45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Size

96KB
MD5

a250a47bf693e0bacce0794ae8c9ef52
SHA1

4d3e71036c2f6d959b2cecf49673345d4acd2a43
SHA256

45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006
SHA512

bb4732c39f0bbe7564fa37e20c9503531f4e91d59faee7b165d35b2e0df368e61ab7b1152af84b3e4cbec420a31abae3a94b1e42a3e48740bca031dfdbe31627
SSDEEP

1536:51SQjay/5v+Rfn8rZz5uDNp4q2Lk1GPXuhiTMuZXGTIVefVDkryyAyqX:ijE5yUrZz5043aGPXuhuXGQmVDeCyqX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe

Executes dropped EXE 38 IoCs

pid	Process
2196	Ldkojb32.exe
4956	Lgikfn32.exe
1880	Lpappc32.exe
3032	Lgkhlnbn.exe
4632	Lijdhiaa.exe
5056	Laalifad.exe
3256	Lpcmec32.exe
4924	Lkiqbl32.exe
560	Laciofpa.exe
2812	Lgpagm32.exe
3664	Lnjjdgee.exe
4220	Lphfpbdi.exe
3288	Lknjmkdo.exe
3212	Mnlfigcc.exe
1028	Mciobn32.exe
4860	Mjcgohig.exe
4988	Majopeii.exe
872	Mkbchk32.exe
4920	Mamleegg.exe
2980	Mcnhmm32.exe
3956	Mjhqjg32.exe
5100	Mpaifalo.exe
664	Mglack32.exe
2928	Mjjmog32.exe
4876	Maaepd32.exe
4564	Mcbahlip.exe
448	Nnhfee32.exe
1592	Ndbnboqb.exe
4928	Nceonl32.exe
4328	Njogjfoj.exe
3920	Nqiogp32.exe
1640	Ngcgcjnc.exe
1572	Nbhkac32.exe
4664	Ndghmo32.exe
2720	Ngedij32.exe
3432	Njcpee32.exe
4796	Ndidbn32.exe
908	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	908	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2196	3480	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe	82
PID 3480 wrote to memory of 2196	3480	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe	82
PID 3480 wrote to memory of 2196	3480	45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe	82
PID 2196 wrote to memory of 4956	2196	Ldkojb32.exe	83
PID 2196 wrote to memory of 4956	2196	Ldkojb32.exe	83
PID 2196 wrote to memory of 4956	2196	Ldkojb32.exe	83
PID 4956 wrote to memory of 1880	4956	Lgikfn32.exe	84
PID 4956 wrote to memory of 1880	4956	Lgikfn32.exe	84
PID 4956 wrote to memory of 1880	4956	Lgikfn32.exe	84
PID 1880 wrote to memory of 3032	1880	Lpappc32.exe	85
PID 1880 wrote to memory of 3032	1880	Lpappc32.exe	85
PID 1880 wrote to memory of 3032	1880	Lpappc32.exe	85
PID 3032 wrote to memory of 4632	3032	Lgkhlnbn.exe	86
PID 3032 wrote to memory of 4632	3032	Lgkhlnbn.exe	86
PID 3032 wrote to memory of 4632	3032	Lgkhlnbn.exe	86
PID 4632 wrote to memory of 5056	4632	Lijdhiaa.exe	87
PID 4632 wrote to memory of 5056	4632	Lijdhiaa.exe	87
PID 4632 wrote to memory of 5056	4632	Lijdhiaa.exe	87
PID 5056 wrote to memory of 3256	5056	Laalifad.exe	88
PID 5056 wrote to memory of 3256	5056	Laalifad.exe	88
PID 5056 wrote to memory of 3256	5056	Laalifad.exe	88
PID 3256 wrote to memory of 4924	3256	Lpcmec32.exe	89
PID 3256 wrote to memory of 4924	3256	Lpcmec32.exe	89
PID 3256 wrote to memory of 4924	3256	Lpcmec32.exe	89
PID 4924 wrote to memory of 560	4924	Lkiqbl32.exe	91
PID 4924 wrote to memory of 560	4924	Lkiqbl32.exe	91
PID 4924 wrote to memory of 560	4924	Lkiqbl32.exe	91
PID 560 wrote to memory of 2812	560	Laciofpa.exe	92
PID 560 wrote to memory of 2812	560	Laciofpa.exe	92
PID 560 wrote to memory of 2812	560	Laciofpa.exe	92
PID 2812 wrote to memory of 3664	2812	Lgpagm32.exe	93
PID 2812 wrote to memory of 3664	2812	Lgpagm32.exe	93
PID 2812 wrote to memory of 3664	2812	Lgpagm32.exe	93
PID 3664 wrote to memory of 4220	3664	Lnjjdgee.exe	94
PID 3664 wrote to memory of 4220	3664	Lnjjdgee.exe	94
PID 3664 wrote to memory of 4220	3664	Lnjjdgee.exe	94
PID 4220 wrote to memory of 3288	4220	Lphfpbdi.exe	95
PID 4220 wrote to memory of 3288	4220	Lphfpbdi.exe	95
PID 4220 wrote to memory of 3288	4220	Lphfpbdi.exe	95
PID 3288 wrote to memory of 3212	3288	Lknjmkdo.exe	96
PID 3288 wrote to memory of 3212	3288	Lknjmkdo.exe	96
PID 3288 wrote to memory of 3212	3288	Lknjmkdo.exe	96
PID 3212 wrote to memory of 1028	3212	Mnlfigcc.exe	97
PID 3212 wrote to memory of 1028	3212	Mnlfigcc.exe	97
PID 3212 wrote to memory of 1028	3212	Mnlfigcc.exe	97
PID 1028 wrote to memory of 4860	1028	Mciobn32.exe	98
PID 1028 wrote to memory of 4860	1028	Mciobn32.exe	98
PID 1028 wrote to memory of 4860	1028	Mciobn32.exe	98
PID 4860 wrote to memory of 4988	4860	Mjcgohig.exe	99
PID 4860 wrote to memory of 4988	4860	Mjcgohig.exe	99
PID 4860 wrote to memory of 4988	4860	Mjcgohig.exe	99
PID 4988 wrote to memory of 872	4988	Majopeii.exe	101
PID 4988 wrote to memory of 872	4988	Majopeii.exe	101
PID 4988 wrote to memory of 872	4988	Majopeii.exe	101
PID 872 wrote to memory of 4920	872	Mkbchk32.exe	102
PID 872 wrote to memory of 4920	872	Mkbchk32.exe	102
PID 872 wrote to memory of 4920	872	Mkbchk32.exe	102
PID 4920 wrote to memory of 2980	4920	Mamleegg.exe	103
PID 4920 wrote to memory of 2980	4920	Mamleegg.exe	103
PID 4920 wrote to memory of 2980	4920	Mamleegg.exe	103
PID 2980 wrote to memory of 3956	2980	Mcnhmm32.exe	104
PID 2980 wrote to memory of 3956	2980	Mcnhmm32.exe	104
PID 2980 wrote to memory of 3956	2980	Mcnhmm32.exe	104
PID 3956 wrote to memory of 5100	3956	Mjhqjg32.exe	105

C:\Users\Admin\AppData\Local\Temp\45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
"C:\Users\Admin\AppData\Local\Temp\45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Lgikfn32.exe
    C:\Windows\system32\Lgikfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\Lpappc32.exe
      C:\Windows\system32\Lpappc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 400
        40⤵
        Program crash
        
        PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 908 -ip 908
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
96KB

MD5
0c1f25d9d557418e50da79ec0226a953

SHA1
feffb4a1165c5c11cda37986a78a16eaa591cab2

SHA256
925e220b1bb7ffbc23a2a57ae44abc447fa2a291590bf3125243e9375b1bba33

SHA512
a967d02e257782e881d4dc9c0ccf4f3b4489f3b47426597abd387807c4f1c5063a88e876e70f0abd8426f0996b4fe1611c005a938fd9bbf6542a0ef939d37c3c

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
d8fd49cc2c2f30efe75c2fc6f202f429

SHA1
70efb0e0287e171016780c9a86bb61b08aeabce2

SHA256
00890135c2f22a103a346143bfe9319814ccff11090a18289753af9b0967246f

SHA512
4d73a33f01c08b6db77b4ef080607a07b0b0755e1d5d6d926ecb2bd28a755659a1c36d810f3d136c4b1a2100a837b28188941579edce529cf8c44242879321db

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
96KB

MD5
e493cb73d7fe582814f3d2c99a20c135

SHA1
4a95c4f55042aed6cbd26c2e1caa108adf39c02f

SHA256
4db552294ee51121a30b6d6236b0f005b0b45438d74458991750dffd64046e0f

SHA512
8ed2d17d1b114d477881c914476de7faad4df7ba853426854a18bda9539c88872cfbefef87eea552e607fc46cc93eee6a0d40954b740b872cabea2f5a5fedd8f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
96KB

MD5
c98172dbd8e6aa819f44ce63c226dda0

SHA1
12198404384cac75dd05ca86c7c95807756d8d38

SHA256
66f8653e0c32574793a3c9703f8585e3fca2789217a76cedf8426053a9b23b78

SHA512
9daa45577145081ecc82bccdc1509a1f5e377f02f52412f0d01c2fee26602fcd05de85aa41c907e52d5b464c1712962de3e8ef3de7c2faa5a927c2434d9ac2f6

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
96KB

MD5
fb8a0059091fe56f58143adcf74494f8

SHA1
49eb53ef29cce9b778a88edb6e19dd97fcc6e3ca

SHA256
c93cb51a508b9725be00202e591a30c0c12af188f0124b911f15a086950a2ffe

SHA512
a79565241967a6c02576b4998fa89762ea9048d100b541d7d7829d9ce1092eef92c43e725db40400331c84021e901e5221b3b8a81602d82a6da79f01eb6c4e44

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
96KB

MD5
2694a392efefbc9b6e066426b59e315e

SHA1
1e24097f316c40347bcf77b6f3f47735e9a221a0

SHA256
56015d6eb0645242bb1c111e86532071a65abc9995236c9017c7b5caf6e54fb2

SHA512
40f7ffa8ed89cd8b4b997cdda15cbde4c2f01705d5c431618a46fa59f42be3e018eae940b258029deb96bfe18dc87fe33c89e2cec186272d85e6901804a86edb

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
29a1399c47b2bb8a1c4fdbc570cea086

SHA1
44e1a17158ce34ca494228fb4283e6f69203ef14

SHA256
c77672afbba87acc2cc0d994857cc9f00630edb2f2eb47c472cc38b246a04836

SHA512
6efe4d8f0d8d9173e44ab45e26ad69ab38094b9d210047f449427a52643bbe13a10af28d857bb97d5f7109efa67b308772ea344f5da9ada1be5ab5bee1178ed1

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
3ad1adb1eb2b03ae85bd40d73eeb5372

SHA1
1bacccab8a0f72c2c4043cfa5e6ed941a4016c6a

SHA256
6b079ad38c652fa37e69d609737e4ee42a0ad9235da3c52f23de2579c13e1264

SHA512
125f791becd4e03c4af208e6c2e42fc158104ce9a10a8f57d786302c6b7e2a32264cc90aa45280a6de71e104ce9699587846fd39f0bd96df3ca351309b474c64

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
96KB

MD5
41c3cd413645e63277b02b5e187bf1a8

SHA1
58c496590dbf33028e67d1dc00d6f4dceeda0323

SHA256
03d6df1e598c4d3dfd7e4af236a5b308fbf7da35988cb7f9237e6d26737cb69f

SHA512
5f95fc98b6d8bb8942d0b6002a2696f2109f265e78d8cc4f00a4918d6d33ad1cd22ddacf9a57128bf8970ae12b524750a1493938e809690eec393adbcb11371b

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
96KB

MD5
761c79dd533e403c32ab642fee664cf9

SHA1
0e5f425f5f3a90edcfa84692558db08dcb55db56

SHA256
19a5215f35a77014279d51bc17db66fb583f867b83987d7b019f7687af121016

SHA512
81cb5140eed5278c96db4fe07c8b118b3343d711e82f65285b68ae5d0ec3b63ced250137af957c35118560dffd612a12d61569b75c1501b1f89152bfe2ef111b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
96KB

MD5
ede53292d46a1d8eeb74a9ea3119fade

SHA1
8ed574ee1cb5829bed27b5eac7eb2ddc0b132c5d

SHA256
2ceb345e9d9b76b0a729a7b28c21a120d20b1b8c2a66fc06f3da7fcb7e8470ed

SHA512
80e3a4331841d7c1cba641ed1c085e9224a577e0b4c28b3987eec29051fde37d8abf95a2ffddfdf2c4bf2344fcad3978b4d31d662b32958bd8bdd384d0f82f38

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
96KB

MD5
a551f093ee8a32225e298a886aa1ce8a

SHA1
243b6c893641429d89b2419f71670b60cceb00e7

SHA256
a92d4a4dfccc1d4b0101e3a70bacdf31e927b8ffda2475738fa9ed85414dfffb

SHA512
856000179cdacdf59fa56e7167a8a64a64b83ba73d69c864383af23260491bad37b518a14908955bd78f67ead66b3ae9f27c76361df30c80f98f093580439cb6

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
96KB

MD5
5f53ecda399b2a08ecbaab0ec6f8d408

SHA1
e8111abda049944915290eaf448664ef6630df96

SHA256
42b4175f2a369e0f66bd69fac26c835ee55f113e750cd54cb552dc19acfd14ac

SHA512
10afa3363b45dc22892c1040f6cd0f92d07d417f4cb9ed1bf5f70f355348bc52eae06c5b4e468de5527e6dbfbe50063e7c101ca21b31b597bad0ac1dd9318ffb

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
d3bccbee0f2da2980f61db0287cdb0bd

SHA1
879c17ce0213fbbbfaed31da89098380516d76fe

SHA256
83ef1fe28432f58e2a4f33a2591d9302dde7e3048dfcbc8c018dae4cf428094c

SHA512
70c991688b023340d2eef88a9e1f4df5ad3bd68e656af3e4cc2b3918080f00974d1596f3a214337701ceeeb38311e28a94b39ed6b8815873927fba771ce7aa62

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
00d53ec062361d06ffb01b59ab04b2d4

SHA1
13a727bc06cf02b57b6236c29ade87005aa79540

SHA256
b05a7c8941beffb17b03a6f4ddb0ce4ede14a5a2d9fa0d962ee7c2751bfa0ff0

SHA512
045fbdb3abbe18008411fa531da80eb70f6ede446241b59225dae921c5c4a71d6e7cd0c3d13ee9af73046f077d8050fcd73c25cdce86bb84fa2086e7054127e6

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
c17ce9daa0254667dea58f67b87c4cd7

SHA1
6108944f658e72dca4f66f6d0092fc241b81bfbc

SHA256
0ba5c1303013972bb250a8d4f97177d4275076f44fea9e182294252cb098c662

SHA512
25d086e6211f18d8b8368adc20c23f5f816447304055d13533262327dcd1e7dfdd1dfa342051246bf61941dfde37c2191b0b1634fdd8943e944737e6c661f957

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
bfa6ed6eeb4a877d1b0fe6a20c91fd36

SHA1
6ecbec3bcd2ecae9a1062fcc84af571308a7a23c

SHA256
48e727baa610eec196280ce71810a5e62695293661b08f4f260b5413a4c82324

SHA512
6288a801ac399940945043870688bb44b0dbb647f93784ed249c00d42555f74f099ef19c459ecb73fa58c2da533d50af4abdbf511c21a2ca9105ee3db4dc8f3a

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
3561c385133344609a853b24010a09ec

SHA1
dcbe2cb3c256f4d48810b7120d84c1f6721c1d48

SHA256
10f6673935e8a8bbb15176a60655a95c4d24104c3ac4a9b20d045eb0c408d726

SHA512
90d6528301a66bbd062232f63a842dcbef6dd89743cc9ffc025f47c9f9c75209aa710462cf54bfaee3948899f922a53d9cc0cf1363b92f8c6f4d5621c77eda0f

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
96KB

MD5
a5bbea97af0e2a9c040922e553bc5201

SHA1
533633e204734de5e518d5dab3bb94ddefe59606

SHA256
c7c3e76c189f2174bdb5354a567b86ce27c50ecb5b86ad8f5f4a1cf1eb39fcca

SHA512
89b293f7edfbd168887040aee88bea9a98e65ae7aaf4d2bfe64ff1aff73b7baf9dacf1ef0202ad4d52c9f75715a0533d5a24409fd9c6de5acc9c90c2226beb89

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
96KB

MD5
96a0cff4f5a841f265ce2e49f7fea6ff

SHA1
719affbd64b06749bda741c767fa48df0572bcb5

SHA256
56a05e8ed12d7b852623d01ad9d65c680f10d112332b4437e57df48120ed2920

SHA512
ed843512a9f767336c65e280e5a18afef32d479858a0927f2e3f3f0adb2a3bc8bff4d648b5834a7f287719bfd05528bb4428694fe1bee32e9e9f6dbad7c81cd1

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
aa0918430caa7917834bcfedf105a78c

SHA1
d68370feec5560f53d02be2a4cfa40195f57e9a8

SHA256
711027117ac830d3c28f7383cdadf8006afb1468d7dcf5564b8b19b79eda5a40

SHA512
563a7e242f2d194e8d3f9e041a42309e4dea732b36e087c82de65f3965064aa678ffb6241c52b033faeff1aa0bc7fc45f43a714554eb5999d42fceebd7f65653

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
96KB

MD5
8f34ea0652093565160898c1fc497350

SHA1
d7b30b990b48c2c7a7485326fee25df71c3ea98f

SHA256
3763986319ee2f50169fac2d6835c587626827d3dc9ce965eac856a6a753c009

SHA512
de269f29fa5ff874219ea317a5bc5b0fd41c0f7672648de99c09f0455829b0956b4c4fe46522c4541c0656a2a62776f2f6fa69399b1381b5820aab9544c1e21a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
0b6518ae48ff7faf6cbaa35ed3fcc5cb

SHA1
ebc693ead277e3d58910e56a1e16598bb1caadd2

SHA256
dedba6c2a6324c9a8e7072f6ad6792ae179ebb16f0ec5521e2ede564563966bc

SHA512
f4de0ec31460a5168e0214dac28ab4796225e0d682bd7b4f678f1c9d2fc7e5cb4af3f5ba78ceb021c6167a334f29503ed6024e221925ade2f73ff68cd5a7aa28

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
f4a13f8ceb1d8afdf539e473a8c1f884

SHA1
390cfb4adf0253e4e380b47df28010b87e32c224

SHA256
ae59dc27c24cb5bf8ad5d3db76d7629ab820f2213fef8a5adf282dfa3e6de8a3

SHA512
d8f40e4a06871249405995f381bd6aae1207c8ed3a669f0887ed0d3f76b8821f69d29fa86c9463f7e4e8cc09473af1a52c911bb93b2ebb7ca7216c476b14a6e4

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
96KB

MD5
3292fad5e045660f6ac266209b4c5c07

SHA1
60d1c13a56b5c2fd5822be6f690b67ca12f5d973

SHA256
8e04ce1cf2c4de340d5a5ebbe165adc15eb3c66dfba04fb5e90ae37335775443

SHA512
22c24c545a37fdb4ae5533809e28b8c32788389b6446e53e43f1de9f0b968e72af23f1b27e6d54f6082c1672025509cab1cdaca0fd416db553a2b57bc598e5b3

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
96KB

MD5
68d2df23b50c9446dac1fa3feebd26d2

SHA1
c8ea046ff851bb13b3a17289deea9f944c5897f4

SHA256
b601f042559a9300f52d47be901f7f7ba2548a2e08943b1cc548959357d5bd63

SHA512
ac44917281665b0a2e2291c5208ea7711635a6e7eccc637db047ae8d6e05634356d9d656e4f1894e3853e47b6149ae93a5aa818813502e1c6721273a70cd4604

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
96KB

MD5
2498bda0be843d57b4d775b060ccc688

SHA1
3b350591b82983ec74044e2cf70be04562978238

SHA256
26bca9f8b6aa4ed985ab81ed6f54da1cb68e441be56780ff768947d63261ebbf

SHA512
0c67ea498492bb6a7a84ddf4560606987d7a49fcb39aabc487b726f164f42c68136c25a0e77a1b44b8e298ca7a7820e05647e49818d1f2e1cb7067899a3d19b2

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
96KB

MD5
60d1461fc79f183adb8cb6449465cffe

SHA1
4c8a4c2129132ee32c1547bed5a82d7535be0e31

SHA256
70796ee31dad69b0f0eb7e23a29fe20fafb593e5555c3013ee7c12ebc555f438

SHA512
c1c3c3ba72f64c1025c9460eadab672d5225de4fd210e92d67ab057ed8efb5f52606cd482a7afec3ae9eb42c414c9dc32869aa11882e7ab9790aba606ac65b84

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
96KB

MD5
e91684b36da365442b6ebd6d3ef076e9

SHA1
dd87d181fa7dfcfedc4411a10f190464020c6bc7

SHA256
3e74c15125c21b713ae1c26ad1592e7312a9d440bfa4ae80317646f091e8d720

SHA512
510087ce7131163089a648dc6cf41bfa99f4140e55fef3e7292bbca03722ffa26a2f5d49cf74ded9e2d0b5e51be7470e4919bb02f7a0553b17c635e2ff573f5d

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
96532933771767baa7caf656d84ab351

SHA1
1d41af7dd0c35e37556b4e69c9f5839d661baa1e

SHA256
b6424cfca255ae509384b87dd8035cfcf06a36e6cd94a14d795ae2742f16a2cf

SHA512
1089f12c4ad873229bc01e463f93abf3acf46ce891d1993a7b8179b8069c17bd984449ae5480695addaca15657cd3f31da50a24bc875923d7a0ca38202edb665

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
a98adafbc39c6e747c2cf7066f5825a8

SHA1
0ed4a8eaefbb3151c1f75747e73dc14b83ef3561

SHA256
8f26c14303d51ecb6842386b1c0d1e5aace407c5ad071b8f5ebfbe2e5a589c0e

SHA512
483c239fc7f67f2cf875ab507c8cf74abc7afd46e8f88a76e4e5135455ce79b734c404cbad464123d16d7c1ac7dbf8ecdd8e86fb59e43383ff1684c33499e335

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
96KB

MD5
f653a1bbc30522def456a7780e8ace95

SHA1
a657eac8fea0767ac0c683bf84ac9167d7c48c7a

SHA256
c0c0399ea4c656371a6bdbd8acba0a853a99a471767d7af29437c7ce0f6114df

SHA512
ecd97bf54fa1ebafa92fcf0db86e82de4b0dacb05ec66f32e85176d954f15eeaa6a7a764a8ef43a0538044c5e2bd71c613e4e2233cd92736cb967b37bfd871a5

Download Submit
memory/448-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/664-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3664-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads