8d6db9f3b5dfddcf816910d28c510c33c47caf21f1e4928c83a53509b6374626

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec16271399ce33c282aa11e248083680.exe
Size

443KB
MD5

ec16271399ce33c282aa11e248083680
SHA1

bcaaa18bf1258f3e4d5b0ebdcf1ea2d3ac9a2d39
SHA256

8d6db9f3b5dfddcf816910d28c510c33c47caf21f1e4928c83a53509b6374626
SHA512

80771137459be33d997bd156c77c37b584f94ce02b3854aa6cb39b5e0318abae6dfcf2dfd380f1af115f2a91945389ba3b8816410d1f35b447bff25b8e3d2eb6
SSDEEP

6144:WW95FBb7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXmOEgs:D9bh1J1HJ1Uj+HiPj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 28 IoCs

pid	Process
3684	Lknjmkdo.exe
1464	Mnlfigcc.exe
3764	Mciobn32.exe
1632	Mkpgck32.exe
2256	Mnocof32.exe
4272	Majopeii.exe
4428	Mdiklqhm.exe
1840	Mjeddggd.exe
4632	Mamleegg.exe
2564	Mdkhapfj.exe
2532	Mkepnjng.exe
4324	Mpaifalo.exe
5084	Mcpebmkb.exe
1488	Mjjmog32.exe
3796	Mpdelajl.exe
8	Mcbahlip.exe
1268	Njljefql.exe
5072	Ndbnboqb.exe
4276	Ngpjnkpf.exe
3552	Njogjfoj.exe
4424	Nafokcol.exe
1508	Nddkgonp.exe
3176	Njacpf32.exe
4472	Nqklmpdd.exe
2752	Nkqpjidj.exe
4992	Nbkhfc32.exe
4348	Ncldnkae.exe
3304	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	ec16271399ce33c282aa11e248083680.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	ec16271399ce33c282aa11e248083680.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process
2232	3304	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ec16271399ce33c282aa11e248083680.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ec16271399ce33c282aa11e248083680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3684	4976	ec16271399ce33c282aa11e248083680.exe	50
PID 4976 wrote to memory of 3684	4976	ec16271399ce33c282aa11e248083680.exe	50
PID 4976 wrote to memory of 3684	4976	ec16271399ce33c282aa11e248083680.exe	50
PID 3684 wrote to memory of 1464	3684	Lknjmkdo.exe	17
PID 3684 wrote to memory of 1464	3684	Lknjmkdo.exe	17
PID 3684 wrote to memory of 1464	3684	Lknjmkdo.exe	17
PID 1464 wrote to memory of 3764	1464	Mnlfigcc.exe	49
PID 1464 wrote to memory of 3764	1464	Mnlfigcc.exe	49
PID 1464 wrote to memory of 3764	1464	Mnlfigcc.exe	49
PID 3764 wrote to memory of 1632	3764	Mciobn32.exe	48
PID 3764 wrote to memory of 1632	3764	Mciobn32.exe	48
PID 3764 wrote to memory of 1632	3764	Mciobn32.exe	48
PID 1632 wrote to memory of 2256	1632	Mkpgck32.exe	47
PID 1632 wrote to memory of 2256	1632	Mkpgck32.exe	47
PID 1632 wrote to memory of 2256	1632	Mkpgck32.exe	47
PID 2256 wrote to memory of 4272	2256	Mnocof32.exe	46
PID 2256 wrote to memory of 4272	2256	Mnocof32.exe	46
PID 2256 wrote to memory of 4272	2256	Mnocof32.exe	46
PID 4272 wrote to memory of 4428	4272	Majopeii.exe	45
PID 4272 wrote to memory of 4428	4272	Majopeii.exe	45
PID 4272 wrote to memory of 4428	4272	Majopeii.exe	45
PID 4428 wrote to memory of 1840	4428	Mdiklqhm.exe	44
PID 4428 wrote to memory of 1840	4428	Mdiklqhm.exe	44
PID 4428 wrote to memory of 1840	4428	Mdiklqhm.exe	44
PID 1840 wrote to memory of 4632	1840	Mjeddggd.exe	42
PID 1840 wrote to memory of 4632	1840	Mjeddggd.exe	42
PID 1840 wrote to memory of 4632	1840	Mjeddggd.exe	42
PID 4632 wrote to memory of 2564	4632	Mamleegg.exe	41
PID 4632 wrote to memory of 2564	4632	Mamleegg.exe	41
PID 4632 wrote to memory of 2564	4632	Mamleegg.exe	41
PID 2564 wrote to memory of 2532	2564	Mdkhapfj.exe	40
PID 2564 wrote to memory of 2532	2564	Mdkhapfj.exe	40
PID 2564 wrote to memory of 2532	2564	Mdkhapfj.exe	40
PID 2532 wrote to memory of 4324	2532	Mkepnjng.exe	39
PID 2532 wrote to memory of 4324	2532	Mkepnjng.exe	39
PID 2532 wrote to memory of 4324	2532	Mkepnjng.exe	39
PID 4324 wrote to memory of 5084	4324	Mpaifalo.exe	38
PID 4324 wrote to memory of 5084	4324	Mpaifalo.exe	38
PID 4324 wrote to memory of 5084	4324	Mpaifalo.exe	38
PID 5084 wrote to memory of 1488	5084	Mcpebmkb.exe	37
PID 5084 wrote to memory of 1488	5084	Mcpebmkb.exe	37
PID 5084 wrote to memory of 1488	5084	Mcpebmkb.exe	37
PID 1488 wrote to memory of 3796	1488	Mjjmog32.exe	35
PID 1488 wrote to memory of 3796	1488	Mjjmog32.exe	35
PID 1488 wrote to memory of 3796	1488	Mjjmog32.exe	35
PID 3796 wrote to memory of 8	3796	Mpdelajl.exe	34
PID 3796 wrote to memory of 8	3796	Mpdelajl.exe	34
PID 3796 wrote to memory of 8	3796	Mpdelajl.exe	34
PID 8 wrote to memory of 1268	8	Mcbahlip.exe	33
PID 8 wrote to memory of 1268	8	Mcbahlip.exe	33
PID 8 wrote to memory of 1268	8	Mcbahlip.exe	33
PID 1268 wrote to memory of 5072	1268	Njljefql.exe	18
PID 1268 wrote to memory of 5072	1268	Njljefql.exe	18
PID 1268 wrote to memory of 5072	1268	Njljefql.exe	18
PID 5072 wrote to memory of 4276	5072	Ndbnboqb.exe	32
PID 5072 wrote to memory of 4276	5072	Ndbnboqb.exe	32
PID 5072 wrote to memory of 4276	5072	Ndbnboqb.exe	32
PID 4276 wrote to memory of 3552	4276	Ngpjnkpf.exe	19
PID 4276 wrote to memory of 3552	4276	Ngpjnkpf.exe	19
PID 4276 wrote to memory of 3552	4276	Ngpjnkpf.exe	19
PID 3552 wrote to memory of 4424	3552	Njogjfoj.exe	30
PID 3552 wrote to memory of 4424	3552	Njogjfoj.exe	30
PID 3552 wrote to memory of 4424	3552	Njogjfoj.exe	30
PID 4424 wrote to memory of 1508	4424	Nafokcol.exe	29

C:\Users\Admin\AppData\Local\Temp\ec16271399ce33c282aa11e248083680.exe
"C:\Users\Admin\AppData\Local\Temp\ec16271399ce33c282aa11e248083680.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\Lknjmkdo.exe
  C:\Windows\system32\Lknjmkdo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3684

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Mciobn32.exe
  C:\Windows\system32\Mciobn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3764

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\Ngpjnkpf.exe
  C:\Windows\system32\Ngpjnkpf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4276

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4424

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3176
- C:\Windows\SysWOW64\Nqklmpdd.exe
  C:\Windows\system32\Nqklmpdd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4472

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3304 -ip 3304
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 408
1⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4348

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1508

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
443KB

MD5
24930735a87ad8707dea73230cbac029

SHA1
dee27823b6eaf37c03192863a4151d41a64a9d3c

SHA256
0a4487244b4150449c68016e94068e0ad598ac09b27a2bb457a3bffa2cae7e67

SHA512
5f38bab98438e9ec9b350f7982597d96e3c388e4c0129148166783cf1029f1ac4af897b9fdc36777df1c246469024066e78bf2bd1112bef212f90b660029d608

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
115KB

MD5
467380eef47c54681dd1a6b4012925ed

SHA1
6db940582fd0a46098f57127101a58d4154fbc9a

SHA256
d2a720ed6d60101d7543b27c2a5c270e0ed705dfd54e0af9cac6758042f4dfea

SHA512
3a0d8e966fa5592cec9b9a7b3661574d0dc15ae69ed1acd4d930dd1f216af2eddf12d4c4c9155b243c0037e323c44fe038aebb312acdaca9787fdb61eed63b52

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
137KB

MD5
de2658bf9625693beb20102ddef910dd

SHA1
ff71859ec924bca1938cdf29f089dcf5af6d1c59

SHA256
b693cb37621190967fff88ad5497aaa2adb389b4878b6e981d7b39ce32e71374

SHA512
cdb7cd8016be531abf0dbf5622b73fbf1d15c3b5701b79c2fd991e99bdcdf13ef8f5513c7844f171c95095ce1dcf0b5302a4089c4ae92c0b0aa7aa6dcff39379

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
84KB

MD5
e09869601667d3c44a8dcfed3bd6163d

SHA1
a1969234bf0c452f64c467f87c17e5776986ac91

SHA256
2d17741211d5077d13eb469a9dd9f1f56b5d11e71cabef2cd73d636f91529769

SHA512
4e45e1fb394b94eb351afbdf46f06802b3664000f5ca795fc2827d7e844699f240ee4ad68aa58905901a5f3db6c91053e0267ee6518880dd49f83055799aad1d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
83KB

MD5
2d377930006ff0b8a7bb7359ef0e2143

SHA1
e57c5be44f401ae01a00d9f179a88384cd2a41df

SHA256
e6a0d9b5a1507f39e173c01bbd45ae84791f13de6b0fb9129687b77a40019774

SHA512
f4b2815f2960dbe3daaf328fe0fc33828f8e23e689ec7a8fc233c90d578113ef07f0c4376e982143c9636662edba2a7976a36f60e27ab89905abfc49961f43d5

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
144KB

MD5
5d1f97bc226e251313a377ba50b9ebb7

SHA1
7042b3425633793c45fdb0fdc41c329d519447b2

SHA256
8efcafcf1c52a7ff3e138f7714839c00064a34feb1ff04872cfb67850de4f60c

SHA512
a02f17d05495400a82692e71d349d7b6127fc10fc600792c93630852a1f475800b59c60a0de7aef8f330863c3394d7f36888b5a909e2b181f44b9b6b67041950

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
55KB

MD5
dddd15f20735773021149b860a26da07

SHA1
bee6f27f85faabd31147b0c67a5186cc73a7efb8

SHA256
f32ab8b6ab40b30b6a6d1e2c6df87d75e1ed8130608b4f837d6cde941a06a093

SHA512
4e692d59445ae1c19395fe1a5dd1b5573dac2260fc1ac161f133d7aeb477e4428f9c073f041592e42234b877226350e983e900b3a598501489c34bfebeb50f79

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
83KB

MD5
c42a866484ee1ca113f29d37b5012ab6

SHA1
7088e63326ea89734cf1cf0179d744ec8733ac7e

SHA256
3faba3634d93bdb1bab7cc9b0f0b216e632b180d0fc16fb6f31b07e1ab1a7c36

SHA512
cafbaa8f8bdbbc6c8e26fd0159d50e4695d7183d10fb317b7dce709ae50697c5702d64874be26fec523cec93844daf4ac99c9f6ecb6913e24f4a065346eec1f8

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
85KB

MD5
61b7d9b887bfe7923c94b8aeba023818

SHA1
041773038e1f73e488efe48595117d206d073f5b

SHA256
eacccf6ec67492a471edb1f2551d29bb7635c43a40cf712a1f3d7f6be4d263f9

SHA512
c7b60d561ba7c051bbe847c4763bb4ca24023eab0fc51acc87a1821a8be7c2b21bc2d3849a11dacdda019ef805125ef901a757050ecb5e106387606b0f887a85

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
89KB

MD5
a7cb049bfa648ae29b3af49680b13920

SHA1
fee3f1365a144ee087fc7fcaa4b3d051e202c6ce

SHA256
71a4faa40154bb96ce24a02cec6a32c6d0addbcd08ec6494ecb480b157ec6d28

SHA512
809148d0c1c3fef98795c2061c31a3b662c790d2f48229db95182e1cf67aaa747e47db92e6a50a57becd048f93d7c7791d2c6a6d21f1fae6eb5758a628565b53

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
163KB

MD5
2a5afb171fb0af5403e173f7a30506a7

SHA1
9095e6cebe690987d334d87b1916612bcab26c2b

SHA256
58791df9b41a63ca08f219d64c2395bf900e5305907407d40a9efc4ac8646dbb

SHA512
77715f8e0edee12c91729231b37aef4358893d798dc5e30acfb52a6053072c09c2b606304d283d81b0595024df245e0723e11e94e53d8e26c0701845d7062c00

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
142KB

MD5
8d42c1a88295b957e44086f6ebc5af38

SHA1
8173230e8c0285b8bf0e4a96ddfcd4fde3ed80f0

SHA256
32f373aa02326636476b16308c9a3c30fb6916ecca2767a51b65de4a5662ab78

SHA512
659988495adc940c3c5b9cc7d651d1d92bd7e423ae929b37021e60d407ceb50969aa1a8b82c2da1ffd27c1e7e355563c18f46de6a05a98f4d015a0edc5d7f28a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
86KB

MD5
19147f19062054ef822f06ea87052292

SHA1
b79c90fde5e6a1c3e65ad72a70c4ba1cffedc5c8

SHA256
ccc47b260fdd6570f03679764eaee283b037b3a2c3be8eac14ba41d3ab72f873

SHA512
be4e7c540cae5bfe90f42dcf4733267461ba7f844eaf860ab2fcc03d9ebe51f5cf55ce7e2da5cb5cafd7f4541b8c3c124bc1a30b03a78edcdbdd93ed80271c17

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
106KB

MD5
183264f1cf987383db48f1a886bfeacd

SHA1
63094f9457e250f8a27b175b8c8e7d343fef5bdb

SHA256
fc56cc8e971e26cae591b5f4384b8de3e601623b51699f514799ed4c6da5b42e

SHA512
0fcd1d0736b2f27769d73e1dd495d3a1af8aa7ada49aaa1cadc5b137d9dbfa24948eff780b43fb83870e0484e97c27f452e7e9085feb0e55a96f2fa17d94abd9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
90KB

MD5
626841be08b0d1593b430186d1e9a5af

SHA1
cf3778d07cc66e299de9a1b8664a3a9f7f41d08c

SHA256
08198bc61fed0e69d497ff1577f9e881b3c4fce9c421209e5086bd16e6c635c9

SHA512
e74a67d991cf8387eb3cbb1a85bc643f261b6570f9a579d0ab140e259374dfa38dc42094ae6bab049a8b7262483ee5af149b36f481c72e2c513aa2bdb36c3a57

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
121KB

MD5
9d9e1a5412d4fd6ebe67d5747111221c

SHA1
22269bde23aded3f948794646a72ff0564c94827

SHA256
70a86e867d4f110c92ba89f51e08a9d8c1711549ebee5fc73652dd8fe47b57a1

SHA512
20761284a4d6e6e255ba6e31695ce7faa1e5edb0e1c6dcd4ecf1ba7b85b2633cecb61bdf209fdfdce5989f6aabebba3a2ea1484379ffbd3ec9b25ac2b07181c5

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
147KB

MD5
999bea48c9ee39e0cb856fcc6cb43099

SHA1
c9b355874ab0a6b67a456a0c2368f9e5cdd200f6

SHA256
125cdb0a1d6f4359840fe1265e5bc68b154002fd3083330bb7cc4ecc570dfca1

SHA512
610efa8b199894c4d8d26e15966143074e74fdafc0152cd94ec02b6ea23677946b41c7f17c27fd1f6f37f256b2716a01c3e1d1ba74eb83504da6b133a99a6827

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
68KB

MD5
daa30a8c064400fa4249a8c2ed443525

SHA1
9fda840df479c533765e82ff5620504aed0b2dba

SHA256
5a962ce32b7946a258ae4830f3540a04332e7d66775edf32c054b8acbbb5ddcf

SHA512
0846170e3e8201e43788ac55614e8cddf2270518110ca1c777ef94a79f9da96ffa1e7bc7113692ab92471a22f9c2c1428ae118eaa09b17384a48bf7c9f22b382

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
86KB

MD5
a3f68345c04cdbf6323492aad4239604

SHA1
bf15256fec4d55e319defc938d696a225424d497

SHA256
343f2e2b4d40026a7f6ff9f1f95e1706489cd44f5700df1cc07963a98deb610f

SHA512
64844369fed32d4cfe1fb72f64d89fc0df2e7b6aeee2f8715bf2a750f06d0a7e0c9b43682b7fd8b9ac0e37af5f94459ce4461aceffc6d523053e938dfb9e1678

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
91KB

MD5
ce68e3e0ef6aff02fc7e3640b2d930e3

SHA1
8391f53c39ece63d70c3c91891f177a9132a2e49

SHA256
4ee145bfaee0d501756712c4e333946dcf362961e0307762369ca8e11dd7f46a

SHA512
04d68602c751ed3bc61f9d458aff329a78c965f19ede7f6a0c700a6c7ea3e242e5943b609bb45adf594770405aaf12e57ca6afd111bf33ce81d84464223554c0

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
89KB

MD5
6cfa34333e3ea2ecec12cd251cca757c

SHA1
c391af30ae25aff79a29ed918592466a2ac7ed75

SHA256
94798f045cfed3f78a76c83892c1fc093b917bdc01ae1c2e41faec566477065c

SHA512
9b0cc115a7201550f66e42a0e4b24af533f07fd0e89ffae0de7e741a6a180d7ea39577228971a8e836c708f74dfca3b7289923042ae0da36bebc5b68773042fd

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
155KB

MD5
d080371288609bd59b545dd9f13671f0

SHA1
ecb015f849bf6b9d62578c01865b21fb204c9f69

SHA256
23516b5d2f22a5f5faaa017cbdf4917b27dfa331afedfb05b56aafa0e9cf4aaf

SHA512
e3ca19dde9cba42a8f533a6d0d4dafb575985fe63c862df1e43ea4454d73656b5517b87f2ab8c0830a4ee71fec09579a77448c651276f49b791bc4cebed49c3c

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
141KB

MD5
e8f19e08f55abe325a9381febdfe2933

SHA1
e88ca1924911c596b40e1219bb18f42c18feeda1

SHA256
2cf815ce6b8a00a958b27821a7323ef94bf3cd91a194a151efa9a66da2e21ebe

SHA512
6d8cfb7934cdf50e1815f10a5822739284b91ea816b0cb08ecc47d01f9e881fd612ca9c57525c37e851735b6e2665a62c117e17136c9fa1ab3433c1849386927

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
92KB

MD5
69b730c3686a84a6e8004973a13c822b

SHA1
96f76440846949c706a2dd76003bd4953bc7792f

SHA256
8fc7d2c64bb0275071c89a3c985d6e0b982a7f82eb04c939aa0db6c7f35e79f6

SHA512
a67fa0256576e9252a85d9dbc28118ef6c8fb55051c1e745ead33acae04e0a85761fba532750f08001076ab183f8fdb696bf12655262895a614f25428b3853cc

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
137KB

MD5
06f0bfa17f1fa387937977e52339f630

SHA1
ce3e4a24dff80ec38fa8735415bdfb8878a97b9c

SHA256
56a515d5ce97c875aac30edb92930d8098dbf17b72806f1e1903f599d7ac078d

SHA512
f886e8861b359247ce42ddd596b3ddfe4de6808bd36f83b09c456f6e7cbfa7c61421db6e61bf61440c9fe8d3ee43a8489a174f7787439a1a200dc58f61eb3b6f

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
45KB

MD5
8682fd200939e8b5fa1285472d6a62b6

SHA1
fb741ae8e8ee596b8e824d5a6d6b46aa5a1406ae

SHA256
4ae67e57c6f1aa2afe171457712576aa88c67f2f14a33b818aac3637fa901e82

SHA512
fb1aaee74f2b26828c458ba2932029fc9a7a0cb29c022e6cbe2e16c09b7310ca01b05b6c6d9f9b37df0134877223ab24ca2361baad7fab9758e289eb2a6fc3e3

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
69KB

MD5
a84182d8a782fe26779af8768fc028d0

SHA1
f9ebfc8a5b2033f241cbc0f2e367b7e64abf5ae7

SHA256
683999bf8ae04af8fca32f2ca24eff2dbcff91b93c85e76419df46fa63bd4b2f

SHA512
ba7e8569e61849935acb2049806c2563b3979ac6a398881d132355abedb01d27170152b5185b91f695c38c85f2e0068921f01ab837af1c93f908a8c5b0da151e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
77KB

MD5
0bf254526715a318d1e5ca857ca4800f

SHA1
c3fbb880a221460931eeb9b6721b27f085d5da42

SHA256
7a732259afeb6fe6d8e391bc6889d72b66526081b9bfb6b75705dce482e1a612

SHA512
5071dea2da65c1b959e41b41b3ce50ee092abf1e33987a0b62fb7ac2c2780d347189fb10f2a2ecc2fcbd4cacd83af1fa7afafadaf12dc13085616525461929d6

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
81KB

MD5
86c30825e446f9e7cff8860a46640287

SHA1
cf5537506051e4e0e24d95e98946ae9086e003ca

SHA256
7f2ca1e5147fa5225a6b328eaccf32d00fab4d79b98d0a14eec5039ee0d10760

SHA512
98a277e87d41c407617fc51127e3981d09b031a600ab2662557c3a3aff1b9d5cb0f97c5fdd98ac4e5a5e10950751f38a868596141aacc27c09d2b3d32c2c53de

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
106KB

MD5
f7f0da419e3f78dbc1e8470de4fe04f2

SHA1
0be379eb7f387d5f7b961100f68756e975453859

SHA256
a0c448bbb04fe2cd907284afcca9e7207224c5dc32095647e796766b10652652

SHA512
876751cf406686433f19f0fb12ae9fb6eddb8fc33f9cc11b8817894a7fa5c6909e3269311443ac0dd3181d6511d994916d9885c5f1e20c2fe3ae73af0f2ed5cd

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
35KB

MD5
238100fe2e14278825747cbb87a06f7b

SHA1
2d1783a9e4672958c4ea4b57e5be6e0f45ec5c4d

SHA256
9320937161a53a01b90b5f9cf5c2d827d8d1fff1d78f2e5f4aef52bf4e9862ec

SHA512
a44ee10cc2e0e24735656b443b6d59ce387a37c608e2b7a57d91ee3ac4a75c3cfafce8ccd63851337af69b44c7c2357b50c5aef40b1166dc22d1b8d6f7d1ee44

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
59KB

MD5
4c477c021cf3bff514815ee8b75a4142

SHA1
53763ccb7e126faa7e7c3998087733131aba1027

SHA256
8ef1ae5bf83c78e9170b0e40219e051c18c24a7aca6f64dca504725db893bc09

SHA512
58bcfeac31186f286404fde0393549799fed54a223692ff54339b0ed5cdf966e54ee06316cf49a5a5a07b3a86dcd871dd47452224fe4261d56cfe546c5e5cabc

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
92KB

MD5
b45aedff90ef9b300b2513e7d7507c5f

SHA1
137bc0b9e9e3e02350e921437d51558b12e39f76

SHA256
5da570d4a9bf899a24a38c5823782a32c251dda0ac9e5ca2cecab52ee8c4040e

SHA512
f336deae70e232c96134a92b1107e30fdbe17f27e105d07574b61a35eef43002a43613fb7b7f37ad5417f6f7e90d685e946b89394f1e6c6b1b4539511f8894bb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
47KB

MD5
0549c3b90d9f17bebb5c80ffe6c3c10b

SHA1
9d506f3106b91b110472368ee12c278a5dc5711d

SHA256
75014c06446249d705e8875c7d8519d1201e2ce25b609c51e81f46ae5e3e0362

SHA512
1d78a6b6a478328984950c5eaf01384d386619c0a5371c856104692eec6773992235e82ccaac869555bdfecc3f100bd1308bca6f46e8d3032be57fdf7cc3bafc

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
135KB

MD5
116229c318262b0e583634f9df69e3b4

SHA1
050c6b2c1163f117a0a873c7395618bdc4dbd709

SHA256
bd798cbeef06dd2f9fbef9ab2be2cabf509a11b9c858ec494124c2ebc53c497a

SHA512
89f9af07637805d8963288d94c587ce173fa6552bfe80e51b840a347427c86626dbb0721e73eb5bbcf2b003cc52a784548c425355f0928b72ae13738504d248b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
64KB

MD5
b8d32b9cf21ec478b614ba29defa5e31

SHA1
6f20904d4e285e53736fedf66e81046a5fe192ee

SHA256
b9389b07ef687d12a1ebd5595f0ec1a39cf0986e3bb4a20efba9d15558debdff

SHA512
a6a5af7ec9a4f98bea57638fe0c04483402edd03105ff26e73f491c2d5c0452c5e3c227bfb605ca44b9042a39320334895da29bb8ce16575e445ac4b6d37693b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
115KB

MD5
d4b204b5de6c09ffd9ee327ae2b1acb5

SHA1
29f98b8b9c3a0c0a484bcca4db1e9e1db04bb237

SHA256
561f100aa5f4748e65a9adba7d355d98d485c03aea41cafd0a6cfdd7191a1e78

SHA512
13abb51c678be250161dcdb74d11bdd1bdf66e4cd08f94f45ec20177f8f9addf47a87b0396e2395bb1cd09f00d64c59faf5bb68680d69360f90a7eeb0366da3e

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
45KB

MD5
bf6e73f59a54b1b69f36eb9d7243cb11

SHA1
9079ca7b5fabfab40637bbf286d967f20f96f63c

SHA256
c39215771d4a657f117583377df6d317f779432cfc051c52d8ed328d77c1c8ea

SHA512
e981f58ee4a854d178013327c1294f4ab35492e379a721d08ac11431a6c3e8421a00500bc1f2507a1e75a077a7e08f7e5ad00961ce5f619c6089a7dbdf7ca6ef

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
94KB

MD5
c99660110b4b951f3ae506b0b0e498ec

SHA1
2638064fe148ca2f96202933ca9f16a3ab987a1c

SHA256
e773604bb4218b345cfae0b8665d8847e4192f75fc05f50d49dcaf2c428f8b15

SHA512
e1f1b54b379fd1c8fabf6fedb1e2f5d8e4db1c65148889be228e07a4e0dcf68551640c3cfc3d2a29febf1da5e27fb8544ed5cb98255089e582fa8e56c5d71cd9

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
79KB

MD5
b99dbcb95ff9b3bfe8f8a27102438c63

SHA1
5195f1870d343960b3e96121919ebdf3c980f41e

SHA256
155055f00e40e551e0249677ebe61f6e5b695a0ac29647cfe04095c84d61772b

SHA512
dce55600689a01b434bb31b57c8dd76e5588692bfc100de9d74c9df63119344f7daa7e0bf2c85b46412baed0bb2df803faf260bfe8ef0803305614089a2c0ed8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
58KB

MD5
a48e5e08aa037f51048a89669f6363dd

SHA1
f332b1cd5bc262bfe56f9622e742fed89d35a06b

SHA256
77a27b52a971d260de71cf23d47885caa19824a5c5f17ed2ce54e2f6b1b96c26

SHA512
c93a5402b2e457b9f0b60931eeb3748021f0458e3e8515aec69a267cfcf9b5d8dbcef0c79297456238a1f76d2467bc7b88c01f31d5de9b6670892a3db5c374d5

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
101KB

MD5
160c4309a0cc1effdad0f30b337ab4bd

SHA1
1c1e5c9ec291d0e22bb7145d7fa6e4883917ab43

SHA256
08f0eb7d0bb0e2a1b8ca04005a8331143351a6dc7b7e90122dc563892341f93f

SHA512
c2fdf637e6c694f0e9eeb8d05c6a423f76495c94987d69af9905c3a96d46c9118b7330f385848578654049f03f067a5c7baf447b15702a48c3ef8c6faf9013c5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
131KB

MD5
e857b478a8867d588fcd3d1a2202e5c1

SHA1
6f184b3dc7e23d8425844613490a333eb5763756

SHA256
3aec8ad52bdb36c071b9b79f0688c8ab2245b03a874a06c3df78c8052e0162b1

SHA512
592a7000745711212b66dbbd4386e7be1de1402a69f656318d7c7ba9e0b92957bef2fa7de37b818b63d15060c8a146889ca7430dea611ddbed51b535f58c7cdf

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
64KB

MD5
b800743d94ad95292292588f5085f961

SHA1
6836e0e74d9c4b707e5da4412d2b18c18c02b551

SHA256
40ec2fa3f8682351e1f2e0326adde62fad4848d4a4037e00e403837e50004ca9

SHA512
22b4cdd9ba45fffa93cd41fc7dfb8c1d63e4a2cb7e1a4137a980c2a6b249f56feddfeb01a376d61f9a3b2212308002cfe7ccf894b6a4eafdf28aa585b548f050

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
50KB

MD5
d1f4b75d4c00acfa51de3fe65d2e5af9

SHA1
2993ae23e8610f57bb1e73b7724c06121fa2fc7c

SHA256
06d3f5f7507a403860cef1e6c73e548b2e36037597162397ed91f37c9055dc1e

SHA512
a258c0934705f8c3683659693c541d45d10ffbd04b694b5a05d5cb53ed64412c119f8382555f265fbfc5d1f4406a13d6de89f56959173a41c49760b5566e0d4a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
87KB

MD5
1c72cfebd629872959222d97955b016c

SHA1
1ea0bd1ed482ba8bd23bdba8e1a69bfd2647c318

SHA256
4521b0abbbf721838bbb7e79d8a121ef467001d91f75847778094974b07c49ce

SHA512
9983ff8de93e03540027a3232c50e1418d186d31dba720d288e1cb8f8f7e75bc859011e3a1babf813680bb8f7104b8f10bc02553836e7a83f21b712950deedeb

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
68KB

MD5
0ecb01243ae2d04cd320c07a647896b3

SHA1
22036138a483b635806eae734e93914b121c251d

SHA256
d8ff6fd98295418642eac4c16ee73fbaaf179e978106f91a10625d258014f56f

SHA512
cb6a0f1449963d4de278ce8350eaf9fd9e0bb67c7546d4ad0b09b25676c5d928e85b40b3fa40973dc320f524889060b9f6c5a6359b3fa6a863326f68114dac86

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
74KB

MD5
d22405ba5f5181ff74875e8f3b40f62b

SHA1
5347249f4c0dccf58c1be28acbe52b11543e1398

SHA256
21baea79d82e994cfbec2661ac597756558cff793feea1397a3aeaf873ad8f29

SHA512
7ac5de1e433fd8bc5274239fdb8fd86eab1ce64214663d2ec28664b455306a95b3b54699ff1acffa3eea7c1b46edfa6a23d2460166945be52e72afa0a562a19d

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
44KB

MD5
a8b4d79a5ee2e506edca4687d657a087

SHA1
71dbe8911ea78812d121bfe39cbc2c2ebc44e131

SHA256
3cefc0b280eec8ec3b08c0b24799df8589d21ceb6df8e68244318535b08a0898

SHA512
2a64d88bbab05235548ec04774fba8ea2b4b6ae63ff1bb22f2d83bca1dd3dc4bb86021290d7ee993ac31cfd75264675fbc66905b287c4c588bb50647bd70848c

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
100KB

MD5
eb0d5a4b872461d03da70e6ffc34e7f6

SHA1
601e4a156843edc01dc679c2d5d898f871f06f4a

SHA256
6a6e62630c19e66a2fa95a329796f12e869bbc2481872f88f90c06bb6319177d

SHA512
dabc3a1c62b91baf2c19bd6e5a0b2906e6dc265385443be3fa271784e8bf04e69bd86fc370926e55549b0bfb284be0179b20b971f4c2706797d56c6d2ea535ae

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
90KB

MD5
01634fa85802e58d4403e2958b32ff83

SHA1
7d561c51b1376945414ea66b491127e3efe7390a

SHA256
eeb6e2c7614287a3f884d4a4f8f6b5a4e7e2c98ec4044bb3d8d115c457b5d725

SHA512
451126f424e3d666b25769df62c01bbd5af0f7ab14d4ae0e760c0943b5348ac6a4280978f77e078a66c5e3be4d8915356a18c324a11bc48efe92d4e4a075496e

Download Submit
memory/8-252-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/8-129-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1268-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1268-250-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1464-17-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1464-280-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-256-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-113-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1508-240-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1508-181-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1632-276-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1632-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1840-268-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1840-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2256-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2256-274-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2532-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2532-262-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2564-264-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2752-206-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2752-233-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3176-189-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3176-238-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3304-225-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3304-228-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3552-161-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3552-244-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-282-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3764-278-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3764-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3796-121-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3796-254-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4272-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4272-272-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4276-246-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4276-157-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4324-260-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4324-97-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4348-217-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4348-229-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-169-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-242-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4428-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4428-270-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4472-236-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4472-193-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4632-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4632-266-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4976-283-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4976-284-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4976-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4976-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4976-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4992-209-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4992-232-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5072-145-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5072-248-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5084-258-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5084-105-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads