4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599

Analysis

max time kernel
141s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Size

192KB
MD5

beb00d45088b591f744a9d21780cf15c
SHA1

5bcf2bebaed1d2c283735419f4cc07e071689e65
SHA256

4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599
SHA512

79ef574bc4a3055353b045e70c49849906c4d890ae2e5a4edb8249f1519981efa4d42dee91f41f7433e5a155055820edc48fcbe012740293eb4d77ae002c6fba
SSDEEP

3072:ULzQhzxhQrIBO/rMoHZEm+Dd1AZoUBW3FJeRuaWNXmgu+tAcrbFAJc+RsUi1aVDw:ULTrh/rzVsdWZHEFJ7aWN1rtMsP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe

Executes dropped EXE 39 IoCs

pid	Process
2208	Laopdgcg.exe
3104	Ldmlpbbj.exe
4380	Lgkhlnbn.exe
2780	Lijdhiaa.exe
4436	Lnepih32.exe
4064	Lpcmec32.exe
4996	Lgneampk.exe
4188	Lilanioo.exe
3864	Laciofpa.exe
1908	Lpfijcfl.exe
4508	Ljnnch32.exe
4588	Laefdf32.exe
3584	Lcgblncm.exe
4124	Mjqjih32.exe
5028	Mpkbebbf.exe
744	Mdfofakp.exe
4432	Mgekbljc.exe
2772	Majopeii.exe
4860	Mgghhlhq.exe
1960	Mamleegg.exe
552	Mpolqa32.exe
4252	Mjhqjg32.exe
4896	Maohkd32.exe
2732	Mcpebmkb.exe
4672	Mpdelajl.exe
4416	Mcbahlip.exe
2364	Nacbfdao.exe
4464	Ngpjnkpf.exe
1904	Nklfoi32.exe
632	Nnjbke32.exe
2756	Nddkgonp.exe
3744	Njacpf32.exe
1396	Ndghmo32.exe
2120	Ngedij32.exe
4960	Nkqpjidj.exe
2144	Nnolfdcn.exe
4604	Nqmhbpba.exe
2672	Nggqoj32.exe
5004	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
548	5004	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 2208	4536	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe	85
PID 4536 wrote to memory of 2208	4536	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe	85
PID 4536 wrote to memory of 2208	4536	4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe	85
PID 2208 wrote to memory of 3104	2208	Laopdgcg.exe	86
PID 2208 wrote to memory of 3104	2208	Laopdgcg.exe	86
PID 2208 wrote to memory of 3104	2208	Laopdgcg.exe	86
PID 3104 wrote to memory of 4380	3104	Ldmlpbbj.exe	87
PID 3104 wrote to memory of 4380	3104	Ldmlpbbj.exe	87
PID 3104 wrote to memory of 4380	3104	Ldmlpbbj.exe	87
PID 4380 wrote to memory of 2780	4380	Lgkhlnbn.exe	88
PID 4380 wrote to memory of 2780	4380	Lgkhlnbn.exe	88
PID 4380 wrote to memory of 2780	4380	Lgkhlnbn.exe	88
PID 2780 wrote to memory of 4436	2780	Lijdhiaa.exe	89
PID 2780 wrote to memory of 4436	2780	Lijdhiaa.exe	89
PID 2780 wrote to memory of 4436	2780	Lijdhiaa.exe	89
PID 4436 wrote to memory of 4064	4436	Lnepih32.exe	90
PID 4436 wrote to memory of 4064	4436	Lnepih32.exe	90
PID 4436 wrote to memory of 4064	4436	Lnepih32.exe	90
PID 4064 wrote to memory of 4996	4064	Lpcmec32.exe	91
PID 4064 wrote to memory of 4996	4064	Lpcmec32.exe	91
PID 4064 wrote to memory of 4996	4064	Lpcmec32.exe	91
PID 4996 wrote to memory of 4188	4996	Lgneampk.exe	92
PID 4996 wrote to memory of 4188	4996	Lgneampk.exe	92
PID 4996 wrote to memory of 4188	4996	Lgneampk.exe	92
PID 4188 wrote to memory of 3864	4188	Lilanioo.exe	93
PID 4188 wrote to memory of 3864	4188	Lilanioo.exe	93
PID 4188 wrote to memory of 3864	4188	Lilanioo.exe	93
PID 3864 wrote to memory of 1908	3864	Laciofpa.exe	94
PID 3864 wrote to memory of 1908	3864	Laciofpa.exe	94
PID 3864 wrote to memory of 1908	3864	Laciofpa.exe	94
PID 1908 wrote to memory of 4508	1908	Lpfijcfl.exe	96
PID 1908 wrote to memory of 4508	1908	Lpfijcfl.exe	96
PID 1908 wrote to memory of 4508	1908	Lpfijcfl.exe	96
PID 4508 wrote to memory of 4588	4508	Ljnnch32.exe	97
PID 4508 wrote to memory of 4588	4508	Ljnnch32.exe	97
PID 4508 wrote to memory of 4588	4508	Ljnnch32.exe	97
PID 4588 wrote to memory of 3584	4588	Laefdf32.exe	98
PID 4588 wrote to memory of 3584	4588	Laefdf32.exe	98
PID 4588 wrote to memory of 3584	4588	Laefdf32.exe	98
PID 3584 wrote to memory of 4124	3584	Lcgblncm.exe	99
PID 3584 wrote to memory of 4124	3584	Lcgblncm.exe	99
PID 3584 wrote to memory of 4124	3584	Lcgblncm.exe	99
PID 4124 wrote to memory of 5028	4124	Mjqjih32.exe	100
PID 4124 wrote to memory of 5028	4124	Mjqjih32.exe	100
PID 4124 wrote to memory of 5028	4124	Mjqjih32.exe	100
PID 5028 wrote to memory of 744	5028	Mpkbebbf.exe	102
PID 5028 wrote to memory of 744	5028	Mpkbebbf.exe	102
PID 5028 wrote to memory of 744	5028	Mpkbebbf.exe	102
PID 744 wrote to memory of 4432	744	Mdfofakp.exe	103
PID 744 wrote to memory of 4432	744	Mdfofakp.exe	103
PID 744 wrote to memory of 4432	744	Mdfofakp.exe	103
PID 4432 wrote to memory of 2772	4432	Mgekbljc.exe	104
PID 4432 wrote to memory of 2772	4432	Mgekbljc.exe	104
PID 4432 wrote to memory of 2772	4432	Mgekbljc.exe	104
PID 2772 wrote to memory of 4860	2772	Majopeii.exe	105
PID 2772 wrote to memory of 4860	2772	Majopeii.exe	105
PID 2772 wrote to memory of 4860	2772	Majopeii.exe	105
PID 4860 wrote to memory of 1960	4860	Mgghhlhq.exe	107
PID 4860 wrote to memory of 1960	4860	Mgghhlhq.exe	107
PID 4860 wrote to memory of 1960	4860	Mgghhlhq.exe	107
PID 1960 wrote to memory of 552	1960	Mamleegg.exe	108
PID 1960 wrote to memory of 552	1960	Mamleegg.exe	108
PID 1960 wrote to memory of 552	1960	Mamleegg.exe	108
PID 552 wrote to memory of 4252	552	Mpolqa32.exe	109

C:\Users\Admin\AppData\Local\Temp\4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe
"C:\Users\Admin\AppData\Local\Temp\4f69310a85ed617b24c02636ca581f44d650f5fb66e0e2d7dd453d9d42af7599.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Laopdgcg.exe
  C:\Windows\system32\Laopdgcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\Ldmlpbbj.exe
    C:\Windows\system32\Ldmlpbbj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\Lgkhlnbn.exe
      C:\Windows\system32\Lgkhlnbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 420
        41⤵
        Program crash
        
        PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
192KB

MD5
6c18c607feaac1d5962578e7e2dc25ca

SHA1
b1084272afe8d940b4fb3b30b431ec76b77e92d8

SHA256
cd37e61b4976517bccd225d43613f42d352c18facb1ed1549d2258f8dad92217

SHA512
8aaf5dc996c84a95ddbd8e4a59b88aecb0ce61bfbf2bcaa08c0efac2f84ccbe864fc89be2c5aa17c565273180b7c3137aebc5f49945116566cc39c5c317448a0

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
192KB

MD5
ed9b9a03ef53983d08abb526e3d3937b

SHA1
60c4e7a383186152aa42030aff71e6b0bffc3455

SHA256
af020297d5f92c2b8c67a03ca41d4554d04270cd702917e091e7592328b558bb

SHA512
4e60ddd924e3aa97e26c0d72a1652c9cdb9245ab2d0c0cf2a326dc3b55e302ee7c76f81501b4684d250d57a4abb130bbbaef34fcf47b7a77312cc423d801f144

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
192KB

MD5
6b29e33827afdeda7b02f26ad39757a6

SHA1
98a837fd4f88ec1fc7e12163782b9581a16ec0bd

SHA256
6f30bfe655150a876b72f70b86ad74d698c310273d5b3629c882062f737cb6d9

SHA512
6efb353c12274f7f93b0e690f4aa8bf17cb1c12ed1beb072a958ab92be982bafb8697e8f3250b72394756ef7fc08ea06a928d8c98df91377b8565646fad3cad7

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
192KB

MD5
3a245008914dabadc1b1fdd8c8bb5eb8

SHA1
1be3eb084e9d81c3d3c69179c31b31eeb6c11bd3

SHA256
ff16eb58fdc76d030070a73b33fbe94226258f761288c85815a9ba331e2934db

SHA512
9143b52d791a52c058b175944c5ffec80432b61fd733f47b01f4cb09497b48690fda3df3aedc26d57780fa78621bd701277a98ee2c974bc2cf15486bf4f07612

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
192KB

MD5
4a7cbaa62b20baa1c1f9e755c83e6251

SHA1
00a2f11342fcbed80241a13f2f474cd94701404f

SHA256
209e57009aa8564c9d10cd91da54db2c1aebc1c0fa7474ee783eff6cf15290d5

SHA512
99490cb3f6cad9f3fff773ad5786163d9759fa0076faf6293610a090246059715b8e26586622bb4fc7b9fc79daa1ad2f2ddb2a0725d834737ce59d787a12e29d

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
192KB

MD5
8482c486719896be2bc0e80b3a0034f2

SHA1
365384a02ad09098111c2daf9c54668570ec24c6

SHA256
27895f10d4aba33eb825c83c4315b9854ca398fdee043ee8c290add75d6943f6

SHA512
3d5e8e7a6fa5b488fe3925c5ba67f4e37486cab295c0f5e08f66cf906b8cdc8c01033f0dfcf0da372c366321f4919a179ed49263d747be028a2fc409282fdb2c

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
192KB

MD5
06bcd91d6262c23a9863977e7900c14b

SHA1
7c9f65b0b3da0dcf68711c70a45dadb2e2b60380

SHA256
3b6139d7217b782d857f389a71873e189c1129f069ee6a33e4d055d0134cfe2a

SHA512
e9d811297590cfeb14e747d72cf71c6b4a93c9ad3d3ab0704987165be541a02efe290f88691640b654371ae5b66e9c2d42cf9137f80ba00402e5fce76f1b28da

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
192KB

MD5
2dab6025db62b1d010d25948e4a929db

SHA1
e17b2ed84ddc212c38f89b8a6ac3ab6760a0e316

SHA256
15ee72574d4637dedac22844fe2efb733d516eb76ce59e8835f7b5341810757c

SHA512
b95601750dd6512a92c0e23934a4244f3c0173c8f50e6b932f4d477939d1d35f74ac8912e3be06d37796681274971990c73f05321e950441786df20d2cc7a036

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
192KB

MD5
fb0d4b7acef67a5f69e865dd35bfd3ec

SHA1
60ea4cbb2bb30a6dafbe30b10a9c85a47fbbb9eb

SHA256
e41f26c1e3557ad48e44c06db6ffdc9215bcd81324864847f42413859b6396e5

SHA512
6b87d33c687e5bdbd01449a7b40073c12fea8d07ab42950e0aa75fe863dae8e33d448232f03a551098184352c8eeacb9c35b322ad8da009c0cd9a226f2a682c6

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
192KB

MD5
abd622c1557e7bd164dc89f0ae0238b5

SHA1
cdae69ae159e95ecf4029786adb61a9e855e1b5a

SHA256
76cdf4f72df39f9b4de3b905dbb114a3d22ca1ad3cd279696c9544d3c9456e0b

SHA512
00450defff379fd5be6b6d5b03732bfde01ff83f8dbea14905b493238da0626f8a92c95e54266e3fa47dbf556f32367e15170dde7a35219f0a6026e8903bfe1b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
192KB

MD5
5675b9ad12347bbba50e49a2d504749b

SHA1
c63f34bd925a194c32b024e803957067f1ab2a7d

SHA256
4215ae2c92226f84bcb2a36667736c1daae1902cca50883d0eeb7d53e25a285d

SHA512
9596ebb7de929cad1e2c01b71760e5171d615c6e794211b4c92323d22991748fd6cfe93b4b52880a952a09b92ff9db70b4e18b139f6480f0bceae21c5ff7a5e7

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
192KB

MD5
f00d83e94e273e5ecbe80b1d22d1f02e

SHA1
588e1257299b764168bcb8c966e23f9422a52a4e

SHA256
ca03be0640b72ac60e1eabf310623dcf8d91222a72b3d0227fbbaf906dfa07d0

SHA512
eeaf9256c3abe00b187b0d765130b831cb756d884f4ee3137c8cf2c21ced173c133932712a08de59e548c7177cfbf99e3f4abdc0d6ab67efa7bcc38ed6e4cb98

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
192KB

MD5
58423b0fd6cd84ec48c0349950163587

SHA1
9277019aeea3af32473bb032933d48cf9f10efa9

SHA256
fa7820a2e2d0cd0701a1919de5c287d39870c90f450a001e209a2cd04bc91a04

SHA512
ef1f036a783f462259f329d6d572c541ce3c446506aee479373016c8ef5a5059ce2d2add036fa1737a13d9078e8dff2b088700ea282f12b4c6cb28381cdd3dc5

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
192KB

MD5
514c80041865e55354c2dacb1300e459

SHA1
d892bd3cea79ca5f8984d9f84c563c6a24b2f625

SHA256
644872c4ee76bfd65f04c70dc1c4570b4da62cac00a21fdbf62dcb760d881a3d

SHA512
f757070d7f8e40e3d6ab55684365a4535344448ae69cdbc0fba68da8eb064e72a4ff530a852a763e67c414652adeaddd05bff7bffe8b30af54ead8f60bc901e2

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
192KB

MD5
97523dabbf5da4daf713acd41b0266a0

SHA1
7b9279d9969be6a3cc253ef1362c3f1cc932185c

SHA256
d4e4dde44329e7cc84c9409fd264ea4445297f7e6cb1c86c94edc6880ce2a92a

SHA512
9f67ffba125a67bb5219d1052685d5a6870efe6298aa1f62a2391d4404457493d739e0d1090945588138bfa6f15f7387172c990af4b6274cbb3aaabbc1486ef9

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
192KB

MD5
82db5f0b9445300010990191502fbe9e

SHA1
d65b4c6fccdd2935ebf5118db4e5075fd22310e3

SHA256
fb28a1080b26f32bfdc1dd65ad6976fb8d7176196708428d23ec17c991f67677

SHA512
4e7c6e3e17e4f75f8aefed77c306c6f052f74d3792611fcb111dddb92578127e58b8bc55e889d42228c168889365a17999a9c052d2d1142ea405498624ea1bcc

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
192KB

MD5
1f875e6591c322ee418533125a021b0e

SHA1
24e62a86970d779c2bbf946ff9dcef6c58c229c6

SHA256
dc612d436be139cbe4c66193a1749a8e1041ca3d3eea2b0045fc25cdd8977b48

SHA512
6ff09f4cff05a70527e99ea4e66b6925eff42c0501d4bf6ae87f0a0a4882c51e9380745d1279cad6b84f97016cf03a4a490fb2c209b06f167dec5c0355d53a01

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
192KB

MD5
06800a7674ceb2e2f757b0e2aa29a579

SHA1
8a06769be4d3bf261e250ca06fbea5a9d8e8f83c

SHA256
2cbc5fd01cb9d2a31abfe5872292eeb39df467782b038bd6c743f463f7f04da2

SHA512
9961c89799401cc4ceb40bf7afcb3e2220cef8ca950a1e7813bf06c76c5394e8fe1e8ceb9f3310c6ec457aa6b700a54701fae9895e454e723f55f5293e88d052

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
192KB

MD5
21a0b41c5669a3976cecf6b594ea7372

SHA1
9e38241cc76864a240f2c623f6d4a83e96de89a5

SHA256
18672ad18983b4d947bf0142811e6167e6e9d5486178cd1a338b44ed75f6c985

SHA512
3dc6f573f55f0e132b30defb3c0289b4ac83c0d9a3a080fc71a7389d6f88c16bfa4bdf051ba0f1c2945266234521c2a2eaefb1b3752051563768ce3f0d1abd89

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
192KB

MD5
3e6aa585b5849bcee63df37226a95af1

SHA1
13d35252f54bd87d85f2c9ec06e2cb93e35647d2

SHA256
57762e262696202f7533ae2a6a05d0564507fe2dbb54ad608f6a7dcc40e8d8c9

SHA512
e78ca6d5155e0f5c35f9bd9f2b75e71345f0954e68b1266188916452ce3e54e8f95a3c5b632695edd7caaf8e347fe911ab2a0447006a9e08d70bf210535915ac

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
192KB

MD5
aa6e3221b5ce09bfe1418390cb4b7c59

SHA1
27bae36dc65218073fbd381f73633cf5b8821191

SHA256
9501a9a3aa52aaf45aa45094543d872e6934aef2f99cf560721be73e17ac61c0

SHA512
cb843fb4e2640dd8ae414afbead1b7cdf5e04195200011fff544a9951ca7dda3e7810f0c56878fad7eb8d79d84347a2bab49189276d5b313143c0c62af36187f

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
192KB

MD5
dcbb560183211cacf9a32d0f80519887

SHA1
922a3f7c088109388bfb1c645f12683347ea6bda

SHA256
289d667a58d72a9ad31c6188c36367d0da5a21f2752cd37b86f4632834f747fe

SHA512
957d2de475e90c8cee539c91562d0ff158f70ab4e22a5d87b49dc54cec41ed345445a6d8d91ac7d028ebe98ab187984622d55404626eea37fbc0a0bf1faee6d3

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
192KB

MD5
757c4471f16818b07599945a4db1cd22

SHA1
524ddf69d1bb246521c4980f940a014b1dfd0b03

SHA256
768f4982db3c805a730d2a347401ea30b2b6db0510c5616a2c04168c941b2cc8

SHA512
ed7e8ff656baa8ff1b30bf100a5a06d1cb2db98141d94973b7136bb10917e2e39754885acaa33b895b45be12a4c66703bd0fde1e4693a4a446daab9edcd0ea9c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
192KB

MD5
a126e2333fcdbcdc633bda887f2e9cc2

SHA1
7ef7f1ac738daace05ac2c4f2870ae87036f8811

SHA256
cc5bdd64a0aa0071ee840e6b966a26e7307188b98d5bf7206d4f6138e6f3d166

SHA512
c2940b564021ff239bbbe817581fb2e4c1aa225825adc67787727a63db0652419a86923920256a53a4f2dc312f7c2aab0d16659ce72c7ab928ec5e150287e566

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
192KB

MD5
c03ab412b94b69b2c747cbd3077a0a72

SHA1
02d0b0da580813747500c788312c16205b0e2df6

SHA256
1b02fbeb6d8892dd7fee70fa1db214788ef5746b573b98996d66bb5a0d9cf835

SHA512
a676a42daa867d0d3a9d536123515d1f63c66d3e606ec9d3b70c9a08d3d38fe6c1c088c3bda84acc527463b4a114cec543082f1f8ec33011486893450aa8fef0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
192KB

MD5
592d14c971b45ab20c45542fab917b31

SHA1
7484b7531194cd3be669145330d9668841a7fdc5

SHA256
57f6f76421c686f6edc2a6e3e687a93a076bb6a84eb15fa6c78ced21163f8585

SHA512
8fbe85363d510ab113e2d36a2de6dd7f47a8d4784735455d3a352d8ea0bab84a600f64e3f18307c486e777d6024874142cbab18625c35cc1a5ab8c0d87d4e0cd

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
192KB

MD5
57fe7a65ba114c279cf4df4db3900073

SHA1
975902ac7aee31f510815e4c7bafcceaa596737d

SHA256
6abeac306d382720d3f876d9dc9f2e74aeb3e8b48e7fbe9292a533d5deb0acba

SHA512
28a4db73b3f5c69948cdd53b58b743c5caf0816366482ad8cc662babc78958f34e932aaeb3aba3d2b70b61c202ead3bde5e132f80ae00071aca662f68d29451c

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
192KB

MD5
d4805848fc8cae9a647168fdda756807

SHA1
145a1cab5a0746000ded5c29fc64c9046b2fd396

SHA256
242b13e0394148297d899a174d537df0886c021f09c338898b7f6d36e4c5d3c4

SHA512
fa0c0410d04b4041c372b6bd4083d13ecd6b8b2e299d446bc97f7a9ad3e7318d813a835fb79de398ad3b7cf40f7636df76ac4b69343ee5ee0030d036fc945d60

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
192KB

MD5
5e170e100fef91c4511ece31dceb371b

SHA1
becc0dd8c41fda9061ce3c70daee65d4de833aee

SHA256
8ca0f2ba95426ef94db234ea25e98b3ecdc594301ef40d773c84be0cff47c47e

SHA512
d9f5c7f85debb47a7c8a5702f393177b122879188b44dbf5cfb91ee95ce1af7534fc0fe1a6cbcad9c818070e525a0b5289973db809f91001040b7569f343e077

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
192KB

MD5
8f830908178cad2cee600a9612aa43c4

SHA1
2a6087352853160225c15924a1afc4f1f35b03a1

SHA256
1f1bbffb9816dea5878dafd4a0d7d5673ab679968c0a5f6cb4b8316ce0bc6842

SHA512
0723abe3772ca601b808fc4726c7ce747ed779b9468f7bcc1beefc18003717ed0bff88503cd234db15535cc012868ffb575c0c33fbc975095a50bfa9d3657218

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
192KB

MD5
b122416f3abb527a3d18f44b40394bcc

SHA1
9a0cb3801d50f54cbc7bcc0935b2551fb78f943d

SHA256
458cb433bf71a50d407308a350545a8807cececc82e8967d86763478a2d86a2c

SHA512
9eee112cc1d3ee0e87a05d5b74c64f6eb20b9db248cff7b1770f6e3d7a4be05951ac3389bd62d44e1015b927fe8a71acecbc39698c1c299d24a83b668873a692

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
192KB

MD5
cb84b793bd4de97e59fffc24d1f2fcb5

SHA1
f506152917c51c734d821dee31a33347e4f68910

SHA256
3a19f4cdfd3a03d3a09fb249379034de94ef4f85b9b753882674d572dc26dbc3

SHA512
13f8f550a5f68baec9e1be59ff5c7aa30372cdea1042136316a3137682e7c2566b8e2ec7971f8686e89e219cfd240c78ba4c8bb2535036adb8ba1a50795abc95

Download Submit
C:\Windows\SysWOW64\Nngcpm32.dll

Filesize
7KB

MD5
a9908a6f8b720daf950a416cb0fc3225

SHA1
dc047e0c563d5ea5ca5e9f1c9c3480da68527e40

SHA256
9902d450b36a1f522d8177394b40c2ed1dc5250d12c001795b7dc72f5c9adac5

SHA512
3059f34bf86ff833812b1172aaeab8427808f9004ffe568e78c8e4c508ea4a834d78e7c4c928227dea99fab6442604f969035f875fe0efc620e0fbfee8c7dcdc

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
192KB

MD5
7d99e040153286c881b8574d26923b75

SHA1
1ab67a928976a59ad2186784839d5d13a5c4368f

SHA256
a813b2cb45a7da070e458257cd91b0dc890052767673a3860136eb339be7ddf0

SHA512
7ffc51edb05d7ecc836982a96683b03655ec4e898139e54ade0763da98cacacf8803a066a9c36944f8eb8c694acf568a24190a8555d6833186455dbc61038019

Download Submit
memory/552-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/632-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1396-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1396-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1904-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2208-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2208-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2732-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2732-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2780-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3104-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3104-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4064-131-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4064-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4188-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4188-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads