ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604

Analysis

max time kernel
55s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Size

256KB
MD5

233a4c3e64fe6486997dcdd5a38362d2
SHA1

720a995378850dd917c82c9a3a364d56edbf2fa9
SHA256

ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604
SHA512

cda8e2a6a28a4662401a54795ecc4f9cd003ddeb0c6ac5bbfe49fde7a8f0fc92c237a0b9d180d5394d724b5cb1c29abf3275616e944c59324912ba5be46ca6c4
SSDEEP

6144:pnI6hJbTlSTYaT15f7o+STYaT15fAK8yL:pnI6nATYapJoTYapz8yL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe

Executes dropped EXE 52 IoCs

pid	Process
1716	Ldkojb32.exe
1520	Lkdggmlj.exe
460	Lmccchkn.exe
1352	Ldmlpbbj.exe
4532	Lgkhlnbn.exe
744	Lkgdml32.exe
3544	Lnepih32.exe
1712	Laalifad.exe
1912	Lilanioo.exe
1236	Lcdegnep.exe
332	Lnjjdgee.exe
2180	Lddbqa32.exe
2428	Lknjmkdo.exe
1628	Mjqjih32.exe
4552	Mpkbebbf.exe
4668	Mjcgohig.exe
4836	Mcklgm32.exe
4608	Mgghhlhq.exe
4628	Mpolqa32.exe
3652	Mkepnjng.exe
904	Mpaifalo.exe
2184	Mglack32.exe
4604	Mnfipekh.exe
2400	Mpdelajl.exe
528	Mcbahlip.exe
4252	Nkjjij32.exe
4236	Njljefql.exe
1248	Nqfbaq32.exe
444	Ndbnboqb.exe
2108	Ngpjnkpf.exe
1400	Nklfoi32.exe
4292	Njogjfoj.exe
464	Nnjbke32.exe
968	Nafokcol.exe
2744	Nqiogp32.exe
4784	Ncgkcl32.exe
1444	Ngcgcjnc.exe
4612	Nkncdifl.exe
1088	Njacpf32.exe
884	Nnmopdep.exe
2464	Nbhkac32.exe
4540	Ndghmo32.exe
428	Ncihikcg.exe
2592	Ngedij32.exe
2016	Nkqpjidj.exe
4460	Nnolfdcn.exe
1692	Nnolfdcn.exe
4748	Nbkhfc32.exe
1932	Nqmhbpba.exe
548	Ndidbn32.exe
2384	Ncldnkae.exe
4048	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Cknpkhch.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4080	4048	WerFault.exe	137

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1716	4788	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe	83
PID 4788 wrote to memory of 1716	4788	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe	83
PID 4788 wrote to memory of 1716	4788	ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe	83
PID 1716 wrote to memory of 1520	1716	Ldkojb32.exe	84
PID 1716 wrote to memory of 1520	1716	Ldkojb32.exe	84
PID 1716 wrote to memory of 1520	1716	Ldkojb32.exe	84
PID 1520 wrote to memory of 460	1520	Lkdggmlj.exe	85
PID 1520 wrote to memory of 460	1520	Lkdggmlj.exe	85
PID 1520 wrote to memory of 460	1520	Lkdggmlj.exe	85
PID 460 wrote to memory of 1352	460	Lmccchkn.exe	86
PID 460 wrote to memory of 1352	460	Lmccchkn.exe	86
PID 460 wrote to memory of 1352	460	Lmccchkn.exe	86
PID 1352 wrote to memory of 4532	1352	Ldmlpbbj.exe	87
PID 1352 wrote to memory of 4532	1352	Ldmlpbbj.exe	87
PID 1352 wrote to memory of 4532	1352	Ldmlpbbj.exe	87
PID 4532 wrote to memory of 744	4532	Lgkhlnbn.exe	88
PID 4532 wrote to memory of 744	4532	Lgkhlnbn.exe	88
PID 4532 wrote to memory of 744	4532	Lgkhlnbn.exe	88
PID 744 wrote to memory of 3544	744	Lkgdml32.exe	89
PID 744 wrote to memory of 3544	744	Lkgdml32.exe	89
PID 744 wrote to memory of 3544	744	Lkgdml32.exe	89
PID 3544 wrote to memory of 1712	3544	Lnepih32.exe	90
PID 3544 wrote to memory of 1712	3544	Lnepih32.exe	90
PID 3544 wrote to memory of 1712	3544	Lnepih32.exe	90
PID 1712 wrote to memory of 1912	1712	Laalifad.exe	91
PID 1712 wrote to memory of 1912	1712	Laalifad.exe	91
PID 1712 wrote to memory of 1912	1712	Laalifad.exe	91
PID 1912 wrote to memory of 1236	1912	Lilanioo.exe	92
PID 1912 wrote to memory of 1236	1912	Lilanioo.exe	92
PID 1912 wrote to memory of 1236	1912	Lilanioo.exe	92
PID 1236 wrote to memory of 332	1236	Lcdegnep.exe	94
PID 1236 wrote to memory of 332	1236	Lcdegnep.exe	94
PID 1236 wrote to memory of 332	1236	Lcdegnep.exe	94
PID 332 wrote to memory of 2180	332	Lnjjdgee.exe	95
PID 332 wrote to memory of 2180	332	Lnjjdgee.exe	95
PID 332 wrote to memory of 2180	332	Lnjjdgee.exe	95
PID 2180 wrote to memory of 2428	2180	Lddbqa32.exe	97
PID 2180 wrote to memory of 2428	2180	Lddbqa32.exe	97
PID 2180 wrote to memory of 2428	2180	Lddbqa32.exe	97
PID 2428 wrote to memory of 1628	2428	Lknjmkdo.exe	98
PID 2428 wrote to memory of 1628	2428	Lknjmkdo.exe	98
PID 2428 wrote to memory of 1628	2428	Lknjmkdo.exe	98
PID 1628 wrote to memory of 4552	1628	Mjqjih32.exe	99
PID 1628 wrote to memory of 4552	1628	Mjqjih32.exe	99
PID 1628 wrote to memory of 4552	1628	Mjqjih32.exe	99
PID 4552 wrote to memory of 4668	4552	Mpkbebbf.exe	100
PID 4552 wrote to memory of 4668	4552	Mpkbebbf.exe	100
PID 4552 wrote to memory of 4668	4552	Mpkbebbf.exe	100
PID 4668 wrote to memory of 4836	4668	Mjcgohig.exe	101
PID 4668 wrote to memory of 4836	4668	Mjcgohig.exe	101
PID 4668 wrote to memory of 4836	4668	Mjcgohig.exe	101
PID 4836 wrote to memory of 4608	4836	Mcklgm32.exe	102
PID 4836 wrote to memory of 4608	4836	Mcklgm32.exe	102
PID 4836 wrote to memory of 4608	4836	Mcklgm32.exe	102
PID 4608 wrote to memory of 4628	4608	Mgghhlhq.exe	104
PID 4608 wrote to memory of 4628	4608	Mgghhlhq.exe	104
PID 4608 wrote to memory of 4628	4608	Mgghhlhq.exe	104
PID 4628 wrote to memory of 3652	4628	Mpolqa32.exe	105
PID 4628 wrote to memory of 3652	4628	Mpolqa32.exe	105
PID 4628 wrote to memory of 3652	4628	Mpolqa32.exe	105
PID 3652 wrote to memory of 904	3652	Mkepnjng.exe	106
PID 3652 wrote to memory of 904	3652	Mkepnjng.exe	106
PID 3652 wrote to memory of 904	3652	Mkepnjng.exe	106
PID 904 wrote to memory of 2184	904	Mpaifalo.exe	107

C:\Users\Admin\AppData\Local\Temp\ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
"C:\Users\Admin\AppData\Local\Temp\ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\Lkdggmlj.exe
    C:\Windows\system32\Lkdggmlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\Lmccchkn.exe
      C:\Windows\system32\Lmccchkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        53⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 224
        54⤵
        Program crash
        
        PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 4048
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
256KB

MD5
27bf667ad61b7914bffc73f808138698

SHA1
0521774247cb766512786b14f59222cd92e86886

SHA256
190bcd7bf5c582b55ee179ff6748ef31e95faf36e8af25eaf2443b1de6a9b554

SHA512
4c78cf748c7a7a320256e9c9c85c192479e66ee3bae1322d03d6a6cbcfa7accc44ab0e148e5a3d66057a9f128ee7467c40660f666cef905515fa4408be620352

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
256KB

MD5
ae55e38d425d1c70b23b53cb99b23584

SHA1
dfa73be503d2f20993e6842f443c5322546f2411

SHA256
23f3918e9d88118511c01c1b5387780cc29b12c01805a110bad5b6e4474e313f

SHA512
9bac5cd9f85b6d3b4ebf013d3755c23f03fbec6b312ef279838a30903d4a7eb04ec56c968fed037de5591bfe0f79b39183cbae520f445fd3fff6d99fa49f5301

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
256KB

MD5
d39b326147cb3d5b6104b6858b46f5f1

SHA1
59e8fce6c23790781fd2aa0b8c5649f2ae34f718

SHA256
522693e07a854e7a55752fbcb1975ba8b8afbc6229a2755ebc4d007c1f6054a0

SHA512
2e52a5dc33b3648c390ad17fb6588e73d88fd4e3bfd1de84ce4dab12a628cc24aa4a2a6ca6324aa93bd18488a621392381734000cabd4736394c3878e48740ce

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
256KB

MD5
4ceb9ecc3fcc7ce71d9633c04a894e20

SHA1
c43258a9002ea7b478a1b8079f42aaad2aee3fd8

SHA256
ceb6307a142e326f2c64b30976fb6fc691d60fe0cf351d0263e2945055c96eff

SHA512
189022993259cf051a3bc3c1f0e4f07c3ce5ebb890b5c6a61cc0c6663fc580a1f567f244850ce11d9dd434a4a3333597d43d410644da363d0851025cace5eba2

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
256KB

MD5
277858826403988cbf0a34140ca61d13

SHA1
e56f92f524752f39320198ca62dc82f8ae3cf1f7

SHA256
eb1442f607d1ef08af34f7f786437dc4d85790438fe27687eba14a1e6403bff4

SHA512
0628e8e812ca16e3c4fe9ff0b1ed374dac16e6e48d7bf2b72e319d6483cf1d6399446bc349dc6c8398e033ec5bc12b1f864bd29508aa13d7a572f1895fe86b76

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
256KB

MD5
a61859fc9d342d8f90b5f8adc113849a

SHA1
42794bf8305d6a5280c9220a769b7f0956ef3a68

SHA256
d40c1bcd383862cd42a4a34b1694feb09b7aa470dd80e0a78bf656999c38d339

SHA512
945a6e29e13b41f1ffa04ba92ce7985458bad6a696c4f1679363921143e244c84f88fe5008b7bf9232ac1a00378e0426f76af3b49cfef686a8dad3efcea128f4

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
256KB

MD5
24e789c2d1b0bbdb687e49658af00d0a

SHA1
f2fec3d694fd73697a565c9346fe69b10a4347e4

SHA256
c623e7430268e86b910f70b675a559b7cbf75cb44e9ba5d7fffd39e30384ccb5

SHA512
da9d03fb446b80e6224f8ec75e1e41dbc3a88bb53a5d924ddbeb6b53c41465ea47043f1d20674f99acbf8925cb3367725ddce8b0c81418f091297266cbeef917

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
256KB

MD5
3a8de26265026a601b379051705b3b1b

SHA1
f8931f371a01194097af6cff7a102935b6191a3b

SHA256
0c4e272b726fb6cfd41cc0d9020cde9dd830222ec56e5f74d66ba19b3a986274

SHA512
96f69de8d7b417fc3f7cae1e1193348034baba5828ce752ffa295017c63536a9bece599cc6fdc54f10dee2b05ddf403be67211122e39a596bcc575bf2f4b18e9

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
256KB

MD5
cf67d490a46200cd1b253af706d6352a

SHA1
ddada3846a8898255b90450bb136b9c215057902

SHA256
27d2fe50f3a3f0b8eaee40aab28c1ff5a0a557871d1068cf7f645503c200d1f4

SHA512
20c76e7e014a90924a58205ba5fa4aa54b4cbcfb133e1605d15c0a094931bd7dbe49bbd1456c4541f9d480b7b49d7437301ab7c1a72385d5ec1b3974ba0ba149

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
256KB

MD5
5616ea31d23f38ca02fcd6de8a94fc0c

SHA1
9d1dc78f5c4c565150698de716397c4f8fdbd7e1

SHA256
98865ad20d420796a1015589fd8d6b101730f3a334979e04c263a04b9f3c6e31

SHA512
c663e4548633d26911591f4f5774649d727ed1e774069364fa32fa5b5506605bc28f644170b8f63ac8c10e291971380c38768f26ff320ef383dd64f24c68d059

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
256KB

MD5
f9317a9a0f95c96ae40a4e58fdd2d59d

SHA1
8229dfa210f567047408f59dee38e1afa0ac216c

SHA256
8e24db1cb7103f47f29434426fa4577d0cc51328d1b58a1c7118b9a43fceefef

SHA512
2179aa74e0af2e7a11651b4a6530266fa6fd5fa6561f7b2e86d3c0d7306948953f6f89493988f4a228ec4d9e8a21de2cb51988cef1d5bd2ccadd03147fa03dd9

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
256KB

MD5
e4cf138887c28a7540573451de8415f5

SHA1
f386fbe7bdb0d5471889cd8e6717a3d849d8bc12

SHA256
0923852a0263ceb37409115640fc4c7e903edc2993779df58ffaa15bb16ee42d

SHA512
1f1040f7e12d437344b8321db47b10b47c413e8f31264f97a02aafd2e8a9e7f3ac0b4b602e4f8eca48b6cda1e533fb80effa8a455741c840b2378bed13ca4acc

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
256KB

MD5
a4ae741a769fd27ba17a2d39701a01d1

SHA1
05297f0316a7c453f0f9da88b88c4f2b8cb1c62a

SHA256
76c379897ff2481e6ab2cedba6daae434dea450a8425a076e03856fbfdb895eb

SHA512
eaf588026101cd99a5e4fd0a36ca574469b1d51a5f72cf9669ff84df51d70185629c67601ca6404a46163ea530a4fdb446225cb8756b3abef5ab76fd22465901

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
256KB

MD5
d5036ace3d2f0a049cfb3297fcbab8c9

SHA1
d1cb23d42630701a3ac66cf437e566efdf3aa7a3

SHA256
65292928a8dc986b5784ab1ef421928f9a68c714ff8e447bbab4bcee8a0f1666

SHA512
c61b515c1c040a23f56cc54ab36a130b2babde679ba9f59a8d842bc7ee0db58c32fb9ab9a6d7c41e8a2fd2b6ed383a95ecb626cf064b557ba0a503221f707602

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
256KB

MD5
785c01cc69d1a44fa47901657bf2a067

SHA1
1905c18ee6e7670b4443cdd0f8569d871326b72f

SHA256
e40b7e3714f1d0d95dc601bd0960273d1ffa31b3998246bd90cb64b1f6ea855b

SHA512
e916996429f92df5eaf3fca9056ae9dd73316e93f6d7084aae61bb6c1f391b0a52730c607442e66bafc59b39c0a162c6a93d2e29481664d80cdec829e135bc90

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
256KB

MD5
ca9a24917104158d4ee24f2dc2a9bf1b

SHA1
cc66ea6210f21bca01fa161eac5fd8c06d4f2428

SHA256
667ea3ecbe5d1645940dc5c3a455ff9c575e0f422a710883a0f3f7934fbb1939

SHA512
87b2e66d07e5811265011968deb9a0dd236ebe3ec7953f57a211e4fe10e5e89cda9ddd666964bebffe5a8adf55ea4fa5694198cb069832ce3584d6cc49ac796b

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
256KB

MD5
146c778d04e56911305ee17bf650112b

SHA1
6ce68a2ac0f8f15d0ebfb44d25320eb7360d3184

SHA256
b51569eea5abf35b18bc95840d000764767c256722620cf418e7eb21f636cbce

SHA512
0537130e04215d500708f06ad35a3dc672fcadd56bc43a199f915e6fabcd024147615f5a46d3abd73077fe6096376ea2297b938cc07a11b95201f7801890e3b0

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
256KB

MD5
fb248a05d11879007f848ce622aa827b

SHA1
e35e3ff5a8c5b2029a726fe5be7a067179e782bf

SHA256
80ece9784d1ab9139ea116a1947b12068ef10c3f8be2be9c7326cbd125adbab5

SHA512
c4a39ae219a734e4a4c6a54906a4e8566fb51282e2a395be905622693268964674df4f75111ad0f098ba3a989bacd64046bacb577cfc6e36cb7462d27ecf1be4

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
256KB

MD5
4d07ca894fea17f0ac4edacd57a4701b

SHA1
ca63da6f40784d4f3bf179f34eb15d7e244457d8

SHA256
82f3658f4491068a4ac8ce0c632e7309315e33030be3c4380e67e72cf58099b7

SHA512
56a19408055eb3f94d951de33869f27251395a36e643a145ca27a390f7c396dbbf75d5577cd2182453cc204ac189f7e80b15e31a1410fa53dd91dc724f2cd859

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
256KB

MD5
1d781046e9b25d4ea3a1806047b80ce1

SHA1
8640caff5bfb4cbfaac620af7b9c10eb83819dfa

SHA256
8eead7a3671e26580135441a4f57c1fae7dcbfd4f69fc3989fbafe07e504c439

SHA512
8e490cd041a7dfbf7df3ecd2070f137d502f3e929b999b645b91cf5e49ec8a7fbfcc7cfee45408692ea167c72ffe0305b6a403fe19fa9dd6fdbaa24cb7461426

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
256KB

MD5
e2675406bfc391ee503e99c5556ac904

SHA1
110f33d413efb383f70386a02aa50e8e72232504

SHA256
df7d9d1e2364c885ca8ca6e6a0643170013a999872a1361099e175998f6cc824

SHA512
97f197896f37dfe5692e4638b5c87673903669dc4c7bcce8d4aa1aa9176a2492dc83d97e38e516852e5095f242d929981b0b036812d14c0eb20ea8fc58878e86

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
256KB

MD5
66391426727b05303a98c72d729157c8

SHA1
96b74041b7903678bf1e8ebb2c01766065e82c2b

SHA256
00f02030ee65dbe1dd2b516e89f9a216500ff2ab63c0e9ff4bedbeb080b94fdf

SHA512
9d1f550c8381cae77b75d413eb344ba1ee35a5e7e73b8c3c208d8f88ce48901669d85f827417b0dc1025060ce5ba2b9c224d82719bcd838b45392e70c5554973

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
256KB

MD5
935979b654f7fcc7a95a21a992abb587

SHA1
9013b8667f80a826f2f73c7448c4f47d00206482

SHA256
572e2b3b519bd6e7dc176d4bb6a0a5635accbdb2409adb5ad5e765cb3d2cca7d

SHA512
6204a969a13b5c0b225443ef2f07bd6696175f0ecbc6908c669b639d1c9b04dc2c84e729556d2c0fc751152f79b8ead8e30ed9f7a41377d7331ddc16d8474334

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
256KB

MD5
cb576c4858d4a9a57045f46848f62645

SHA1
9d4469b778bca66801ab8b6f51abbbfa08fc8590

SHA256
620d121ec93c5c5b249f4f11a194be33f469b180c8c09f391addf62c65f0c90a

SHA512
d745d451e26f765442f6ad437844c3301d5c810e949eff830b4808154e4a33ddf3d10d4c588a373e62a5f2e0718744d7218ae674846f251b5d69319c3eec7002

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
256KB

MD5
15031f8d0f424936169c268e5321c327

SHA1
f5c291dc50c58000536bd2d7b59d247ba58b7e81

SHA256
768a119c6e40ed22f80f233a75e8a61cc79572b75fc183e506e5b91c56552707

SHA512
b16192e43df9891d47a19534eb35ea2974dd1edbdbe9fb6779bd20814e777ec92dc5f97e1d23231a58dd061bd1f626f7ac82f2c99d71b4fd316455e668994e33

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
256KB

MD5
5a251dab4e1c065f6327a515784f1fde

SHA1
3ed8fa40169e33dc30c5a80996a494a77eadec2a

SHA256
b0a5d397a85dd27130cdb5bcbaad2a5d98a93a96efe3c56292d099ac917ef436

SHA512
28cd18724690226db2990df287141b2d09d51e13ae7cb248d3d872607d93ccf617e228182eac3127068fa6ef538fd5cea255f8dcafc08a028c4c36799537c54b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
256KB

MD5
3cc12367f814cd5f424cd396b6834dbe

SHA1
b37dbfb36a7ccd08c384838f06e25c2fcbd013f7

SHA256
146c03b8019983efb80b0000c7615e26e221d0b292745d28cf02b2309c390647

SHA512
e62bda36d45911decfe4979129cc96c34615c4b1322360fd445d78e500aa1649a4402612223e1f1311b712923ef12bff778632e9a920df832856b6f1657b247e

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
256KB

MD5
794f63115479cb829c9628c417518208

SHA1
7223e72a24d737e1469c07d5e45c87cdb8d6369e

SHA256
f1262595739b26696b4b6a4d0595112000fa9b08268c02de241ec3580cbf2263

SHA512
d2930730ba378d7beb959f084bc1f9f9571b5666c31e05adc862a3ff6e47ab12b582fa9dac6f83831827ee5fb886a0c56655b2415b85151b91e404f7f8171922

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
256KB

MD5
84c430282643baaf820aef8b5853379b

SHA1
60fe4bb92b6dfe503e37176f88db7bec29c9958a

SHA256
50eaffdf949a3b9581154e88fe0db30f99277bd0bd65cb137878309def1a3dc6

SHA512
2e198cb198525864bc798ff7ec8fea94d4fded7f05ece15b674e15ab54cabc772d6f65f38f80e0ddc24670386a42323429762a6b6b5006a7da2df60ff4989044

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
256KB

MD5
21dad351915eee44c25dc0d7b90d81c7

SHA1
6f7214c07e1681008c3ed55abca02ffcdac8ff74

SHA256
26aaeaf2f5fc6e9a669d1ea3981b189fbb29c44572f1afa72b949a6844b8577a

SHA512
db1df0ffd963c03b1fbc7c9986e72c69bd675cad40a43710e36c8e9b86a418bd2bf7003dbbd60acff194109e847a09942fc730a0832114806569a4e164f84029

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
256KB

MD5
8184d37988976af57dee144db2a4ce8d

SHA1
30438a7d5c9f3e330751c66c7e3432e24b84dca1

SHA256
30344a26b7c2810eb1d89c4e4e491dfd6cbf7c15e5e572d1d0671256fa6d51e6

SHA512
1909769622315bab311a06169f7710700bfb17cd0ed212629089905f22a54a9697192e1f255ba5bff15a8bfa2788bd38513d1ac5def9edd5fe32ec436d9ad2f5

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
256KB

MD5
6126856bb237973781f4f0d0eae36727

SHA1
a1a5225e505aad0d636c806e3a9bc1332dabdba0

SHA256
0e84b3c3c4c10b7565572392e21a977e3828deb6cedb15c584bbf5b02b721adf

SHA512
963879f219d160c879d90cdfc94e9f17adeecfb3f242da8834638853c65c11ce8f96b31e418f527420ad80409e35044ec2da1e37585c2eccd34d9e778cccc865

Download Submit
memory/332-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads