bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
Size

99KB
MD5

e1feb09f493c4f39adffe5bbd0f819cc
SHA1

bf3880647b53de9b29d20ac9393044381704ce6c
SHA256

bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc
SHA512

aa5fd2cb4c8ed3a534fb6a5b45c547c31819e203972974eed1591947013e9785304929488b17443fa2cf257dcdb70aaf55a80f739103fe38303cb1a0f9d4fd06
SSDEEP

3072:vdBZrBw40fkZNheycpwoTRBmDRGGurhUI:v5kpKm7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe

Executes dropped EXE 38 IoCs

pid	Process
684	Liekmj32.exe
60	Lpocjdld.exe
3692	Ldkojb32.exe
908	Liggbi32.exe
4624	Lpappc32.exe
5064	Lgkhlnbn.exe
2576	Lijdhiaa.exe
3428	Lpcmec32.exe
1700	Lkiqbl32.exe
1820	Lnhmng32.exe
932	Lpfijcfl.exe
2236	Lcdegnep.exe
4912	Lcgblncm.exe
1472	Lknjmkdo.exe
3656	Mnlfigcc.exe
3584	Mpkbebbf.exe
3884	Mnocof32.exe
1084	Mpmokb32.exe
4896	Mnapdf32.exe
860	Mcnhmm32.exe
64	Mkepnjng.exe
1652	Mpaifalo.exe
2108	Mcpebmkb.exe
4016	Mkgmcjld.exe
2704	Mjjmog32.exe
4756	Mcbahlip.exe
3716	Nkjjij32.exe
2340	Nnhfee32.exe
3336	Ndbnboqb.exe
3188	Njogjfoj.exe
4436	Nnjbke32.exe
4356	Ngcgcjnc.exe
3988	Nbhkac32.exe
1496	Ncihikcg.exe
5044	Njcpee32.exe
3612	Nbkhfc32.exe
4840	Ndidbn32.exe
5080	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	5080	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 684	3496	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe	82
PID 3496 wrote to memory of 684	3496	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe	82
PID 3496 wrote to memory of 684	3496	bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe	82
PID 684 wrote to memory of 60	684	Liekmj32.exe	83
PID 684 wrote to memory of 60	684	Liekmj32.exe	83
PID 684 wrote to memory of 60	684	Liekmj32.exe	83
PID 60 wrote to memory of 3692	60	Lpocjdld.exe	84
PID 60 wrote to memory of 3692	60	Lpocjdld.exe	84
PID 60 wrote to memory of 3692	60	Lpocjdld.exe	84
PID 3692 wrote to memory of 908	3692	Ldkojb32.exe	85
PID 3692 wrote to memory of 908	3692	Ldkojb32.exe	85
PID 3692 wrote to memory of 908	3692	Ldkojb32.exe	85
PID 908 wrote to memory of 4624	908	Liggbi32.exe	87
PID 908 wrote to memory of 4624	908	Liggbi32.exe	87
PID 908 wrote to memory of 4624	908	Liggbi32.exe	87
PID 4624 wrote to memory of 5064	4624	Lpappc32.exe	88
PID 4624 wrote to memory of 5064	4624	Lpappc32.exe	88
PID 4624 wrote to memory of 5064	4624	Lpappc32.exe	88
PID 5064 wrote to memory of 2576	5064	Lgkhlnbn.exe	90
PID 5064 wrote to memory of 2576	5064	Lgkhlnbn.exe	90
PID 5064 wrote to memory of 2576	5064	Lgkhlnbn.exe	90
PID 2576 wrote to memory of 3428	2576	Lijdhiaa.exe	91
PID 2576 wrote to memory of 3428	2576	Lijdhiaa.exe	91
PID 2576 wrote to memory of 3428	2576	Lijdhiaa.exe	91
PID 3428 wrote to memory of 1700	3428	Lpcmec32.exe	92
PID 3428 wrote to memory of 1700	3428	Lpcmec32.exe	92
PID 3428 wrote to memory of 1700	3428	Lpcmec32.exe	92
PID 1700 wrote to memory of 1820	1700	Lkiqbl32.exe	93
PID 1700 wrote to memory of 1820	1700	Lkiqbl32.exe	93
PID 1700 wrote to memory of 1820	1700	Lkiqbl32.exe	93
PID 1820 wrote to memory of 932	1820	Lnhmng32.exe	95
PID 1820 wrote to memory of 932	1820	Lnhmng32.exe	95
PID 1820 wrote to memory of 932	1820	Lnhmng32.exe	95
PID 932 wrote to memory of 2236	932	Lpfijcfl.exe	96
PID 932 wrote to memory of 2236	932	Lpfijcfl.exe	96
PID 932 wrote to memory of 2236	932	Lpfijcfl.exe	96
PID 2236 wrote to memory of 4912	2236	Lcdegnep.exe	97
PID 2236 wrote to memory of 4912	2236	Lcdegnep.exe	97
PID 2236 wrote to memory of 4912	2236	Lcdegnep.exe	97
PID 4912 wrote to memory of 1472	4912	Lcgblncm.exe	98
PID 4912 wrote to memory of 1472	4912	Lcgblncm.exe	98
PID 4912 wrote to memory of 1472	4912	Lcgblncm.exe	98
PID 1472 wrote to memory of 3656	1472	Lknjmkdo.exe	99
PID 1472 wrote to memory of 3656	1472	Lknjmkdo.exe	99
PID 1472 wrote to memory of 3656	1472	Lknjmkdo.exe	99
PID 3656 wrote to memory of 3584	3656	Mnlfigcc.exe	100
PID 3656 wrote to memory of 3584	3656	Mnlfigcc.exe	100
PID 3656 wrote to memory of 3584	3656	Mnlfigcc.exe	100
PID 3584 wrote to memory of 3884	3584	Mpkbebbf.exe	101
PID 3584 wrote to memory of 3884	3584	Mpkbebbf.exe	101
PID 3584 wrote to memory of 3884	3584	Mpkbebbf.exe	101
PID 3884 wrote to memory of 1084	3884	Mnocof32.exe	102
PID 3884 wrote to memory of 1084	3884	Mnocof32.exe	102
PID 3884 wrote to memory of 1084	3884	Mnocof32.exe	102
PID 1084 wrote to memory of 4896	1084	Mpmokb32.exe	103
PID 1084 wrote to memory of 4896	1084	Mpmokb32.exe	103
PID 1084 wrote to memory of 4896	1084	Mpmokb32.exe	103
PID 4896 wrote to memory of 860	4896	Mnapdf32.exe	104
PID 4896 wrote to memory of 860	4896	Mnapdf32.exe	104
PID 4896 wrote to memory of 860	4896	Mnapdf32.exe	104
PID 860 wrote to memory of 64	860	Mcnhmm32.exe	105
PID 860 wrote to memory of 64	860	Mcnhmm32.exe	105
PID 860 wrote to memory of 64	860	Mcnhmm32.exe	105
PID 64 wrote to memory of 1652	64	Mkepnjng.exe	106

C:\Users\Admin\AppData\Local\Temp\bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe
"C:\Users\Admin\AppData\Local\Temp\bfd489f225e4adb601ff95842c71653f5f5ee67e8fd3ddd9185ec598854f2cfc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Lpocjdld.exe
    C:\Windows\system32\Lpocjdld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\SysWOW64\Ldkojb32.exe
      C:\Windows\system32\Ldkojb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 416
        40⤵
        Program crash
        
        PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5080 -ip 5080
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
99KB

MD5
22dea1a441762445840bcf44a013d69d

SHA1
ce93dbce72bef2e6b66d77a9bb84eebfee2f2204

SHA256
7a44c882130658392dc2aaccd25029198758d93f125a6f083ae6bc280f9dd6c9

SHA512
a479d5de4b28b2e1b997eb3ead466cd340ff4d43ef59befe31ffbee86f5259314540fa22f37f349829e9fe070d024901384585bca70422970b08e1446366450d

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
99KB

MD5
5c8e1ad6a56f093a2619a4519fd7869d

SHA1
6cd463ab94589482eeebc665d613dbbede0d51b9

SHA256
233d204017433b82abe80ebad2ac2aace456f5201dc54adcf8fd9197ab476dc3

SHA512
ead8b9146653f4d3c9f8a78b814a2082a4685ac664eaa9e2140b1ba1b0a4c1c0ccd7b8e0466142d7bbac5671868d44f42ea397a8470671414d7c7e1a8548fb83

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
99KB

MD5
8e16283690788a26f26ac227246f93db

SHA1
ad8b274f2525b836755eec0ccd0825d4f6b7101f

SHA256
5f433fde588a9572d11e12bff56e2ce30dd7f2ce5f86d4dc195c24995cfe429f

SHA512
12a0fc4d906a8cac4944cf972f42e0f383d6366a76f5c6ca2c8b665c5dbdd6059e977573c96f85ff0e523b4f03a68844a35d593babf814dfb009094bc119c719

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
99KB

MD5
77c1b8c7fd0d9efef505539c703ded82

SHA1
b8c687f1569decefb83e3dec888671ae79b7ad4e

SHA256
cf13676b8792ef4275721d850f1050656525f80b7c81f6726fa03c3e978db03e

SHA512
b2e647365af8899af6cdb9d42f47a5eb5271264c927dd1aef7298996bd38160d927d1b1d67e8554c4203b76a182ced8b3799314c77501b2622b303d7b921d821

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
99KB

MD5
034b9786cc1d2610e3f33349e4b69af3

SHA1
11462abd48a33013fc44787b3048277b5a4fb44b

SHA256
e92622f369c5dd5b89153ec8a5b16d994e273c5fab0ec821b6ff2774bb8b40a9

SHA512
73c9969d2a4767925882d95457af9bd25affa7c2703fe20b6c422fc8938155dd21f4280baae8ad2c5c949a3830b6024179063ebfe62e65ba4c6ef92ccd2f59c8

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
99KB

MD5
2aea70dbb3ff38f37e39be50d075b8d5

SHA1
df042fe1bad4b727469b581f433b421144ecb276

SHA256
34ba31e8f92526d1afe54f26d3c45d1a030db3bc6207f4ba596342b99e0750ed

SHA512
e2b2781049d374d877c592254d64814866a8bb49fe97a42cb3ea052cf7f2ed0d14cc027c66a5070abcc14c65ca60ffe7e8a7036ef3e47e70f6b8e3417a1e933b

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
99KB

MD5
732748859f160b5418db63a719f2973f

SHA1
9afa19c7151d1c0028fb1d082f98660cab9079ad

SHA256
6ee348969589a81ead84822edf71fecb112b9c156d1487bde07259d02f68ad2b

SHA512
85d6101b53d3b7abd6dc01b2a9c0b29222b064b3e022ebd23463ecc3ca8779b1652d6b7b46f024e60714be96181c610838d7b082713323741545c43b4b311c59

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
99KB

MD5
0d94897b946deef159e57b442bb26587

SHA1
e50a323eef3eee79391d4e8cccdba7191eb59260

SHA256
358e45c025bd62b7df5aca17ab1426e2c1768e52b16bf42c27a6f22658d7bd0f

SHA512
70e7d1dd4fa042fdb17eadef92c1ca5dcfe46210d97fe5ebf79d49a6c0e203b8337a878ec3cdb684a1160199c289179b04218af568349981d31b5622e983ac62

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
99KB

MD5
0dbdbfb2d43c734728422761c8e54273

SHA1
dbfa8884477407969b155a74c20f45b6294b5f9c

SHA256
9bc495c68d6b78c46778ee835971f764ca9c6051da2509e06855073786b62e4f

SHA512
c87bcdfb244b9aa063d6668c4c4780b5871900944b4c0365d3ef323754d901fe9f351274b6ea6ee336d658819611c9b55ac78635555ae45b7a983b77ca861df8

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
99KB

MD5
45adacb7c545fc20fd120040bb613051

SHA1
3c990686b25ddb55badab6445d824c27cd1c8446

SHA256
f016b1891ff1b5fc80324dbf2335f15c7db50484d5c879317343a3e182007326

SHA512
7f60cb148203a7d2f159a524c88b69a88ec2bf2464d83073bb3186c9a5fe95451d10653a81eb8869a41d0bd83a517fd18a4eeecfc6b4b05d48c0e835e374bc03

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
99KB

MD5
e4fe1cf6e6666ad3220f773076f2ddfc

SHA1
6bcce9a26884626607ca2f938f804b566dcef54b

SHA256
3d4f6ff0fb33f05bb8065cf6f64b14d2cff2d9350f27c1646a5b4f2ac66cd148

SHA512
805d7101d6615fb1893d81c365294c14c4b73fd05d599ba27945a698a918d1a69076ad30f9d87e3d387091bb87d3261e8cc221f0968fd2aeded54cf61a9ff902

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
99KB

MD5
45c48d94b8650b198bbb5b3d0d8879b1

SHA1
a4382e786e0cffcb7d90e7c8caa9403ab24708b4

SHA256
54ff9c2271127b6e5d71d9170b99d3d452f8ecdd655c38a01dd975ce0271429a

SHA512
d08719c0ac21ccb526feee72732f81b245e7265de68ff6f48cd23b13e54aba5eb802522cf1342280c472631b1292c1864f4ca498f224a5eb46d74a44d78d5d79

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
99KB

MD5
b931b717c8c1657edb005d36967b7bc3

SHA1
94451ae0ac599a4fa33f90f70b091491943c4c99

SHA256
46ab24a4a5b19f285aae727b2a3363d9692c10cbf9300831786931b713381bfc

SHA512
146abffeb61b1f1ea07156949d4402eb80c28aaa06b9c367344f0e9264c39bf23f3aedb711c7e917a90952f1b75ef3344aa91182a1dedb35314731b6337823fa

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
99KB

MD5
48f13eaaa4db959e8929fb11fd31ce40

SHA1
621f4b162dcf1b506adcc1c5b5044a948a572c59

SHA256
0f56c362ad0bff56fecd10c64521b86cfa06af626b0dd8dedbad2be1346b3cc2

SHA512
224c1f8a0426bad052905363018369da6852691c11804cdb904f6097c6e57ac338084b5300ecd888f32fcea1d5c3c5556605557f7092be06d761280df0fde351

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
99KB

MD5
b80c071cd275f71ff9d1a10bf7851567

SHA1
818a29c9d78eb372b3adb06886d8cdc7a4c5750f

SHA256
d0a5f9fbabfc1db1a55dfebc8dee1b805d374ab96a67c19905bb8ac5d92863e9

SHA512
fbf3f6e389a54062388f308778aa317f1ef758711b233a178c79f0dfd55c3ade284d0dcdaeced9ce1743d53350ba40658d3114299177a91a4996769f6f84f016

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
99KB

MD5
77049302350d25993f1bf483c3e97197

SHA1
87f296813d8fa53b0f0d3cf7ccaee0eab89615a6

SHA256
c4395e4f031e09260dccfe7c9c4fd3619fcce6ffe6d880d1ef5e5ab643d51a8a

SHA512
57b20025d0103f2dab0ddb51884ff2905dcdf5fbf81151444133969b18cb5b8210efe96492514fd9a7ae5408f7f729dedb72c5459468be44d6bd58582cdf82d2

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
99KB

MD5
f84a34f869945d6a2b0dc4dd431a4410

SHA1
cb63d36a0a67a5a7f6c91d5271303f25ad1d6161

SHA256
e64860d8664f4e052d84193cd69e6643c937bee98ceb547eea293ccce2f130c7

SHA512
e2d3a58983cb44f12dac165fa71d4cbe0384da4d0ca895ea06e7716e2845f8ba7e002eb9024fd29b6f1d6a6acaf6c313f8cdd145d2b3878d1cdbf2f39ad1bfe1

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
99KB

MD5
b9f9609980809b0d7ed9064cc82cad3c

SHA1
39ff71308cfabedb1c73389a71d5384eb96027f3

SHA256
a5170fb2739fa1b8580a91c059beb6f11d56f1eb918a65c88ac99e411fabeba4

SHA512
b2b5f65db7abd5f1948aebc04493f66121d04c3f59a99dcfc7fcacb477598471540ce0d163c1bbf5733dd1a04cc07a79ccb8873c108648f9762056d40ae22d60

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
99KB

MD5
d1a5172cc49b1ab6f2ece57b77c8501e

SHA1
bdf27b84ff28982f15412b675d27ac0a7c80c04e

SHA256
2a036573732dd14a5744f8a79ea4bbf9eac548c37af293421a4b0bc9472edec5

SHA512
2286aa1a215a3253d7de70b12bb92cfa1268b0ce4825f0a48a90526d1c6b22187ec5e644b4b4eb782ae11c4cda08dde009d0b9b7f5d61a9f10a2fff32c86555a

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
99KB

MD5
5670f9cd15753f68f20751753ce91ad2

SHA1
229891552272801296d336d80bcb089e67541aff

SHA256
fcfa287dd60f797ce53e29877d95a60d726da78f6366c8e30caab06d3b974665

SHA512
74390ec23461a42bfee2f02e372f9707e1c0bc8c4856143912602c4277bbbdf75d770bcc0ce456dff0cb1a3078e1e0c89b20684786a6be1f90a82eb2a99e4d45

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
99KB

MD5
ae58a32d9ce65cfdc0a60f72a4880996

SHA1
a2d066c378a5684935c6f355308668ad5506fdae

SHA256
19fd1fddfe593936beea83392f265b04d3469339da6925d5ec1aabf5e01ffbfe

SHA512
5ece1a04edba85503e7229cb366a20e0d3c7086fbeb4c64a79cfb2cc7687191a72f879089061876ce67f4c5567311c7378dd89282396a0eddf00c033a753276b

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
99KB

MD5
d7ad2f87cf365b645ed3f9fb72db371b

SHA1
363f5f1c43700b9aef748323260f0ea3bf8612b8

SHA256
2a9db550b8fb0f873bd23004fb1f88de420634ce6d45774757895d2798473653

SHA512
e60c88f4c9ebe766519f6f6e06d535d2675d4ee8bd937cfe685f43893a127e41b94e7baa453f4038e53f2a7da8615e07620579522a84609e9c060657dfd93cab

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
99KB

MD5
87a2f19fe310a9aee8cb56bdb37c235d

SHA1
858b2882115cb01ce1f337c672d9e6b2ed655d7f

SHA256
ccf87dccb22e198f4b1f7cdad40bda07e6ddd7918486022ca01f77136fc4810b

SHA512
10b336043424212dc11b61cd79d85415c3a95818587794f18e7248acf7baa0312fa28b0ebd0049c2438720eb01e2d0d64c473f7b80fd89f4b9fdac011f533ea9

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
99KB

MD5
85904df58c04a09adbec91b2d425c16c

SHA1
4b44364d7a2b48fed2c423770a6b946f32756271

SHA256
d125e9af7166d12afb3a8aa3e848b6af035f8951fa63397b6f06f47adbe9f4ff

SHA512
2673259cb061573143768dd8775e71578d4efa8b4aef871dda62efcdd064f1877d2d87b1eaa0067750517a1b06719651c87ff4a5ed5684a32fe3e20d4e313a0c

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
99KB

MD5
74fd90c57ee6f83b7480874d3abc4add

SHA1
b0c19d4f228a1735ed367f1f08a0c522a9fbfb1c

SHA256
fe1b1d09d42031d5d4668122fee999732140db25fe81399bc6c44851dfd143db

SHA512
9cd81e39e515d5b6750795c08080a1bcd31b77f54260e16d320d7f7ad3e7215b71d947e3bb5e6de05ba2732131447dfe75d58bcbb622b9e01e35de3db04301bc

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
99KB

MD5
3356076ae06887446035f7f77f253825

SHA1
a8425d6854e25a7a90fa85e05c00e57359010935

SHA256
e885b23feebe5de6b77f697dbc6d8436e9e582f357d66265bba7851e5edd1d55

SHA512
39934e7e38626301435e79c515be434115d05abf69479419522620f8d13ad20098a7f7326c3cb715963001c5f84a06a756ca84b07f5d3ee7e36adbe537c8d19c

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
99KB

MD5
cc5be586a93a77990225da2942d09e6b

SHA1
9512a2e4e5e50647203239c2c586b52edd5d8af5

SHA256
4f799ea2dc4f1f99f36c6fb139baf6ab568613132987232fffcf67273f20df4e

SHA512
ebc9c695564cdf2ee4b218e1a904e64444caab90f46a55841f52c3e68ac6111d96506f4aec917818ae0c511805e7f9abdacec73d404a537f8ff9af1c580ac20c

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
99KB

MD5
0a124a93d01dbfcc337367af8d80ad35

SHA1
c22cd8785371df2af18acec5baa054bb7145bad0

SHA256
22b2a25a908e2efcaa6730eb41eb5a1448e08d6aa9c13756310f644bc4859ed0

SHA512
8b2828cdaec13b7730d749f85b5e2d14847a889f51213eecf734f17451b0014681d3b831616de997988a38870d8d0b068b38b8f1b865c37cfa0699c3e3e5b503

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
99KB

MD5
cc99009a400f3eda4855b117071bf5cd

SHA1
3336720f16882c59fc694e01a85b3374277d2bb0

SHA256
a9819cc9c543e988ed9fa7ffa795f8edfcf8dd63ab1884d01959589569f94bf2

SHA512
053e0608de9ef3594c432e11059758e17a1aa0deae2944c68e090cbdac243e93ed1a4c8f7a5160dd0039eba892ce6380412327427730def87f454d1f5f6cc497

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
99KB

MD5
c47507d8dbd1c48d7e84a8b1c9c3daec

SHA1
f1d7542f8a13486568db05b5f24a4cf583937061

SHA256
0df0697ef5db862b52a3efaf0b1198248e30533674af0ceb447bc7df70cfec62

SHA512
c76ba3162ebc765a7ae939beb30f4925a9cb7d6abaa4125955ad6224113500479798ed4948a87c596de993de712bbd6132c0e57667db7c9c92128409e98e903a

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
99KB

MD5
068ba6e5678c0685b2ca1f57eb300511

SHA1
6389d3ba7739032ef4d0213c700b0929335b7939

SHA256
c3ba2c9db78b340d8bcf5cb1f2e4c98d5a3cacda0b878034f712ef2b42639f07

SHA512
db5f2ba9005b259edb00ab099a31cae6a787f2532a7ca4344a4dd7d359ee5e28a70056f4980216849d4c5056eaeb0fddd23278b6fc8347d20292fb84c0d3e2ab

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
99KB

MD5
907bcab6af05cae66b79260a26162f92

SHA1
6ebfabd75baa3b9a3a09c4e8623c175b3d109936

SHA256
eaad6ff48a3d8319bae58a752c676fbf989785c0192aaa1782bc5e7f396c87bb

SHA512
6bc42804ff9c8384d3198f8838dd8c0dd205e36702f464657588f7cf4e7292da4edd76230c8dc591b1793b9bac597f29e5799aab84abaa721ca7ec6157509f66

Download Submit
C:\Windows\SysWOW64\Ogndib32.dll

Filesize
7KB

MD5
65f4f6f9eabe8165feed6b0df3ce7e79

SHA1
98502aac30ada1145eb2d395edfa7fb76a412e1f

SHA256
2ba0e545010b1b07922ca4618399ec267fbdceeefb3b25f503a14bf4ea0ffb52

SHA512
71d4e9cec384649a080f8cdd7714f97265e11b634819ed8e79f24953610c3bd356109986dc6333b56a328e363778e6ea0367eb18f0c5371499b6e22207a25f48

Download Submit
memory/60-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/60-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/64-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/64-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/908-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/908-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3336-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3336-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3584-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3584-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4624-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4624-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads