58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 23:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Size

232KB
MD5

e3a85cd90a637c94cb8514cf89eb28ea
SHA1

dfe4e8de8b7bd6614b00c139e99f28fd33c28bfb
SHA256

58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39
SHA512

c2b79c0553a3efebb98a80a0052c92dadcbbf40479f818117700892283fc296918ebed71c68c7b20484f5d60c9e5bca6aa02002709dd9daddb07a435ccbb9aef
SSDEEP

3072:Lgv+7xg3kZ8LD7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPX:sv+7q3kGD6s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 26 IoCs

pid	Process
1448	Kkbkamnl.exe
2748	Ldkojb32.exe
3432	Lgikfn32.exe
5096	Lkdggmlj.exe
3848	Lkgdml32.exe
1860	Ldohebqh.exe
4372	Lkiqbl32.exe
1640	Ldaeka32.exe
5016	Lphfpbdi.exe
540	Mjqjih32.exe
2716	Mgekbljc.exe
4616	Mdiklqhm.exe
4456	Mkbchk32.exe
3668	Mgidml32.exe
384	Mpaifalo.exe
1420	Mcpebmkb.exe
3324	Mjjmog32.exe
2028	Mdpalp32.exe
4580	Njljefql.exe
1600	Nklfoi32.exe
3948	Njogjfoj.exe
3632	Nafokcol.exe
2952	Nkncdifl.exe
3424	Nkqpjidj.exe
3588	Ncldnkae.exe
1256	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3180	1256	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1448	4688	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe	82
PID 4688 wrote to memory of 1448	4688	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe	82
PID 4688 wrote to memory of 1448	4688	58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe	82
PID 1448 wrote to memory of 2748	1448	Kkbkamnl.exe	83
PID 1448 wrote to memory of 2748	1448	Kkbkamnl.exe	83
PID 1448 wrote to memory of 2748	1448	Kkbkamnl.exe	83
PID 2748 wrote to memory of 3432	2748	Ldkojb32.exe	84
PID 2748 wrote to memory of 3432	2748	Ldkojb32.exe	84
PID 2748 wrote to memory of 3432	2748	Ldkojb32.exe	84
PID 3432 wrote to memory of 5096	3432	Lgikfn32.exe	85
PID 3432 wrote to memory of 5096	3432	Lgikfn32.exe	85
PID 3432 wrote to memory of 5096	3432	Lgikfn32.exe	85
PID 5096 wrote to memory of 3848	5096	Lkdggmlj.exe	86
PID 5096 wrote to memory of 3848	5096	Lkdggmlj.exe	86
PID 5096 wrote to memory of 3848	5096	Lkdggmlj.exe	86
PID 3848 wrote to memory of 1860	3848	Lkgdml32.exe	87
PID 3848 wrote to memory of 1860	3848	Lkgdml32.exe	87
PID 3848 wrote to memory of 1860	3848	Lkgdml32.exe	87
PID 1860 wrote to memory of 4372	1860	Ldohebqh.exe	89
PID 1860 wrote to memory of 4372	1860	Ldohebqh.exe	89
PID 1860 wrote to memory of 4372	1860	Ldohebqh.exe	89
PID 4372 wrote to memory of 1640	4372	Lkiqbl32.exe	91
PID 4372 wrote to memory of 1640	4372	Lkiqbl32.exe	91
PID 4372 wrote to memory of 1640	4372	Lkiqbl32.exe	91
PID 1640 wrote to memory of 5016	1640	Ldaeka32.exe	92
PID 1640 wrote to memory of 5016	1640	Ldaeka32.exe	92
PID 1640 wrote to memory of 5016	1640	Ldaeka32.exe	92
PID 5016 wrote to memory of 540	5016	Lphfpbdi.exe	93
PID 5016 wrote to memory of 540	5016	Lphfpbdi.exe	93
PID 5016 wrote to memory of 540	5016	Lphfpbdi.exe	93
PID 540 wrote to memory of 2716	540	Mjqjih32.exe	94
PID 540 wrote to memory of 2716	540	Mjqjih32.exe	94
PID 540 wrote to memory of 2716	540	Mjqjih32.exe	94
PID 2716 wrote to memory of 4616	2716	Mgekbljc.exe	96
PID 2716 wrote to memory of 4616	2716	Mgekbljc.exe	96
PID 2716 wrote to memory of 4616	2716	Mgekbljc.exe	96
PID 4616 wrote to memory of 4456	4616	Mdiklqhm.exe	97
PID 4616 wrote to memory of 4456	4616	Mdiklqhm.exe	97
PID 4616 wrote to memory of 4456	4616	Mdiklqhm.exe	97
PID 4456 wrote to memory of 3668	4456	Mkbchk32.exe	98
PID 4456 wrote to memory of 3668	4456	Mkbchk32.exe	98
PID 4456 wrote to memory of 3668	4456	Mkbchk32.exe	98
PID 3668 wrote to memory of 384	3668	Mgidml32.exe	99
PID 3668 wrote to memory of 384	3668	Mgidml32.exe	99
PID 3668 wrote to memory of 384	3668	Mgidml32.exe	99
PID 384 wrote to memory of 1420	384	Mpaifalo.exe	100
PID 384 wrote to memory of 1420	384	Mpaifalo.exe	100
PID 384 wrote to memory of 1420	384	Mpaifalo.exe	100
PID 1420 wrote to memory of 3324	1420	Mcpebmkb.exe	101
PID 1420 wrote to memory of 3324	1420	Mcpebmkb.exe	101
PID 1420 wrote to memory of 3324	1420	Mcpebmkb.exe	101
PID 3324 wrote to memory of 2028	3324	Mjjmog32.exe	102
PID 3324 wrote to memory of 2028	3324	Mjjmog32.exe	102
PID 3324 wrote to memory of 2028	3324	Mjjmog32.exe	102
PID 2028 wrote to memory of 4580	2028	Mdpalp32.exe	103
PID 2028 wrote to memory of 4580	2028	Mdpalp32.exe	103
PID 2028 wrote to memory of 4580	2028	Mdpalp32.exe	103
PID 4580 wrote to memory of 1600	4580	Njljefql.exe	104
PID 4580 wrote to memory of 1600	4580	Njljefql.exe	104
PID 4580 wrote to memory of 1600	4580	Njljefql.exe	104
PID 1600 wrote to memory of 3948	1600	Nklfoi32.exe	105
PID 1600 wrote to memory of 3948	1600	Nklfoi32.exe	105
PID 1600 wrote to memory of 3948	1600	Nklfoi32.exe	105
PID 3948 wrote to memory of 3632	3948	Njogjfoj.exe	106

C:\Users\Admin\AppData\Local\Temp\58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe
"C:\Users\Admin\AppData\Local\Temp\58b78a7c7cfaf460fce309541cf5b49dc896533f8edcca0022ecda4c9fbc0b39.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 400
        28⤵
        Program crash
        
        PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1256 -ip 1256
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
232KB

MD5
394b694f20a32604b89a95c9998be99b

SHA1
b02d351e9de395b5e8075d0aef77cce8a2e651a3

SHA256
ecedac7b39abfa753967e311b3d70cadc04891067b8f950f9daea1e7a1ad79eb

SHA512
d18565796aa0f2fad7efd461d87e8e5d78380760e72c1834159a0b53a7831fb4d2f9d05c740660ad1a15b3adea0625e499c37198f823f0ba3fd10b8eca033b9b

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
232KB

MD5
e69e8a523631631e9ac06dea25de01f3

SHA1
8cc820d383c8ffbfe9c48ac69e948e4ff0467a47

SHA256
8cbe0553ac7e5e9813909804e033c919643a84a2cb4789a895a44909ce7a53a9

SHA512
252db8167aa004052c443d1232dee9f5dfd2a561295bf5316a82e0b2e78d45ccb608d008980dc70fa104a867da6c7a26b90eed11e6f5d74cfe14f8919d53e430

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
232KB

MD5
c4556b49655a9530cc7beb835d361621

SHA1
78efda3cb7fe1a8d2eea24fa7455fd0558dff24c

SHA256
ba3ac6c6b88929b4a9ddd13e2f974e044234557ad279c5af33f884beb0ea6cd0

SHA512
87d62a6a5526d0e62c76354d9883a76876e9c921cb33701c2a596a3ce4a8e2777c57cf4b451eb6e75dd586b7f39d9d1c7ecc86cf22b2df977c13a6c4103ad512

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
232KB

MD5
7243e301c2704e8cef369b5998f90863

SHA1
7968eab30cf3f7b0e43e76667a6711f6b4e9fa85

SHA256
0fe1852695759c4a8724c4b3cf674372d73e85860abfffda0c80b819883234d9

SHA512
34f90bf3a10d4cd0191646b4176c4c270f08bd10026ace920b7b24e6a3eedb2c53731ffeed80e85c2afbaf51d8b2c2781b9aee59189c62c376a0f04a8de2fe0b

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
232KB

MD5
62fbb540be787609b7643faaf00aca74

SHA1
b1fc11634f511f2c6bcdd0ad713bc9917ca4742f

SHA256
5304b04986a267d016a0687abfceee486e11113f4b43558e44d79483355ba011

SHA512
548fdb2efa5acbe850bc3239dea5415e7ae49e7edbe0779b9839dd3959cd24ca3f30c8a453a53288665f61a52ce8583ed252b23e76f1ec845ba1656edc91da30

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
232KB

MD5
bee37fcfdc4e9d26bac0906b038b17d1

SHA1
23529adf84837c70cd271ec8d28f48c8cec5b307

SHA256
171712d867499ba48ef54fc3d9ed37e5910aca8e367f7157199373614076b295

SHA512
7e4214d62883266bbc5c2c58724edec6d8db0e77fbc5ffa441ee4d0ac7272efa16773243d902803c006ad3ef95963e7a600259abcb3d47fce9dd07ad39e5fc25

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
232KB

MD5
f82850788aa3d3abaac961067135a58a

SHA1
0d0bbeac6e79b4dc2f6d14c58f6b4e400df28b94

SHA256
f118cfe7c7b41666848ce268577e6277c53dbda935933093ff363fe27c983621

SHA512
1123d139dac8a9cbe5bf7c551d65e6941c09b2ca5741907aa819df32623b35a13c2679ece8ee867c3f785f0ea95742b5d9353833b840dfe5bb40ce62869c55ba

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
232KB

MD5
9709b12985ccd81ef3d03bdc809968f0

SHA1
75e6fcee1e334358dac85c3e2602fc0a7f8c89a9

SHA256
6f054787a5083ecfa31cabf3009393c3151b07014f80311e03f092aecfc5fdee

SHA512
13b59034c192ce390ed6dbce0f5cd02b0fa2a8e141f81b7eec6c1663bb9881f3bf604802c749d9842fffe884452f562d1d28a8554563755589a69cfdf5d8207c

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
232KB

MD5
23bca37015b2b06e00657202a4bda8c0

SHA1
b15c4ee9b7dcedbb66e469873c880552520fd585

SHA256
375839c79e93b92ee34aa7ead8fa79edd66e68d2ed44bdec79e14df492d4f30a

SHA512
fe71196075db2fa873e2d8ee76f486e529a6b1fedc94e37d184974aee98505e5abf0f752d8ca10131f03b5065dbb332b014960fe4516cb4886b4c56c9e60b738

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
232KB

MD5
92ce52ea724a450b36174f90a3914b8b

SHA1
c199b0e480d7f6129f2288484a590b88c3819631

SHA256
8942cb9d9189aafad7288e4febb733613cf81ba78aa736889dd31190fbf864f1

SHA512
eb1801aa94dd1c04c7b47cadbac49ed6f16910b35cff2d046856f668204b60616f5988b7fa9756dd99b73c0b101f4778d3b8e1ca9327faadab52ac2cc1797ada

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
232KB

MD5
4074ece0bbad17ec47137e16751451ec

SHA1
245de650492e7282ca8d612f94539ec555fedf9b

SHA256
90373d256d6ecafe9c651fb4458d497be4232cb8fa4a2240aca29c3e9b370fc0

SHA512
7db7283996dd81c64c5cda2889c4729287132b37c652107dcf94fd153fa171adf80b9776eecf3d6eab1be7d0f272dab6c23459d7fa1326ddc1053a0404186053

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
232KB

MD5
60d82473acb95838faea2506acd95c2f

SHA1
2cb2735427505a89f7fe22c7b4d3d50f3b3d3c14

SHA256
e9d29d0f5bf48172f084e4fb7df14ae01dce9c17798682af29cb37d8f963cab6

SHA512
2adabb1afea183897d2dcfa2c52769e43851aac94e5122c7afaa89bedb0e2635cff4683c8d9243a5ff1000531593f55b8d539f8b2f981d74a8972e53d10691e4

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
232KB

MD5
98aca9fc574cfbfbc259e486109a899f

SHA1
3c364d8f33e49b6da7373c8f13c3369769b118dd

SHA256
7a6243e5d577686ab31d6e9ae9e6c11cdd8c19b69b189d47dd15b88fe83cb9da

SHA512
d8df2c7b085db494d8174cf0cb9f62eff99234f2ffbeba18a5f85cc2a62fc4197b762c588bb9838256d9298e8247b54dc8f6dbf3fa39b2ad2fc96de174af44e6

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
232KB

MD5
2dbcc47fc2cccb1fc1d73946144765de

SHA1
ec1b23286d72be5680a71b6fd17d481fb05487e9

SHA256
8315ac1760dc60c83aa7f98cf1ca1f0e793aed8486340ecb28ee3f66e6c92ace

SHA512
41d8f6cb49e0cbd14f6d1622ab3115ad4ca9c3a2b88c7a3905428904b50027d59b87d6ecf5312c5ffa0d99829751474ef48b8563a6469c06250739a877b50cd4

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
232KB

MD5
e24e0ec8bf95e5db93176597af765e8c

SHA1
a93ab2aa0495025250588c1d27cc16728795b9d2

SHA256
42dd4e6a2a7805cc924b21b7ea2ada58a3945ef86da12ea4d0cd0c340dde68e7

SHA512
a7e4860ddbd98b0537ede1271cfd9b2930580aa6a0549b17855cb9faac59aca6718764f9e54a1e65c3421de7179c4b265850d9958ab1d760650ec5ca7cd6740d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
232KB

MD5
ddbbb88f5771ec6fc71d6c9fe8cb7407

SHA1
ced1c906beaea097370471a6608c730698178e55

SHA256
51db1a6500dcdd495019d21a168a50a2fc6d4c6d266f49f742bf1938364dfe49

SHA512
e63b777a1b2d0fc3298e9c9e705a23e210bd7a460be68bd28ce8a73adc42ad08c8b4300059ea2d3ececfa4e96badcd69e3e58f5fc955c8ceb3bb767c8d7504a2

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
232KB

MD5
52270e9ffc3975753cd075e6e07a40e7

SHA1
61ad0e33efd3f11f62aa82b640c56dea6b3de077

SHA256
1049cdb579ccf3f90231326c84fb1785110b03432795a51eb8b9754d7ac81c8d

SHA512
ab95c2ec58a88ce92ab9d50b99046ea71b6660e34a2db443408bb770c0ee47dbfd1fa93d9efaa3f0a8cb648f2cf43be0d159031d40c79777c38444c386dfd66d

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
232KB

MD5
114a64943260428ab2fbb8753631a53c

SHA1
fe7966c1e4e8c9ee6d4046476b0f57e8a0a87ccf

SHA256
0321c6db52acd610d8bfe75b760f92a8564fa6a8086010f62ebd82e65aa21674

SHA512
744dd7154b9d12db6de678d645f28c294d810c76a52e02e6ed27037f7d29f6f590b56250ffbc0b28e4a516f03ea132112ba7ec6f8fa61fe1e5ee23604fca62e5

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
232KB

MD5
0b5e2345074d8b44eb1afe28d6f5ff41

SHA1
b7a576e2f7de83be59a89a6e3e95759f0ff7909d

SHA256
d7bebbe37868713c3277211e2b3317d748bf4da722b4f2808efd5f980aeb3241

SHA512
98faf9322c00039826457996483cbbe49d1e8f5699784741ba745e061bd5286241d03115e2b5fa1f0fbe281a10b8a4cd256937800c27de6694b856102e78e8b5

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
232KB

MD5
7d831a66c47065f4096ed5539c14b37e

SHA1
79b40236dc6be7e4bee2637fc183194827e7f051

SHA256
e08d28f1bfb57dac9511b88528a7ea7abd3e661a735d703222c0e249dac408cc

SHA512
372da07243dca9727ea7a5826c2ac245c11ea826308cbb006af797ec1c4a5bb88679b058c9a403000a3621da2503a0481b7e14c09f5ee87df705ba2bf5ec86fe

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
232KB

MD5
e889877a6b4c35d085bc1ef5bd6fd94b

SHA1
d08b1a33b83798d1b1fe4ec52a5b6849ef685158

SHA256
153ee398fb3ff0024e80f115e529185fa66042be47d55137face4996d504863d

SHA512
ad5334ffafc39ad7764a26b010ebae7aa5c2555d74edb6077d8acd011f581d5fba1106cd9949cef7912a1bf752fea14de3ce4e0fe3b2415b22242b947614ffd3

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
232KB

MD5
42202c4db90479da2eda24504f9750ff

SHA1
1ed9ddf9e15123b5fcb182f8cd24db0faa217b53

SHA256
aceec557f08c67cb4f1dd44866340ab9d06a5c4a96b70c509709f137b038e414

SHA512
7056d4feafbce6caf4b0a4c12b20aba77aaa73b99b6416db9c6e9c71381545fd48cc7ecbcad279e86724cfb7baaa458bb97a12e73eff059a036cb22180ad1706

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
232KB

MD5
ee6f618a52041e3cd1125d32e56fe83f

SHA1
47faca44782377d5cbd35b1163b140078f7af465

SHA256
248f36b7fa2422861874b55ad67919080e1ae6ac469c4e52813271fcb0eeda84

SHA512
b60559d98d3a7f9970e95ef49f807f55346bcc88aa6becf18cc940ff3b0f3ed1c71ae65813443bc7ea97463ecf2ca68c251c666c43a08aa80b6b8cb6abe6b97e

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
232KB

MD5
2d959746064bba68ba65e9a367edef2f

SHA1
20c7f2499cb895f039fdd5b2252223cddb10e2a6

SHA256
d28a3c0e1161823394bebdffbdd5ec0a7cac6159dc2aa4efb69902b3cd5bdf39

SHA512
9f7990822605a175656ba9e5a7f45777100202ab1d232d619d2b609811b9a1bccf35a35418c44128eeb309d289a8419f8735c91cecc9f1fb755bd0317bc18285

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
232KB

MD5
f5d20c44a3812fb0bf5a72882128e206

SHA1
a50e0f9418273adb8e4f32a5eefc5ab5dc565bbc

SHA256
95cd0fc2b3bdecad87215e3e711f18b4d313457b805b1baeb753f114af80ac5e

SHA512
a1113e505ccfedfeccbab5cd4a77641a1c041702b92c24056e9056e139f7df4656615822c2606ff34c2a863bc884d7fa8f69521a735fee85a92e9152e6ece8d3

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
232KB

MD5
42c80c34f6b29739f7d24ad270739497

SHA1
e659a70176cb21fcf12e6cab954a01cd2a5a8c03

SHA256
c56577ac5bbce7d3812db68ab8cb97d1bb76ac4147afb20e58bb483f4cb88563

SHA512
7a8abc1d32ada0b5e564bf8ac6d20fa24064ff0a4ba66380bb90f327cf3fd5fc426fd7cb8add9911ba3162358a20fc93d239a225632e1ee3a1a4f4775d282c40

Download Submit
memory/384-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads