b7afd6f37f3ec0c9c348cf17c2c52b4774b1bf10fef9b44bbd76d5cc3b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
29KB

MD5
815bce9b0ec961773c3fc7f84a4e1c50

SHA1
bafe29d53e07d7beab5b4468f291cdd351094277

SHA256
2bd142ca77c1c3a044aa7946fd7e2ae02db168d1d7b7397b7ecafab44c58cf35

SHA512
b921f294e95a8a89f9fb0ea88c89734019a9eeb6e9ce2cd67b21990776fb0505efd0f0954d395411b3c7f8380f006503eb166253f5d5822aa1418d2f856cc31f

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
1KB

MD5
538943421eec854457776924ca710dcc

SHA1
bbfc6c365e5752500e4df9265528b313cc514c62

SHA256
b972ae0e040c167384b627abb2f62f4f3d56addee92cec9e7a8259f1b6de2d44

SHA512
f64e578e978c059d3e163f973e7ef514458ba834244bcf581eb329ad9dd67af236daea2a6606954f2b78e15346e7f77bc4b50f635bc7b4c2870708e462200796

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
37KB

MD5
6370951946a81def1aff622da25f3afe

SHA1
22af3e148bc9c08998df3a212610ef4b0ba286e1

SHA256
796b5fa91f428fd7b56401a8b3a5db46a1e9734b98a9f237ac53443eb26b4360

SHA512
60ce6c0f5ad490078baa9604bcdd5fca067193affbc3e5d8ab56f879dbce50f8a4c3cc47b2ba0088267e2996888c3f34ca201a82caf7f4887475db544ffadae1

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
40KB

MD5
55ccfade0e84cdf6b6daeaf40709336f

SHA1
711bf2035821a1853c9dce4b614b7161b2046ae3

SHA256
8e9b3a89ce3a5874e19c0436373f3f3f7bbc5f7269f848da08b9bf84ead5de84

SHA512
c7d4d89a52fa324e5f7f6ff7d879c096038c8a6ba375905dffd72d26ca5c3a78a15b47fe4ddc9db55a433acdcdeb9c8836f31fc80f2224e8c7da6a16cdbcfec3

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
64KB

MD5
af906f6cb15f00a2f1af6d7733ac6a16

SHA1
47f507898d295f2017da51ac0abf2d6cf93893c8

SHA256
123fc2567c37548d7b5a58f25577f5674d15c3a740f40337c15fd4369c340de7

SHA512
2f40551a41c6ec992f4f179f6923715ee05e004a27ff7c8a5c89325898264bfc611eb2647bda18c9ed6e1394a7459ad07dd193e39deb374185dde53d02ef1a2d

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
4KB

MD5
915c9573cf5bc125a53a31ea0ee09c0e

SHA1
1e67df3114c29093aad29c35fac55c488e0d1768

SHA256
d9884aa2c25b3f54537f402edf921bedc4e58ef45fff0bcc331a3bcfc13c5539

SHA512
e489d595e0eb80ead2ee54609ecc9e3372b903133dfd326580fbbae86cb08b78354e9363361195153d86aa4e994e5c50355a9a1fe3c78eeb14bc5617c8d256d6

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
64KB

MD5
3d74ac949a948e04a363bf4f43a6050d

SHA1
752ea152859e13087925e5545e894ec9efd64995

SHA256
ef0a74e5901df66d8cc642113d403cd5962eeb47a060902bea34e42b9647d173

SHA512
4593a58809aa865eb54ece92752afbaaa280603c0a545107766ca00bff2cc08f1da2095491495b23fd9ac08ef7f46b9572069c67f4812d43f76925a03590d1b9

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
16KB

MD5
9d687091f8440129362aa81a5214431a

SHA1
808120707f0ba0d686a6b6ba0f5171d8711b6c08

SHA256
7f7e83c652959f2a271a06ee7c58b31860535ac10f9e59f9bae32c73d18cde9f

SHA512
0436d666940bbe655ee116121e802c08ba2f0b745d89241bf04d33f80f0f7f1560d0d9cda034dc4e1b753b888b1eb4b9f514d5e5d468cf14f692dd94c2031e22

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
9KB

MD5
e12ac157469efac1b196470ca3b7e01a

SHA1
bd1310f9dac6580852e6b9a653d18c1745f3da84

SHA256
bd8ae0e84016ea9a40077fb63627b686c6c269ca3523fbc9fcb950a6cf615262

SHA512
19271b3dfb7caa9615ec6b517ee7e09b17b09df8e0d433a44fbb403d3854897af6b91111d7de18b088163788418589d7fb6bac137072d0c26c88d02a88bce63a

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
2KB

MD5
0dbf61387967e24e9a3cbca791b527db

SHA1
462c51004d2be57e23b78741373cd53852b6c9f5

SHA256
be112bc72d3bbee021079fb61918e98e540b92c1752508e2724dbb2f6eda74c3

SHA512
0b11fccbef99a1c623fc4a896a062262427e7a9cf0f2c3cdd1ece7b63ab4ae1ac182a8c2a87fadafc01425f7ee0a708af2e354df48c67ffcd7241a3a31964f31

Download Submit
memory/368-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads