af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Size

94KB
MD5

3c269a2ae80033002658c37f357681d6
SHA1

d1191e1477aee48fd5353bedce62ad17d4e70111
SHA256

af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa
SHA512

53fe79b4105abde5cb2724d66f5ac9e52850be2253e32f00b5c072423129f42ecacbd43661f9f8b175742d4125998d78e8cd76dacc934256cd2fbf2bd3d6a79f
SSDEEP

1536:r7VnHlVrIPEhTeuZLk2LX0aIZTJ+7LhkiB0MPiKeEAgv:r5FVMPEhTeuzEaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe

Executes dropped EXE 35 IoCs

pid	Process
1624	Liggbi32.exe
4524	Laopdgcg.exe
2596	Lcpllo32.exe
924	Lijdhiaa.exe
2116	Laalifad.exe
3976	Lgneampk.exe
5072	Lilanioo.exe
2736	Laciofpa.exe
1036	Lcdegnep.exe
2268	Lnjjdgee.exe
4004	Lphfpbdi.exe
1688	Lcgblncm.exe
3324	Mnlfigcc.exe
2128	Mdfofakp.exe
2072	Mjcgohig.exe
1336	Majopeii.exe
4556	Mgghhlhq.exe
4236	Mjeddggd.exe
4720	Mamleegg.exe
684	Mkepnjng.exe
3792	Mpaifalo.exe
2648	Mcpebmkb.exe
5040	Mjjmog32.exe
864	Mcbahlip.exe
1568	Nnhfee32.exe
3164	Ndbnboqb.exe
4492	Ngpjnkpf.exe
3532	Nafokcol.exe
5016	Ngcgcjnc.exe
2508	Nkncdifl.exe
4932	Nqklmpdd.exe
4404	Ngedij32.exe
4352	Nbkhfc32.exe
3428	Ndidbn32.exe
3992	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
676	3992	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1624	4880	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe	82
PID 4880 wrote to memory of 1624	4880	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe	82
PID 4880 wrote to memory of 1624	4880	af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe	82
PID 1624 wrote to memory of 4524	1624	Liggbi32.exe	83
PID 1624 wrote to memory of 4524	1624	Liggbi32.exe	83
PID 1624 wrote to memory of 4524	1624	Liggbi32.exe	83
PID 4524 wrote to memory of 2596	4524	Laopdgcg.exe	84
PID 4524 wrote to memory of 2596	4524	Laopdgcg.exe	84
PID 4524 wrote to memory of 2596	4524	Laopdgcg.exe	84
PID 2596 wrote to memory of 924	2596	Lcpllo32.exe	85
PID 2596 wrote to memory of 924	2596	Lcpllo32.exe	85
PID 2596 wrote to memory of 924	2596	Lcpllo32.exe	85
PID 924 wrote to memory of 2116	924	Lijdhiaa.exe	86
PID 924 wrote to memory of 2116	924	Lijdhiaa.exe	86
PID 924 wrote to memory of 2116	924	Lijdhiaa.exe	86
PID 2116 wrote to memory of 3976	2116	Laalifad.exe	87
PID 2116 wrote to memory of 3976	2116	Laalifad.exe	87
PID 2116 wrote to memory of 3976	2116	Laalifad.exe	87
PID 3976 wrote to memory of 5072	3976	Lgneampk.exe	88
PID 3976 wrote to memory of 5072	3976	Lgneampk.exe	88
PID 3976 wrote to memory of 5072	3976	Lgneampk.exe	88
PID 5072 wrote to memory of 2736	5072	Lilanioo.exe	89
PID 5072 wrote to memory of 2736	5072	Lilanioo.exe	89
PID 5072 wrote to memory of 2736	5072	Lilanioo.exe	89
PID 2736 wrote to memory of 1036	2736	Laciofpa.exe	90
PID 2736 wrote to memory of 1036	2736	Laciofpa.exe	90
PID 2736 wrote to memory of 1036	2736	Laciofpa.exe	90
PID 1036 wrote to memory of 2268	1036	Lcdegnep.exe	92
PID 1036 wrote to memory of 2268	1036	Lcdegnep.exe	92
PID 1036 wrote to memory of 2268	1036	Lcdegnep.exe	92
PID 2268 wrote to memory of 4004	2268	Lnjjdgee.exe	93
PID 2268 wrote to memory of 4004	2268	Lnjjdgee.exe	93
PID 2268 wrote to memory of 4004	2268	Lnjjdgee.exe	93
PID 4004 wrote to memory of 1688	4004	Lphfpbdi.exe	94
PID 4004 wrote to memory of 1688	4004	Lphfpbdi.exe	94
PID 4004 wrote to memory of 1688	4004	Lphfpbdi.exe	94
PID 1688 wrote to memory of 3324	1688	Lcgblncm.exe	96
PID 1688 wrote to memory of 3324	1688	Lcgblncm.exe	96
PID 1688 wrote to memory of 3324	1688	Lcgblncm.exe	96
PID 3324 wrote to memory of 2128	3324	Mnlfigcc.exe	97
PID 3324 wrote to memory of 2128	3324	Mnlfigcc.exe	97
PID 3324 wrote to memory of 2128	3324	Mnlfigcc.exe	97
PID 2128 wrote to memory of 2072	2128	Mdfofakp.exe	98
PID 2128 wrote to memory of 2072	2128	Mdfofakp.exe	98
PID 2128 wrote to memory of 2072	2128	Mdfofakp.exe	98
PID 2072 wrote to memory of 1336	2072	Mjcgohig.exe	99
PID 2072 wrote to memory of 1336	2072	Mjcgohig.exe	99
PID 2072 wrote to memory of 1336	2072	Mjcgohig.exe	99
PID 1336 wrote to memory of 4556	1336	Majopeii.exe	101
PID 1336 wrote to memory of 4556	1336	Majopeii.exe	101
PID 1336 wrote to memory of 4556	1336	Majopeii.exe	101
PID 4556 wrote to memory of 4236	4556	Mgghhlhq.exe	102
PID 4556 wrote to memory of 4236	4556	Mgghhlhq.exe	102
PID 4556 wrote to memory of 4236	4556	Mgghhlhq.exe	102
PID 4236 wrote to memory of 4720	4236	Mjeddggd.exe	103
PID 4236 wrote to memory of 4720	4236	Mjeddggd.exe	103
PID 4236 wrote to memory of 4720	4236	Mjeddggd.exe	103
PID 4720 wrote to memory of 684	4720	Mamleegg.exe	104
PID 4720 wrote to memory of 684	4720	Mamleegg.exe	104
PID 4720 wrote to memory of 684	4720	Mamleegg.exe	104
PID 684 wrote to memory of 3792	684	Mkepnjng.exe	105
PID 684 wrote to memory of 3792	684	Mkepnjng.exe	105
PID 684 wrote to memory of 3792	684	Mkepnjng.exe	105
PID 3792 wrote to memory of 2648	3792	Mpaifalo.exe	106

C:\Users\Admin\AppData\Local\Temp\af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe
"C:\Users\Admin\AppData\Local\Temp\af45434a310a6ee2a00499f6e0a0d9658484dae68c0b6be10fdace28ad1e1efa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\Laopdgcg.exe
    C:\Windows\system32\Laopdgcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\Lcpllo32.exe
      C:\Windows\system32\Lcpllo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 400
        37⤵
        Program crash
        
        PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3992 -ip 3992
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
94KB

MD5
478a2aeb24434ff055d26fdccc35613d

SHA1
9fbafb1d9cbde81d2c45b374008ad51b55caa7ff

SHA256
8e7bf845cab66bf26c35723456ba26586f68b7fb9293d337be161c18604806e9

SHA512
acf4d62bc5607c481d3867f9661accbf6b6170d5a4fe0328739525b81e2510a3fa0d487e4d9fa9f6056bbe92e29b360e48ade4457c1617631df514fc259fd42f

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
94KB

MD5
9184370ed73e8d5e2f542a5449dafb17

SHA1
08693661d61a4a75264b07b40580f85d8d5417db

SHA256
0c1ad9649d73985cf7d4d7fbd1a0f270cd6a14db01abff427fe378db45cb7bc8

SHA512
97574999032977f4d5779162b008a0084e92b8c39fc0ba7daa0d526bc2ca842bb0d1752dbaf80cd846eef5a8a8b41baa38220f82f426faa71174b825bd0776b7

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
94KB

MD5
e2bdc6688712724263d8ed4793eeb886

SHA1
1e6a6ba8b658f700ca952118e4063b67c2828cb7

SHA256
678a7b07432a780484cb9aabe0f620af276553b4053a48964e2f073f128aab0d

SHA512
733a27d058f32a0e1f7874b9864d9923698e5c91fa8540dbe14ea16991ca0d241e2e384cdc8cd8ee1f5b01a225123cb4751fb7be2a465c96236fa8df84b69c0d

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
94KB

MD5
bbcfced97ef75c0159f5119a06332e86

SHA1
d632a5fda27b2da3357eb10141b41d69ee07444c

SHA256
ddec713a7fc077c9f61abd43ab818e98caa8de2c51915ba39b634e8acc051ad8

SHA512
b70d1130c4e103ff4980b4e58aad10d6f55d2048966b5ebb3f38abcdd3f139d1b4ee3254024d25a03be229be49c7bb140f809352143fad1c38d4ed80df724bc1

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
94KB

MD5
bd0c1aecd5723928c75899a2dc26349a

SHA1
4c08ee9a9a3f10de1f8da5dd8bd820d2b21c570a

SHA256
14bf71a7a870045cf0550689d7f52e3691fc5d2ba0035e95975b39acf0c443f3

SHA512
7038233f9ae98b7fea6ece9b00ee80a9ca392ddce5ef54009c91a490e1db641e2e6d4545836731dba8951d3f29bda373daba8366ecc29353bae755d8755b7c85

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
94KB

MD5
5b8214705a1d88e675c867ae043db6d9

SHA1
437ee51f4940102ae59ccece37dcc685ded0362e

SHA256
dc890233a9dd4e993449121a302d911b22afdd66bef3cb68b012a8b667f971d7

SHA512
0bfd73da58ba26390d3758450031301494e33dfb3ac571f7d1cdffce6a50d334bac68ffa1ae81c4607f596e4bab384f4b3e69bd292934ecfb396dcc668dbbfa8

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
94KB

MD5
4f4fa09ce710bdb2e186535dae8def16

SHA1
5122c1e8d093d70ff016993742af9d5940619858

SHA256
5894cd2ca123f4d8b752118543a8f1bae66076cff89c0351d7e49642c8e91b5c

SHA512
11339de8c08612c331efeb2001d7fcc41a49ab08981b1d6c618e8d0f3c3861c150823a98a3dccf4557c2693f126dacf9780571c2452e54fb55dd127bf5f1a490

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
94KB

MD5
51a3c3c02005827237f17012f2f03b79

SHA1
d474e3df59fae467ca384e107885330df15bdcd8

SHA256
1dafd3adcf30ea092bb33eeeb4091f4977e1cc89bf17035880baef12539533c4

SHA512
d530561ae96cdd237429192b0091b7b104df086bde206256243e2d0a801335ac4e572e07010c0b197cc67432f375ad68b2dfe3bbfcc23dada28411a741cba1b6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
94KB

MD5
98dc9f8e0d21a216260d591fe1e8c7b1

SHA1
e492b6748c7a51348769d2c73bfc5fe17c1ff5de

SHA256
c440bfca177b69df97c9e91f9176a4f24a80473dee27fb071ecfc95932c685f4

SHA512
e9ee2ae7b63f0d481428c32c437b98e8373aca45258369c1382761b01ba815112abde33f98f69fda48ab865a4de1dcad9467fdcc72dbb1524025a3725ea36696

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
94KB

MD5
e0fe7e0fdf6de594cffe8aa4701db219

SHA1
456fba7b61100ba1bfad8ff8424774d91b28d06f

SHA256
1910e2d4ca737fbf09312886078efd3599c69f42d00ad6e0f50d96d86815a382

SHA512
9b7a82a9763ff5ae2214011c76fa3e2fd237f5e37fe18914bf0b41f56e5435f5dbf4522eabdec672a1e8fb24b2d50766ca155d9e707eb87c08fedfa998fe3a4b

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
94KB

MD5
b77dd10ea24ce7e99006a04a27257eb5

SHA1
5daa9d3b66508c593d0243f668828b24294c3e9b

SHA256
5ed8cae08834c48bd0023bd0714b430811eaf4144a2a8677540684df089a9fe4

SHA512
4e41d17f4d29643d19796ebb33aa6b6971e3bf7875f84f5ad607fe754f87085daa058e05fc6a6c2c1c8f20b0e687446d1a3e800235f33a98aa10f0b22fb3f671

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
94KB

MD5
e754e560817081377e7c9dc34ea23b63

SHA1
b0a5bbf45e004e1e551ddfde6791f166b31188a7

SHA256
891310505ac15a3c68641f755689d937c64d8481defb8d1e8b9830d528488491

SHA512
595684d7a4ead5aa4f8e62687ffb6b7c1dcb065ba8a2f50efc308f60743c9be7503abf6968dc0d578cb8d51cf99085f181748732e1fa6061e5d0fc0ce788bda1

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
94KB

MD5
0318913c81f91ae4b36c7ecc269dcc44

SHA1
f0fafad0cffd60ced81aeba77c05734d7e97b6aa

SHA256
2b5026c5c941b1cf16d89107bafbe145c1db55be48c9db02bfdac7ed775b800f

SHA512
1f16021459d4dbe18e1354e3d988c5eef9af0811e233d5ab04edbe40f6754dc5679b530063f9b04319e2307b9ced8e8d9cdba9ac2df33b328f1aaac36f940ed6

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
94KB

MD5
c1265e90551fa2eb45f1052015424004

SHA1
b3b35ba7e5430eefab1a0c2ad4ac02ed21ef1311

SHA256
066bae5d4dcb5142f4c5a884880ac8b80b80332bf803bff3a167cfaf23f796d6

SHA512
65f625929bc4711c138576547ee986e7ab87368c57d48b0155cb0697396f50a1f50ebdc07909386dcad6597afcbab171608d4f03593651605e83b7d5038fcee7

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
cb11ea2dcaee6d372fdeecefa70238e3

SHA1
160bb260227da6e4f848d26a86e2b16554d8cfba

SHA256
9dda6c67f8642d2b5b6089edc98eba7f98cc863b445e2ca942b3b37323b8825a

SHA512
8687da3976e78b5dc4c93ca1b953a2dc545809fa3dc966687adda7707b45f30740411a90fedb50d834ebc638a70a9237113b09356b3d676e976c5cb7b5de8d9c

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
94KB

MD5
2def9da2e8f1b8470e3554f725566a66

SHA1
d8a458be05eb9c9571698abe43bd4a3fc2d481b4

SHA256
f92441b4be7a1ab8eaf95e423ef4dfeed1a5290fbbe94f48d72a4b88507b0d7a

SHA512
9fd974d5d74e9810bf3c9d3190602fd8236adf7a4cbe3dfd06796b14baa4df6a1cb59f7493d48749faf5271dfabe9ce2bb709768756a6b1a29e00dcc823a2cff

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
94KB

MD5
6ff3e85cd51ea71bf57e48910e12ef7b

SHA1
a6eeb63f3a9cc732ebc3bf3a4ff0becc683cd36e

SHA256
8fabafdfcd0463535fb5d95ecdcbd49c38949aaa7b4c216366e9604020ced082

SHA512
0ea9944d9b519fe626f6b294c84fc3d59e55e498821adfb081ec92521b126d76cb193ecb8321748440170b3cb38bd016c8f493b8d58054cd1321d454aa9bd14b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
94KB

MD5
8325fd8fcb33b88535e59e3a9e597036

SHA1
3149281c2a938acbf73384b3eb990de622ccc05b

SHA256
3d0160b1b8246b70942c9329a979081a77c177c9014dc63a6eaad51213e825f1

SHA512
caa730a695d9d323dcf7457497713bd00bc1c9b0a1c0536dcead7e11fa52e4d7698722682174f352dda7a69d7990914df8776be60724fc8c3d6775ed0da95d1b

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
94KB

MD5
621c95303312fce103ddaa49234e7e35

SHA1
9d88e8ea267f06f91d0627e0a4b0028ab8db4142

SHA256
f97c6b87e0864fb4cb33f6e8b3b6df90f803785a2510daa4fedc557767c7511c

SHA512
fc08efd83a052f159c89d22d32ad3ae4b8500d7b9fe4c4db3e3913e82f60509db81731119dd24220b6c06dfc4e281b35096d36e451cc605b448f8ad0fa3ee69d

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
94KB

MD5
a7308a1954425fb7eddfe4a06807df84

SHA1
133f229ac8d8fe6e05f68b4faa6b357f209878da

SHA256
996e41eaada48103900f990f4386db645e688441ff22468f4b67a8435e495ebb

SHA512
c83c2a5858073919c62e09a0f2d0acdbabbcb01847f48115b4fa39c525a538ce5aad0ecfe8814fc3a686299276f7fe95373f86dda05f0808b470d1e2408e703e

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
94KB

MD5
8e8d18a47e6139b89e25c495e0b8894a

SHA1
30407aa08beee91ecce7b44cd8a3870dfbab3436

SHA256
575ec25d245191136a64e1b78391cd321b77c871c7b9591b4fabfaf07d30e230

SHA512
70317b8d989d8cda5cab53fad359ad20dc14ed5e2041c3333241c2f304bd674b68af06b95d016767fb89ae5c85d73e0f6a7ea893c23695469c040b9520ea88e0

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
94KB

MD5
cf8dd556a5d4dee44b8bf3b777d51ee8

SHA1
9a717893649a377930eba5aea517b213a7f26439

SHA256
82beb0bfe3d527a426548d7b6fe7206d052d7fdb48e9c806642b72586f5597bf

SHA512
189b5f0b93dadfb4e7a74328fb2311a3d8f75bde568638fc95217098b9df2ed4a9b9f59b96fb1e01d3a9ad95e4a0c5b703281e01d8b5095c0b04bc98ea13a8e3

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
94KB

MD5
45a99cf6f2da071a2a2f5bf957b5231a

SHA1
2ec893e99d8a3c5b0a317d114b719fd88ad1b4b7

SHA256
4daa6a001a94c67859ca820ccf2a1d5b41fcf98e01e098711c52439bee999e19

SHA512
b186625622601ab637f3ae568e5bffb2718da9b6b186561f7b1a0806a67df01f1ceb727bd9f0ce015852e411e4a37958163593ef7e534ee4d27df5fe05cce3d3

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
94KB

MD5
09f4e60c43366b6d1a4be2c5b45704a4

SHA1
50f727847c6a415e753e52857cda4356a0b71ebf

SHA256
4df73340c71fab437b25c74572d893e7efa86062ca88a84bd84d2611c429be17

SHA512
79ee600504d6f6cef72e804de561c64c80db2cf6f14921a277864d7dac73d59ef448da8be118d4dc296d1c3eaa9887d6395ec0d4e4b299bb436e6f0c7630d47c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
94KB

MD5
90bfe6f1b45357de40973d561ed0bb99

SHA1
1ca3c5962a3ca7c62bf9e282bee01e4b37c4b92d

SHA256
078684dffabdfecc8a2f1915b0633f49361ee7fd2bd033a8b4b46d1b0aca0607

SHA512
cad2094c2a9c9ad41c3c01f642c934e37c4c9981b334d26306e1605813c2706366e64f21ef609bb65d4bad78b0ea00f787fc6fa17e30cc85c921b9e114092a93

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
94KB

MD5
0d9ecec2c890451393dbf8fd2ce77c5b

SHA1
b5f7183a3007f10f01b3df0c752baa7964a2e54a

SHA256
77fbbf9fd38670ec09911929a129d94d117d5846f4835a2065d558dd1d7b111e

SHA512
6095b84ab4249ffda9a54768ac87f5d75e1ffa2d724101f94caaa2b88b2cf4215b33e451d9d9963bec36e9fb0744076341ae7c3f41b1f85760cfd90188413b3d

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
94KB

MD5
9936c470d7b91fceb07975115357f2b9

SHA1
4afbb73de7a211600fd3e9aa0f43c2131311172e

SHA256
1b1f4930f53d2108189be3f1ecee2aaed34103054e8747dea193a9c82e7312c2

SHA512
6befae98e679944e4687b39fb6ceec9d9223220a68107a55526556330b9b9a3ecce650b4b5fddd50a454e271b14772b49e7e245dfca9236596092effdf9c598f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
94KB

MD5
d5289d7531512880e8e75d9dc4bd49b2

SHA1
af28f5c5c0af3f5e990e07f08ddf3d35580c65cd

SHA256
4a0ae7e5eafd59eb82cb0fa8c67314454b77ffe61e11393740aff4673c541cb4

SHA512
2e543163a93a4f1ae918ca9e32b27143589ecfa856fb34e8ae257913912b6e5305cee9a8f48a344783bd5bae772ebb64f695c15fc2eae5017789f0bb6c4ee0aa

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
94KB

MD5
4e4c318b5458a287c97adc906f5f9cc4

SHA1
a5b4b6eca063e7501a6a85e0b21ce52fd9b92e18

SHA256
e4a6b420f531c547cf1219f4b66b35aa46950455e364904785c78570cf9569d3

SHA512
c9942f4cdc03eac6d1f2029606b4513d210f4b16968c8f4f962627d9c8416d072d4c0b802782831af97ce1165a28f207715e29e815042c99e28f179db00b0ab9

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
94KB

MD5
f44a189ab213096e668476e04eb53a87

SHA1
2080a707030fbcb945a4ec966a7311573dfd3dce

SHA256
5134189a9f187b966b5817ec864ce2ddf0164ad420b5cf215a6b53877ea7189c

SHA512
e0777f09ca4d036458b77c5b66ed983072947d52e1d43ccee8a8a7270586e122327c6c53c49eb3ea3f9229dae7676ef0713b345af4f68cfe828c38586be592ab

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
94KB

MD5
094501bfec4d37715a0dc8bf336206f4

SHA1
e5c1315286a7d5e858ff9c6d50584748448706c2

SHA256
f890b88680ca4c9991584fafa6200778d1491d5d4e3d4ce986732323b73d68a5

SHA512
27ea9b978342aca8edcd3192f67839a40eb3e2ef28aa2127f166412e89a04e73b1b4665f30f68e3ec057535fc4dcbf15f85c38175193bb9f3acda67d5498134d

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
97024149281e19deaf2b36571bf5a186

SHA1
7716597f0e7a0f4232dc5b807a5c992839ecf680

SHA256
3e8f2d15145221fd3b8fd2b84d66adbd6d29d9e55e139ebfc74d16d88e7bc7da

SHA512
5b91339ba6bfdd8ebe040416c09d91b4150684f2ba9897392f211ffcaada7abae1d9fc07162e99ba043b3081971659fbff6a42a76cb6c31a944bb626629634f5

Download Submit
memory/684-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/684-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/924-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/924-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3164-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3164-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3976-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4524-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4932-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5040-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5040-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads