f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Size

182KB
MD5

2a854673d2c639329072143fec212dd3
SHA1

04d1f89ed11ac36e9be14973b5e453568c9cc556
SHA256

f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e
SHA512

e005a1e65f17850d86b0846c5e4a40c94372c584af2f3f3789ba130c3b8195528af8677df46a40289691d4d2a0f587222da9304e2d736dcc2f5bd43b81988ae9
SSDEEP

3072:Nav4n5rwdLj9z4j37nguPnVgA53+GpOc:NagQ9Mj3EiV6GpOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe

Executes dropped EXE 26 IoCs

pid	Process
392	Lgneampk.exe
2876	Lilanioo.exe
3828	Laciofpa.exe
4948	Lcdegnep.exe
3452	Lnjjdgee.exe
900	Mjqjih32.exe
3432	Mgekbljc.exe
3996	Majopeii.exe
2236	Mkbchk32.exe
3208	Mamleegg.exe
2920	Mcnhmm32.exe
860	Mkepnjng.exe
2292	Mcpebmkb.exe
1020	Mnfipekh.exe
3128	Mpdelajl.exe
1844	Mcbahlip.exe
2512	Nnhfee32.exe
2060	Ndbnboqb.exe
760	Nklfoi32.exe
1680	Nqiogp32.exe
4412	Ncgkcl32.exe
3748	Njacpf32.exe
3836	Nkqpjidj.exe
3252	Nnolfdcn.exe
2836	Ndidbn32.exe
3196	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	3196	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mjqjih32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 392	532	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe	86
PID 532 wrote to memory of 392	532	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe	86
PID 532 wrote to memory of 392	532	f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe	86
PID 392 wrote to memory of 2876	392	Lgneampk.exe	87
PID 392 wrote to memory of 2876	392	Lgneampk.exe	87
PID 392 wrote to memory of 2876	392	Lgneampk.exe	87
PID 2876 wrote to memory of 3828	2876	Lilanioo.exe	88
PID 2876 wrote to memory of 3828	2876	Lilanioo.exe	88
PID 2876 wrote to memory of 3828	2876	Lilanioo.exe	88
PID 3828 wrote to memory of 4948	3828	Laciofpa.exe	89
PID 3828 wrote to memory of 4948	3828	Laciofpa.exe	89
PID 3828 wrote to memory of 4948	3828	Laciofpa.exe	89
PID 4948 wrote to memory of 3452	4948	Lcdegnep.exe	90
PID 4948 wrote to memory of 3452	4948	Lcdegnep.exe	90
PID 4948 wrote to memory of 3452	4948	Lcdegnep.exe	90
PID 3452 wrote to memory of 900	3452	Lnjjdgee.exe	93
PID 3452 wrote to memory of 900	3452	Lnjjdgee.exe	93
PID 3452 wrote to memory of 900	3452	Lnjjdgee.exe	93
PID 900 wrote to memory of 3432	900	Mjqjih32.exe	94
PID 900 wrote to memory of 3432	900	Mjqjih32.exe	94
PID 900 wrote to memory of 3432	900	Mjqjih32.exe	94
PID 3432 wrote to memory of 3996	3432	Mgekbljc.exe	95
PID 3432 wrote to memory of 3996	3432	Mgekbljc.exe	95
PID 3432 wrote to memory of 3996	3432	Mgekbljc.exe	95
PID 3996 wrote to memory of 2236	3996	Majopeii.exe	96
PID 3996 wrote to memory of 2236	3996	Majopeii.exe	96
PID 3996 wrote to memory of 2236	3996	Majopeii.exe	96
PID 2236 wrote to memory of 3208	2236	Mkbchk32.exe	97
PID 2236 wrote to memory of 3208	2236	Mkbchk32.exe	97
PID 2236 wrote to memory of 3208	2236	Mkbchk32.exe	97
PID 3208 wrote to memory of 2920	3208	Mamleegg.exe	98
PID 3208 wrote to memory of 2920	3208	Mamleegg.exe	98
PID 3208 wrote to memory of 2920	3208	Mamleegg.exe	98
PID 2920 wrote to memory of 860	2920	Mcnhmm32.exe	100
PID 2920 wrote to memory of 860	2920	Mcnhmm32.exe	100
PID 2920 wrote to memory of 860	2920	Mcnhmm32.exe	100
PID 860 wrote to memory of 2292	860	Mkepnjng.exe	101
PID 860 wrote to memory of 2292	860	Mkepnjng.exe	101
PID 860 wrote to memory of 2292	860	Mkepnjng.exe	101
PID 2292 wrote to memory of 1020	2292	Mcpebmkb.exe	102
PID 2292 wrote to memory of 1020	2292	Mcpebmkb.exe	102
PID 2292 wrote to memory of 1020	2292	Mcpebmkb.exe	102
PID 1020 wrote to memory of 3128	1020	Mnfipekh.exe	103
PID 1020 wrote to memory of 3128	1020	Mnfipekh.exe	103
PID 1020 wrote to memory of 3128	1020	Mnfipekh.exe	103
PID 3128 wrote to memory of 1844	3128	Mpdelajl.exe	104
PID 3128 wrote to memory of 1844	3128	Mpdelajl.exe	104
PID 3128 wrote to memory of 1844	3128	Mpdelajl.exe	104
PID 1844 wrote to memory of 2512	1844	Mcbahlip.exe	105
PID 1844 wrote to memory of 2512	1844	Mcbahlip.exe	105
PID 1844 wrote to memory of 2512	1844	Mcbahlip.exe	105
PID 2512 wrote to memory of 2060	2512	Nnhfee32.exe	106
PID 2512 wrote to memory of 2060	2512	Nnhfee32.exe	106
PID 2512 wrote to memory of 2060	2512	Nnhfee32.exe	106
PID 2060 wrote to memory of 760	2060	Ndbnboqb.exe	107
PID 2060 wrote to memory of 760	2060	Ndbnboqb.exe	107
PID 2060 wrote to memory of 760	2060	Ndbnboqb.exe	107
PID 760 wrote to memory of 1680	760	Nklfoi32.exe	108
PID 760 wrote to memory of 1680	760	Nklfoi32.exe	108
PID 760 wrote to memory of 1680	760	Nklfoi32.exe	108
PID 1680 wrote to memory of 4412	1680	Nqiogp32.exe	109
PID 1680 wrote to memory of 4412	1680	Nqiogp32.exe	109
PID 1680 wrote to memory of 4412	1680	Nqiogp32.exe	109
PID 4412 wrote to memory of 3748	4412	Ncgkcl32.exe	110

C:\Users\Admin\AppData\Local\Temp\f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe
"C:\Users\Admin\AppData\Local\Temp\f26e19afd157c0157c6bd6bea03d04db30f67f9dfa9043713e200d1876b5115e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\Lilanioo.exe
    C:\Windows\system32\Lilanioo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\Laciofpa.exe
      C:\Windows\system32\Laciofpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 400
        28⤵
        Program crash
        
        PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3196 -ip 3196
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
182KB

MD5
0e25fd9f1681c6182452ba667f6b5a22

SHA1
0e5937f5ea836799472a50031a2c76a742147372

SHA256
5569babf56b2b26b7cd73d7897974997ce2604550d119086cdf13c8e48b796ca

SHA512
04ddcbbcd05198c934cdb887cc75f5ffb360763e640ce424651e83908e96711d872641e494c7e2dff9dbfdb9794850e22a5db4ade4258440bd63a09eaa30c690

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
182KB

MD5
4358a683a997b9ebd7d21d9a0093579f

SHA1
577ab93a47df610aff3088a2d3285cb58ef7ba64

SHA256
4bc59b6a2bd0ffaeaf2e04c29101ac9c94fb85f98e25f67c9c109623035894c7

SHA512
ec6b0314bda6d3bd082cd3ad0445ad7b66888a554889508a94d6eb06e6030316b16425f02623e788a3206afe20647d05ef04c6cf265eab78896879ed5b590598

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
182KB

MD5
5d36c00635d2b673a9ee660e24cb9606

SHA1
7e54e2d603e66e81c8ed457878c0486851d56e2b

SHA256
5e8e61502f7da8cf5c2ad1d27034a67f15cd7fc704c404459ae0a689a39c1fde

SHA512
054994e4cc8e8a30813426c11d1dde40ca90fdf30460c79cfc58a940fe1fc8eef37f3a123a45b2f9915eb5624f574bf3437aed47996d85259fab28d86182b67d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
182KB

MD5
7665839921c16f1c0dc3601ea48564b5

SHA1
ee204bf650bb0cc54c1e9be7f8b4548af48d1d41

SHA256
113e5dc06f9f1829347e0620ec4b33406131998622288716e482c30e6c315e26

SHA512
f4a4c35bf85b0234d7f3c57917ac17f9f246087e2d8f1d858bae0e7c0a772ec5d9deaecf7d2ada802afe3042fd926ad28dbdf9c6ec3021c94c820908bf47d436

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
182KB

MD5
440e3fd067b742fdf2f6dbb53ac7451e

SHA1
4a374f5d326a24b79257246b4715b989a1389e65

SHA256
6072262dae5686f71d11a252ff454aebee1c0b72010537f7b48a421431676e97

SHA512
5246f35ad3051985245627212ea49365ae10a897aa4051f941dfa403afe7e90b2f96c41b0e9fc5493e09511b4979b9b47d639925cefcddf2e36e86a0ee31bce6

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
182KB

MD5
b40b2e93abcb31693511094f06520fb4

SHA1
dd739f9cdea34840354a0d464d7bbbf7d1e1b858

SHA256
9a6e29b962e9da5ea17e0008cf8add29f7e77c5a171ff80a3492fa084b74a35b

SHA512
89f67a6995dbab470122f3804e6b928090ddb967753b7c5914950983ca2b0aff002cb50c95e5435462a5dd0a29cd80d60524e536380e19065b467d0ab4928880

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
182KB

MD5
54461a1a5a05ee9eb89c59fe5952d9d3

SHA1
b37bb86e6998863096513193bdd0437960d03a90

SHA256
88e38c682fa77460c5cc83f118b0c248e6af33abf89b1ab3b793e8be3882eeae

SHA512
b70179e2ef4d68924a93428fff1d192523a09bcda0cbcf89b443c59075ab9cea0525872ef2e34ab108eecad4842f11283a72ceeb1e084572e4c6587f1223b3a3

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
182KB

MD5
7b8ed86f5fcef131903ac22d94f8e7bf

SHA1
5ededf97ae67af312cb06dcb30b4949630e54b97

SHA256
09381692255e23bc92f19d4e05247f0da835bc09a6dfb2f6c7c2e77335895777

SHA512
cbc5f91e7044b9a044d39541ffaa2f67710d788bdc41363c54974725654b30add888b1cb1d1256712a197f77bfa1af4bd43804951a0334a9c0801a0f9fc227b9

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
182KB

MD5
2488839faac9e2de3e1e40a28a5e6a72

SHA1
b8149c0d1d150beddb7bc51a82aa56a025da62b4

SHA256
1f7cf7a8e0742e8a4eb3ddee5e3aa09c366113853e79f222ee5ad5f5693d16ab

SHA512
2dedf439cd599c5e0679b354e460ed20fbca3a42fb7642a56868efb9ac1d364bd30c0f00bd0f11c0f78c2cdc98ba1f7c1f440849502048c0213bc6d98cb68014

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
182KB

MD5
f20f448984fb7fcd99ac323d0606ba57

SHA1
d25fdbe1645b132e842774ddf9eae8e11c0fdf08

SHA256
38364fe5af2f1c9141c861521395c77f75c335d85089644773483174b6bf3351

SHA512
b541ed839eb5578fcfcf660b2f7f84061d1a010429c9ea8c33b04e25c3ede7b166f8a952f67a5539c3f19c7cbee149817c8e5b8fdf1ee4d8109c702a3280a0a9

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
182KB

MD5
d026a4e04f0691dcdee7040f19f0996e

SHA1
d1c0cfa78df3ea900f49be06887931b392612c68

SHA256
c3e8e982d05dc919f1b52cbdfea59050159100cc87203a7b02fa8159063d37e8

SHA512
d03d615f9249220777b526d897ae22a5207b1fe572baa530a0ac2a38808aedce192e7f71f6de7f5011e6bbe553a3884a86fc4b8344bdd61d6998abe5dda1e3a3

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
182KB

MD5
eb9cd4f3266bcbd830481b7d056307e8

SHA1
8422003b58590fddcaa32728f412d4f6fb26f54e

SHA256
ef7a5d0d1aaac1ceb38b520c889649fa1cb2ca39b4e57760b7175917f638882a

SHA512
60c7fc34fa7d4ebacc5565860f0649bd32fd6dc2e49c41a08c3f190e89563f894f2aab8a35e6cbbd7355cde1a9e4333dedde0c7828ddf20301b7f7c5a088e7b5

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
182KB

MD5
d7740022449525eaaf3afd440a477c47

SHA1
cefd2044445e55e6f20d03d5f37e36c53d003639

SHA256
f08d3619caade0f115ed56414f35d7a2df36edaab026d8e82211c1dc184ea620

SHA512
59f233f9cede39fe45975182a4a06101557108ce04fed1905e03c782ba9540248e32375ca615e85e6fc580ee8214f00853bc7a1edfe08db8aad20aff1f8585d3

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
182KB

MD5
fcea9815da0634ca1f0c8db71f38b24c

SHA1
cdad132781ba6cf160a8fc29d3aa2e5867824e9a

SHA256
8618da700aa127ff5f1da0e836dbb5d433ee6c6efcf94b9363394596e61d7450

SHA512
c5e49bc7a5298b606dbf604538ad872d0fa9e53f0d19969fe5932f8f6f7ce9413bdf9d7fb14862d592b6b8ecc13487c50a29be1f8a65845fe526e29ae77008ef

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
182KB

MD5
650b29308be01d178fe3cc99bd7e7925

SHA1
c101471193104a9ce254a932ce72c0cc6bcb66dc

SHA256
eafa832da9f02689e017e48c8a9733d7a28161112c9974794252056bffd44504

SHA512
7e43d4fb26f80d26445c35c0473571cde66bf616f411732c9f362f953598efeb039ecfc61c25941da3e15f93d6e99083e24b24dc843716ceab6d1b873dd7b88e

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
182KB

MD5
355d99ba640ddd578c60a66ad3d429c0

SHA1
66eb083a402c2231239272e7d2500ff58f937a18

SHA256
fdfea3cb77f84eebb72ace5069597d7ec17ddee89adf46e428ffcf643d2e28d9

SHA512
a61f5f29ac0590c9fc3a579cfc72e2394ed320fd72222c6fe0802c354d33f50603277283d6835e0f215ff669793b295d88bd8c9773a83816270ccb300aeb6d84

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
182KB

MD5
3969ffd84834da616db62ac67057166b

SHA1
af044157849d58781d299b6c5bbd76cada66038b

SHA256
33ce171923efe30a526b01bde8912375d823b89bfec6627d753f286ce070ad49

SHA512
cbf879ef9bc411fd549d38ea4b3024c700b2eb1e3c43254305c075eea0baddb4863c0983ade581d9ddf4cbe38751c14dae2725d4051f79b8e6a8c5bb36a976e9

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
182KB

MD5
38e101656cbc817b47ab4c761eef9cd6

SHA1
c57f8f371211610a5982249cb6c36e6fe4f8c963

SHA256
be6ce037bdd9bb07abd9b5979da760babbd3fa544608e1e77148e3174835258a

SHA512
001ce9c8f5cb5be86b115ffdffd0b581854b6a2218497fe5fc8809b6b35acef0801ad69465c90ec841c7f15123c1d18c83522bd9a9e61db276b190a0aaae52f2

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
182KB

MD5
23e2118559e4f5caa8cc241d91984709

SHA1
edf494df3b0310f02fc9d22e04103d78db5a4928

SHA256
57494e9b5437fc29c69d20e7861b96eaf4365ceb4a6d1ecae7bc37bf9bece28b

SHA512
94d8da670da35145b2c2c2bf5726102f0e0429c8f6b930a425cccb91f69ecb372ba286474ef1f92c242ad788f42a8a7eddb83e19b5fbe36dd5ebf5ee3dd69f5e

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
182KB

MD5
b84b673bf3d2cc1ca067b4f6638f3008

SHA1
79b4a88381a674ee7a7690afe7098913091c604d

SHA256
4f12de0d31f4469a0240a81dad8f635301c7426b1f7561aebfd0db7218af626a

SHA512
996520dbe01b4023163651d920ac45200752f3e4a6d07fc8209eea3296d9569559b5e171f2c3ee12ce2e57bcb72fd43fb123f93042df8db00cb6845602bc6e08

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
182KB

MD5
257dccba7e7fee8070eddab74a4b3f5a

SHA1
e6a74f5a2448a62903a732f405a0195d5b5266a3

SHA256
509782d09325f8c6964dfefda2fe76efddabc24771ec2cc0131be6369d4c9bdf

SHA512
eddf3c08ca01b14c734a0e5c077af149c66f6bbbd33b177f6446faa28e41dd4da85b6d376ad43d719c5550a45acf3b82ddab174b61dfcc0a399b0c53681df9e7

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
182KB

MD5
3aba9b15e85d72cd3d4bec361f493358

SHA1
04522f18aa4d6cb772998c74fb2c3a4112a3d49f

SHA256
dfd6db1e1fac47e1cf93c14b96e5fc9ce1d02093f5d740528ec00b40a14cb4a7

SHA512
93a6805ddc2a44cbc15ba092e88e2efdb74bcdf2d6f52267a6776695c89b8c8017329c948291fcfe49f6109c41c34e975ecc1d373af4324a1aabf769d835ed9f

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
182KB

MD5
d6a4fdf9763241500641718c64f89972

SHA1
ffbdc8acf8178f9f618b250a37e30ce9f6027687

SHA256
8279b46bfaaf5daee46a13ed09f1e5f83310b06c83282b864cf3f86314c070f6

SHA512
890093dc06ea9e0321d79917929ce62ff8a687f510c071e5464574a84fd9c9b9584be834d522100d36691e92b70b361521417de7f751471aa343903dd4692852

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
128KB

MD5
1b84bd1bd7b8f19f96a7f397e6659247

SHA1
80ae00b4798d414da53481555f933e71cc930eed

SHA256
77bcedc2e473d6fc14bb57e5452a24efe7fa8933dcd4ef8186581ceef6dfa8f6

SHA512
3125dd8633ebedc4c690b3edb834840d522568c23844fba1443eee5ff3054ed751e74bcab6726c526d628f3ccd2ca3a0d94161b9c9c38056eb70c53a71735e68

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
182KB

MD5
45cac83fd1a81424f82a334242c66fdf

SHA1
4182ef6aaaf04343119d1cd409ed15c4c3b290e6

SHA256
a75aeaddd55bfe4f6aa45c57f0e59068295ae0dc17d26d4a1016c796253b1154

SHA512
b66b6769f3b8cc4ed2a67d130ae149084a84acbf825e5ceab5f52bd72a91a5a3e117420e52a3c0b32e97e6a44076a8bb7db187c98f0d223b6b857fdb2e6b20b3

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
182KB

MD5
eaededabc0e0772e2815db74bd1e18de

SHA1
288c969088359d501ff756c1f41de313f75a7f9b

SHA256
d5af978e925635921b11860083fd5cce0f126bfacc1efcd89a1e3f0005c7f3d3

SHA512
ed3e8014dd909cdba140a69ade66aa71b486163cfa9d324fed400365d02e393f8b5399ef7a238992b6fbd097875fbcb3d9650cf1ba211565b16f1d69e4e85191

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
182KB

MD5
451663c3f6cb99fb9418051efcab42bf

SHA1
62c2f2b3cc1ae00c27a683a2992f8187ec044144

SHA256
6ba02cf639d9e847d2158c11ae4e5406a4d9bf3d6076ca31921dff03005a785d

SHA512
22ba273bf58b3ff08044b813b9079d1bcc378d79291e793cbf8ae8a90a1f464a2d9c243710a01dc70179cddedd0e0ce19f96860874b805152a016c59a8de5301

Download Submit
memory/392-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads