c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6

Analysis

max time kernel
62s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Size

362KB
MD5

fcf12ec761e351aa240d116378099060
SHA1

cc628e9a815e2ce988d43983fda7f01a56721906
SHA256

c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6
SHA512

4e4caa0ed04e9dafb24c27211b139492425887a2cdb520254e27c0b383e2a09fabcf661daa0e6e1b61a76b3d36a0e83eca7719ba170c87cf9f753759134e8109
SSDEEP

6144:dzXhttGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZxriEldlP:dzjtmuMtrQ07nGWxWSsmiMyh95r5OPGf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe

Executes dropped EXE 40 IoCs

pid	Process
4404	Kkbkamnl.exe
1420	Lalcng32.exe
4748	Ldkojb32.exe
428	Lmccchkn.exe
2820	Lpappc32.exe
4700	Ldmlpbbj.exe
892	Lnepih32.exe
2764	Lcbiao32.exe
3128	Lgneampk.exe
1736	Lilanioo.exe
1212	Lklnhlfb.exe
2204	Lphfpbdi.exe
3720	Lcgblncm.exe
4724	Mahbje32.exe
4252	Mpkbebbf.exe
1652	Mgekbljc.exe
632	Mjcgohig.exe
404	Majopeii.exe
4632	Mcklgm32.exe
4920	Mdkhapfj.exe
1732	Mkepnjng.exe
3788	Mncmjfmk.exe
3036	Mcpebmkb.exe
1888	Mkgmcjld.exe
4308	Mnfipekh.exe
4120	Mdpalp32.exe
2212	Nkjjij32.exe
4552	Njljefql.exe
4148	Ndbnboqb.exe
2556	Nceonl32.exe
4648	Nklfoi32.exe
636	Nafokcol.exe
3444	Nddkgonp.exe
872	Njacpf32.exe
4508	Nbhkac32.exe
664	Ndghmo32.exe
956	Njcpee32.exe
5080	Nbkhfc32.exe
2068	Ndidbn32.exe
1400	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	1400	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4404	4348	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe	83
PID 4348 wrote to memory of 4404	4348	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe	83
PID 4348 wrote to memory of 4404	4348	c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe	83
PID 4404 wrote to memory of 1420	4404	Kkbkamnl.exe	84
PID 4404 wrote to memory of 1420	4404	Kkbkamnl.exe	84
PID 4404 wrote to memory of 1420	4404	Kkbkamnl.exe	84
PID 1420 wrote to memory of 4748	1420	Lalcng32.exe	85
PID 1420 wrote to memory of 4748	1420	Lalcng32.exe	85
PID 1420 wrote to memory of 4748	1420	Lalcng32.exe	85
PID 4748 wrote to memory of 428	4748	Ldkojb32.exe	87
PID 4748 wrote to memory of 428	4748	Ldkojb32.exe	87
PID 4748 wrote to memory of 428	4748	Ldkojb32.exe	87
PID 428 wrote to memory of 2820	428	Lmccchkn.exe	88
PID 428 wrote to memory of 2820	428	Lmccchkn.exe	88
PID 428 wrote to memory of 2820	428	Lmccchkn.exe	88
PID 2820 wrote to memory of 4700	2820	Lpappc32.exe	89
PID 2820 wrote to memory of 4700	2820	Lpappc32.exe	89
PID 2820 wrote to memory of 4700	2820	Lpappc32.exe	89
PID 4700 wrote to memory of 892	4700	Ldmlpbbj.exe	91
PID 4700 wrote to memory of 892	4700	Ldmlpbbj.exe	91
PID 4700 wrote to memory of 892	4700	Ldmlpbbj.exe	91
PID 892 wrote to memory of 2764	892	Lnepih32.exe	92
PID 892 wrote to memory of 2764	892	Lnepih32.exe	92
PID 892 wrote to memory of 2764	892	Lnepih32.exe	92
PID 2764 wrote to memory of 3128	2764	Lcbiao32.exe	93
PID 2764 wrote to memory of 3128	2764	Lcbiao32.exe	93
PID 2764 wrote to memory of 3128	2764	Lcbiao32.exe	93
PID 3128 wrote to memory of 1736	3128	Lgneampk.exe	94
PID 3128 wrote to memory of 1736	3128	Lgneampk.exe	94
PID 3128 wrote to memory of 1736	3128	Lgneampk.exe	94
PID 1736 wrote to memory of 1212	1736	Lilanioo.exe	95
PID 1736 wrote to memory of 1212	1736	Lilanioo.exe	95
PID 1736 wrote to memory of 1212	1736	Lilanioo.exe	95
PID 1212 wrote to memory of 2204	1212	Lklnhlfb.exe	96
PID 1212 wrote to memory of 2204	1212	Lklnhlfb.exe	96
PID 1212 wrote to memory of 2204	1212	Lklnhlfb.exe	96
PID 2204 wrote to memory of 3720	2204	Lphfpbdi.exe	97
PID 2204 wrote to memory of 3720	2204	Lphfpbdi.exe	97
PID 2204 wrote to memory of 3720	2204	Lphfpbdi.exe	97
PID 3720 wrote to memory of 4724	3720	Lcgblncm.exe	98
PID 3720 wrote to memory of 4724	3720	Lcgblncm.exe	98
PID 3720 wrote to memory of 4724	3720	Lcgblncm.exe	98
PID 4724 wrote to memory of 4252	4724	Mahbje32.exe	99
PID 4724 wrote to memory of 4252	4724	Mahbje32.exe	99
PID 4724 wrote to memory of 4252	4724	Mahbje32.exe	99
PID 4252 wrote to memory of 1652	4252	Mpkbebbf.exe	100
PID 4252 wrote to memory of 1652	4252	Mpkbebbf.exe	100
PID 4252 wrote to memory of 1652	4252	Mpkbebbf.exe	100
PID 1652 wrote to memory of 632	1652	Mgekbljc.exe	101
PID 1652 wrote to memory of 632	1652	Mgekbljc.exe	101
PID 1652 wrote to memory of 632	1652	Mgekbljc.exe	101
PID 632 wrote to memory of 404	632	Mjcgohig.exe	102
PID 632 wrote to memory of 404	632	Mjcgohig.exe	102
PID 632 wrote to memory of 404	632	Mjcgohig.exe	102
PID 404 wrote to memory of 4632	404	Majopeii.exe	103
PID 404 wrote to memory of 4632	404	Majopeii.exe	103
PID 404 wrote to memory of 4632	404	Majopeii.exe	103
PID 4632 wrote to memory of 4920	4632	Mcklgm32.exe	104
PID 4632 wrote to memory of 4920	4632	Mcklgm32.exe	104
PID 4632 wrote to memory of 4920	4632	Mcklgm32.exe	104
PID 4920 wrote to memory of 1732	4920	Mdkhapfj.exe	105
PID 4920 wrote to memory of 1732	4920	Mdkhapfj.exe	105
PID 4920 wrote to memory of 1732	4920	Mdkhapfj.exe	105
PID 1732 wrote to memory of 3788	1732	Mkepnjng.exe	106

C:\Users\Admin\AppData\Local\Temp\c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
"C:\Users\Admin\AppData\Local\Temp\c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\Ldkojb32.exe
      C:\Windows\system32\Ldkojb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        35⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 412
        43⤵
        Program crash
        
        PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1400 -ip 1400
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
362KB

MD5
2538bb87e5ed7600742b0edf0e0c11ae

SHA1
d61d26c9b38fe5658bdcb708691462bcc9c2faeb

SHA256
e6fb3af70c6bb2e1b68be37bd9e2f5709bbf9a676cb3f1cada20727800f0c317

SHA512
11f9adb69d3908009bee4733a82901c027ca17c36f0973fdd2251cdce5e7b3d15c35d2936caa45e8b60e41fbc2a8f216dc4848037d66712130b1a6602663b061

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
362KB

MD5
65caa417427994cb895aba0416b61179

SHA1
4c535b4ffd939b67873a45adb01f8134f1395e3a

SHA256
a2b474bc60132d9f0ad4fb89b3eb259ff35cab92899aa5531c0327cd85db2ca9

SHA512
a30d2492f55e91d318ea8c067626fad4aca7308cc5e67faced072dd61a5c35c278ee146a830ae09bfdc831eac817232c909e88ac46306238871b9642102cda88

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
362KB

MD5
750913a503dc8d16c175a98253871e60

SHA1
87c21b98bc9836be3cb60fd2407a31bfb8773dcb

SHA256
6951548151d3bb2d129deb8b535014ee3a25b4d0804991043f75b7865d701a91

SHA512
18dc1ed9ae853d114b0b78052a700475e4a269edd6b0b48a08b0a2e34065584535c748f58a8c15b8e1442a5a4e850c3703d9bf322f6ec768d6430da08f767d1a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
362KB

MD5
a4bf5cb53a2009acc60e24e19e1a6db6

SHA1
36d8805c9774fda2a860eae9d39c298068c2b835

SHA256
4a0714af19534406fd1c11eebeee27ce6ef6e2e2e330e1fcb8d67941db03d8e4

SHA512
34d377600ee9af6e5378b2b6fec9c77c7b16d2eff161ab72c1211fc1ad4c1e8a1c708788d0e26b855ec42a6fa6601fb27b4df0eaff36a65308d7f7b085fb8350

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
362KB

MD5
c1a2f51f470e1e32608f3112ed56f020

SHA1
8610e14dde9f32b7b1fff664152610973c32a1fa

SHA256
254ee58db867a495025f9c128e9e4a1ce3fd6c32b4bcc61f06452e1cde1c736e

SHA512
25825a6b055a46b31ac146b65589e2049bed0fe4ff94a7a841bb8566cb91bff4a4b5c410f7bcb4cfaf8fa2a9cd7ca3e6eb61aec03370e42bd0ad7f0efe16b88b

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
362KB

MD5
7c7b038c3d6913988bea77f1bdb55026

SHA1
7a0d5f9ab4bb8102557d9d80634f8990835d5f7e

SHA256
b761ccb0d915a7743d46a70d00d3b5948b53de53b972a426b148983168e95bd2

SHA512
c964d183c4af7c2608be51608a50673e83a534b178a9d8c8656c64348b7769f30fad32cdcd4c981ee8311f5912c54772defd7ecad8c8f7a1469e1aaca2bd9322

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
362KB

MD5
e0f124971e0c5a754f215fad7fbc30ca

SHA1
51aaa559a11275beda7d2149f5ec0902941dbe75

SHA256
679006d44c49391073fc7b65efb50f49c9a9f20721bff55030e7adc70539bf40

SHA512
38f797841973a44ee0cb2753884ba32b0c4bd1086774b2454809170fdb43ad6de0d6c625cb6887fe35aee51288516366329f5769cdc20a10b68e7523a3022a82

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
362KB

MD5
1160a4703dc344d8bad28d100e4ee0e9

SHA1
d99e98135e58cc1f0f8f115fc3b59f8757119783

SHA256
4bf36f6f2bc2100ebfa25a11e2a44d07e39eaff01c19c04b3368d919ab11dd12

SHA512
0eb9d124ea4a1f21a125fd6ace6a7f148af1b00e8292562e09903424350d94276b4b943e1f0ceddf779a8031336fdbb29f23653178ccee1cdeb6edba93062005

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
362KB

MD5
ff6fdce5fe15b90eb21d7288e5879476

SHA1
82a0e2a9fe0c3dbe1dc4b72c8f85ea448e068791

SHA256
a61402b208dbbc6f33b28fa2ea9cdf3f520815e8e9322426005e21328d81e7ac

SHA512
d00c96f5198d0fcf9b11221955e9f894e8482360537fd293d170a37ce52d2b4a3fe7e021c5437b8ef9b6d86d0c1fc03a7dd5b66310c37c3a9197121e4379ac15

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
362KB

MD5
9fa27f5cfbe17cd49054a56dfe62df50

SHA1
0d4dbeb022c5b6f843310651fc11fcc7df7b4b90

SHA256
23ae53df2da38314b3d1fd0610d93bb27c7b2ef88add401ce63b90feb2e4239b

SHA512
07f8f26e9217114899b752e73d80dcce6242cf8412e2b1bdffe5be031a9b2177ae1a87ba3847e3fa674e7d33d204713049d4b8b93d54a91d0c5b3ccd883abd22

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
362KB

MD5
1d00d4a4e93102d1cacfed920afb94d3

SHA1
24b9d6d8db51b09b9ed9e91264f6754303714804

SHA256
71a730bf4db160367a4205ae1c2a680deb14383648b3a2b2db739a584fc5e9c7

SHA512
82b24f94fd9713339cbd11a965183e96f563a3bcc6b496cde9f2858116ca0be283dfa5d94c2274d321c7a3d5f30840dbeb7c2342d880736e94a24995b4375def

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
362KB

MD5
15968502c443df62d2a17fc37a7576d8

SHA1
92f4221a211416a337cd695e90b2c37f81a1280c

SHA256
31f103001d42ffca980e094dc69a33cdd95fc827724359e77a403baca0335aaa

SHA512
8d8475bb15dccb6bdefd0390584c99dd87a65d8e1d28371bb20524cde650aac0798f7a63cfb09e2085a595313c5862ff170d9f519a269b4d0e5757386f7a3f43

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
362KB

MD5
6b0d6921a828a6f7596649cdf7015785

SHA1
895e89498068ee7a686a8920adaca87129c15a2a

SHA256
fde24d212f29aff770dd922270fa0c66d2923f6a9f87344c67261a01885c59de

SHA512
01a2fc411e2aee8a5df24e7fb60dcaa57114071d7235c4b70d9fdc94d152046f5d916ca01c6310c22fbfa4d4a27984b553fe1f2ef60409b769bf9315bc8e18d0

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
362KB

MD5
479ebc26deb47d0e4b1604056cfbbb02

SHA1
771691037211c91617fc40d759586e9edaae439c

SHA256
e5e8b4d2a4f497373cd30115d0abdfa6ab35986030be74b75eae8ba9c6f011c6

SHA512
13392b956c298a24e8baa4ebf8cc72d1fb89e3630f9857fbc23d2cb0d5944c8d49ea75da1cd668ce8ded7608e23bac3aeeffbafda71b9c1b11da0e7aae9913d0

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
362KB

MD5
991d42783ab9a72ed24df3ca08d25707

SHA1
5bfb24b0cff1af33e7d6cb5677ee9e2c723cf14f

SHA256
c385a423b62454784e8a0187e7ae75ce25372ba01bdc73598718547ca8275ddb

SHA512
1fcf59cbeb9fe60f8c5fc3dc85565c55c27d5cee6b9ccf028b265bd9bd180540a607aeffb752588ecfa7d1b17f03456c347dcb5a2885eb76ef6119b389c716d0

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
362KB

MD5
d3c8874ff32d6d4a4fbcc753928511a4

SHA1
fc11e20cd1b687e8254e43130785ea6cceffb65a

SHA256
fdf16f0adeaf78957ee37c37e0e71a8223262ccaf900cbbdeed5ec90dd3b825a

SHA512
214fef9ea1cfb2c5205da88197397d611225a171f2b435d5d33abd914910e447b8e2997f3698a8e25050914cb0429360c5e176898299d2599b390d5a77844581

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
362KB

MD5
ea4f902356b6ec794404ccdb7f5a807e

SHA1
86c4d0e93d9a1ccd4c7ceecd8a91f11d8eea85e0

SHA256
6cfaf97212814d9650d71969087191d7b3bf072cd37f1e977b7c14bfc7d6ed6d

SHA512
8cf3d47ca36a7953edef8c9d3e748445252df91a3746f0827987348d983c09196db68f26387b59d7b554cc330df6d82df1c58f4844e424f231d6ba43ce6cc6e1

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
362KB

MD5
286abf1cda8a287b43673fc825575bd8

SHA1
f8592a545a6c1a2ec231719cbdb73f9d6d22f986

SHA256
9e42b5b8a488eb6c107388bb154b39e3e3d34e7b26ede091158f62850aaa651d

SHA512
ad60a851db260c68591d520182229f4c28e9e6d8c29d65105e8bcb0fc755ba00d6ed4e4402d732ce7b82dda83007aba5abfee35bd3426ab877a6db07b5edf82d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
362KB

MD5
cc0d86a09ec16957007e302613050c64

SHA1
6cc5c7b5ece848724ccf0362e510e7757d8b6450

SHA256
6c1c6bcb3d0131accaf6577ba4e2a1b471f3b8e2fb980c7cfb6b44f5d7676153

SHA512
02e0d98150b0c4d42667df238b6919c653a8c4634402eb653aa8ac87ced62cca5c7ba27ca5a636094c9875a24b2067f0ca8e56580c1f123b280900b130a3c277

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
362KB

MD5
f66870fbf8a92f5049900efd9fed1a08

SHA1
cb49f1a4a919ba4e3fe3a14b2055e9113566af67

SHA256
e39e821c0132ff73b4bbfddba57134b76b3723a79927ee72d632e1959a398c5b

SHA512
c386d3a9ae7036c455956c9434db235eab693aa9bfa38734d7664f82da651426fb4ddc327fb3cdbb7b451ccabe984c8678ca4dcd8e193af901ea6c3f37a69a59

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
362KB

MD5
ad023f4519d25ca95ef2f76074dc3489

SHA1
b1522d425cd3ae9a05c83d86c87644bf52a867c3

SHA256
c19cf0fa9f4dbb7edec5d017738d9c3db7992ed0be0f317bba233969c787cbc1

SHA512
5ff1c257d9b25dc6ba2b113a667691e0b4228a0ff75d5c8e2657f3d52f13748d5a99db4bf7ca262daced6b109ad68a6a91391f266fe812f1b19f9445fd5ff854

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
362KB

MD5
4ff88106b493777ec2199f40d5fb7231

SHA1
c72d7b646ea3e86ea36b8b91267d363fc7e87032

SHA256
d3f98b09b40d31d5d4e5040b40af4e871a4849352db01383e1c8dd9a1a3ef979

SHA512
51b12ba773c3edcf26fba879c33ff6c808d316f102e28fc1e1c4bc94924427d813cbda8dfc8531458ca5a6421f23c556b1f0f4c775f3b7b1243146f03c138d7c

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
362KB

MD5
637abb559842513b19cbc9b8260d9d0b

SHA1
c35a5e5a27ab655f002fefee1b7ea340f67de00c

SHA256
650e4225cdb8a46924f9eed3a8b0d4b7578f884d2f9d193eb651ae87a5d63863

SHA512
1a746a2868719e8d6acc2b6586903c55615dcc2a021e344d54ff487129283f6a9f55448a92b685fdab2a03fcb39dbda65f042ddb91cadedcbad3d4b71bf9e1c0

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
362KB

MD5
c3c03c13e81eeb1a885b51ac627caad0

SHA1
b57813a6fa62727d0da20df54489f9966b0e94e6

SHA256
0701b738def878902726c8f9ad60bdaf54c5493a235b29ff82e6b6f4d2adfb6e

SHA512
3fc3cb969d4ae23813da50ecb28e0a62a835783a181e103fe88129ab0228545f3640282d21950bb1626749f0227bf92b38312c3a8ba686f07ca5ae5074340116

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
362KB

MD5
b5ed01a1e62d21857056d16d3c80be71

SHA1
03469c9d8d5ee9bba83244a76b61954cd0bf4c00

SHA256
bfd9450ef5930dd3b808986f8793591916915c19edf4fd705adaa874dd13affa

SHA512
991a2850f22886ded866138c922b5b7e29c132a029c3b76953ee5eaac3c14382fa99da0c0c9c8efdcd2428412f15f079108cb743e44a10a7ba3c9b67ede5f140

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
362KB

MD5
1be644098d41a83e6bcfa981a1f2e80e

SHA1
643b69a05dd55ffdf7541c69fd10736279a491ee

SHA256
24bae7f7da366e840c6df6c2aeb69f12ffaa96ea0ce86e198fdabded494b5eb1

SHA512
b6d0783afcdab91b4978cc56d96055fe8766473a1172fac9f60a1a73b09bf52d91622c220007128d65c42a5e225022e4a25ec7c4c3654f9428502355d8aa7b12

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
362KB

MD5
dbf03c2ff82a3f6d2f777cd86b74d3a8

SHA1
56e91e032f012ddceb635ebd15a2a9b8dd03d233

SHA256
48831c6da99b3d8ebd9f1bc30a35af79acce0280c314066e10fc2d912103ba85

SHA512
18774b4e91bb56077d35d19d4b46979255a3f1c5df1bca4b5bfd29793ffc6d0c27e11ae13c1fcb2680c3b9156c0dd85832c1a7578a90b48e5876a69a96d7b709

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
362KB

MD5
4f654d664aa869f815ab29c9a9be7d40

SHA1
7d29d95a871945967fe52ba5960aa985a25a1fa6

SHA256
614b02923e8fafc139ab32099608082d83d0fedfeee060980aef2d0f9d8f0476

SHA512
8484b1fa053f4a4a575575b32929e77d2de5f07bec965658e358153bc26685d26df451f6f06bc0685e69588c4345ff906a57de9a696d8deee927f0d224f56fdf

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
362KB

MD5
b9deef9a163411519c315e20223167db

SHA1
52adfe2f1e755e65c3310fe2644a2d0f82d6ce18

SHA256
5454cbaa3d498825121868119b489b0fd1a78647d4ff06a6056f10e353a7f590

SHA512
e32c1ba4390bdd5ac9fa1e60db9a8facfcd6beb4592fbee9f480006d55966f6e2f22076c0562c8403b3d0e89ca116bab1163663ae85669530bbeec9ccb3ac7b6

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
362KB

MD5
204f888d002fa627cc09d5d7148ee1a7

SHA1
535a333ab743ef1880e886958d10767e90117342

SHA256
cab680ae29313eaced6e1f42d8f58894c055536afd06e82d80ed8188f5294469

SHA512
d82a40e85ffdbd472250b5aef71ea4fba87ea75a81e9fa58d38b1627cb08fbefa3e391f30dd171f473788e8f811d98aa2b175e0ef85846ceed3f7a16ef75ae57

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
362KB

MD5
182ae1cd5319c1f66b998b1fccef8290

SHA1
b7c70e3869b0ec8cc316b2bbab50862265aa89b1

SHA256
030edee99e3addb89be444265599a708eca0a64d3dd80c629320f82a1d605125

SHA512
505f51f62938546b2a7a291b6132345bab3cdbb0fee07e21e16926b170a356716f87a8cbb8bca73323c9ddd676c33e5977c6992aabd791d900a9b618de75fd6d

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
362KB

MD5
4070273acfbfc72de6d0a51b820a637d

SHA1
ed8981c07ec3509e5358191ffce9a092245ea5e1

SHA256
b703080fc68131c35b4164971e4313e814aca2c55bd80a85ef758fca9793174d

SHA512
4310014815bb46c5175a78bc28a9b5981d9a1b0421d250630da7ae2573a2609bc82c16c7fcdaee581c51277560fbdc2b3ce551008031c702bc0e56241580c9d3

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
362KB

MD5
ce74d9a0438237e766eefc7fc7a6bbbf

SHA1
42a548886850e702c46da4894170c57bbf44d9ca

SHA256
bf4be37a98e1419ae46d7ba70dc4804f8b67c6c5739ea9449db75b78d1b42dd6

SHA512
7bb5dc47295f90d608e5c6eb58434207afd91b54fbb26e4a353eefa7a6ad43589f636f0c1502fe78a2d04784f0b0dac161ba7e571e9a1e9183c2f3a208644e1b

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
362KB

MD5
1f60fb8ba0ddf361002b70099428803a

SHA1
1d0801c6e30a4be205f6c84c01dc2649997c057c

SHA256
d0ab93f6298cc9cacbc7f4810679947f1012f5c7101c904a4c8fc95441022288

SHA512
0ef7fe5fe827dea1f9227cd1a51d95e1c9c43f5235e7e3e298085d67991abb7e388f1a991102a17d8173a8a5f3c9efb0fcdebcd652ab448491e7715b54095ced

Download Submit
C:\Windows\SysWOW64\Ogndib32.dll

Filesize
7KB

MD5
65f4f6f9eabe8165feed6b0df3ce7e79

SHA1
98502aac30ada1145eb2d395edfa7fb76a412e1f

SHA256
2ba0e545010b1b07922ca4618399ec267fbdceeefb3b25f503a14bf4ea0ffb52

SHA512
71d4e9cec384649a080f8cdd7714f97265e11b634819ed8e79f24953610c3bd356109986dc6333b56a328e363778e6ea0367eb18f0c5371499b6e22207a25f48

Download Submit
memory/404-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1212-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3444-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3444-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3788-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3788-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads