fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 04:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
Size

80KB
MD5

03566ccd1a25fee7545a15c0126c8f8c
SHA1

035f9243ac942dbe11ad9683aa085b62d54d9a63
SHA256

fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769
SHA512

51128b723ac82d1acc89ddf3f32e170c429fe5957f160492e6bfcd34d4b3387ad40a43a0a55fe5f55186ade73e536525a979cf73d137d71d77723104c4a53827
SSDEEP

1536:p1XsOXZv9+75m2fmVYac/U2WhNm2LQS5DUHRbPa9b6i+sIk:T8l7QoacyhQS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Executes dropped EXE 35 IoCs

pid	Process
4168	Mjcgohig.exe
1540	Mpmokb32.exe
4968	Mdiklqhm.exe
2640	Mcklgm32.exe
4428	Mkbchk32.exe
2140	Mjeddggd.exe
4632	Mamleegg.exe
1032	Mpolqa32.exe
1388	Mgidml32.exe
1372	Mjhqjg32.exe
3020	Maohkd32.exe
448	Mdmegp32.exe
2664	Mglack32.exe
4280	Mkgmcjld.exe
2436	Mjjmog32.exe
4024	Mnfipekh.exe
956	Mdpalp32.exe
4644	Mcbahlip.exe
4852	Njljefql.exe
4340	Nacbfdao.exe
4992	Ndbnboqb.exe
1748	Ngpjnkpf.exe
4108	Njogjfoj.exe
2956	Nqiogp32.exe
4416	Ncgkcl32.exe
4220	Nkncdifl.exe
440	Njacpf32.exe
452	Nqklmpdd.exe
3180	Ndghmo32.exe
1896	Nkqpjidj.exe
380	Njcpee32.exe
4524	Nbkhfc32.exe
3716	Ndidbn32.exe
4956	Ncldnkae.exe
1660	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	1660	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4168	2808	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe	82
PID 2808 wrote to memory of 4168	2808	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe	82
PID 2808 wrote to memory of 4168	2808	fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe	82
PID 4168 wrote to memory of 1540	4168	Mjcgohig.exe	83
PID 4168 wrote to memory of 1540	4168	Mjcgohig.exe	83
PID 4168 wrote to memory of 1540	4168	Mjcgohig.exe	83
PID 1540 wrote to memory of 4968	1540	Mpmokb32.exe	84
PID 1540 wrote to memory of 4968	1540	Mpmokb32.exe	84
PID 1540 wrote to memory of 4968	1540	Mpmokb32.exe	84
PID 4968 wrote to memory of 2640	4968	Mdiklqhm.exe	85
PID 4968 wrote to memory of 2640	4968	Mdiklqhm.exe	85
PID 4968 wrote to memory of 2640	4968	Mdiklqhm.exe	85
PID 2640 wrote to memory of 4428	2640	Mcklgm32.exe	86
PID 2640 wrote to memory of 4428	2640	Mcklgm32.exe	86
PID 2640 wrote to memory of 4428	2640	Mcklgm32.exe	86
PID 4428 wrote to memory of 2140	4428	Mkbchk32.exe	87
PID 4428 wrote to memory of 2140	4428	Mkbchk32.exe	87
PID 4428 wrote to memory of 2140	4428	Mkbchk32.exe	87
PID 2140 wrote to memory of 4632	2140	Mjeddggd.exe	88
PID 2140 wrote to memory of 4632	2140	Mjeddggd.exe	88
PID 2140 wrote to memory of 4632	2140	Mjeddggd.exe	88
PID 4632 wrote to memory of 1032	4632	Mamleegg.exe	90
PID 4632 wrote to memory of 1032	4632	Mamleegg.exe	90
PID 4632 wrote to memory of 1032	4632	Mamleegg.exe	90
PID 1032 wrote to memory of 1388	1032	Mpolqa32.exe	91
PID 1032 wrote to memory of 1388	1032	Mpolqa32.exe	91
PID 1032 wrote to memory of 1388	1032	Mpolqa32.exe	91
PID 1388 wrote to memory of 1372	1388	Mgidml32.exe	93
PID 1388 wrote to memory of 1372	1388	Mgidml32.exe	93
PID 1388 wrote to memory of 1372	1388	Mgidml32.exe	93
PID 1372 wrote to memory of 3020	1372	Mjhqjg32.exe	94
PID 1372 wrote to memory of 3020	1372	Mjhqjg32.exe	94
PID 1372 wrote to memory of 3020	1372	Mjhqjg32.exe	94
PID 3020 wrote to memory of 448	3020	Maohkd32.exe	95
PID 3020 wrote to memory of 448	3020	Maohkd32.exe	95
PID 3020 wrote to memory of 448	3020	Maohkd32.exe	95
PID 448 wrote to memory of 2664	448	Mdmegp32.exe	96
PID 448 wrote to memory of 2664	448	Mdmegp32.exe	96
PID 448 wrote to memory of 2664	448	Mdmegp32.exe	96
PID 2664 wrote to memory of 4280	2664	Mglack32.exe	97
PID 2664 wrote to memory of 4280	2664	Mglack32.exe	97
PID 2664 wrote to memory of 4280	2664	Mglack32.exe	97
PID 4280 wrote to memory of 2436	4280	Mkgmcjld.exe	98
PID 4280 wrote to memory of 2436	4280	Mkgmcjld.exe	98
PID 4280 wrote to memory of 2436	4280	Mkgmcjld.exe	98
PID 2436 wrote to memory of 4024	2436	Mjjmog32.exe	100
PID 2436 wrote to memory of 4024	2436	Mjjmog32.exe	100
PID 2436 wrote to memory of 4024	2436	Mjjmog32.exe	100
PID 4024 wrote to memory of 956	4024	Mnfipekh.exe	101
PID 4024 wrote to memory of 956	4024	Mnfipekh.exe	101
PID 4024 wrote to memory of 956	4024	Mnfipekh.exe	101
PID 956 wrote to memory of 4644	956	Mdpalp32.exe	102
PID 956 wrote to memory of 4644	956	Mdpalp32.exe	102
PID 956 wrote to memory of 4644	956	Mdpalp32.exe	102
PID 4644 wrote to memory of 4852	4644	Mcbahlip.exe	103
PID 4644 wrote to memory of 4852	4644	Mcbahlip.exe	103
PID 4644 wrote to memory of 4852	4644	Mcbahlip.exe	103
PID 4852 wrote to memory of 4340	4852	Njljefql.exe	104
PID 4852 wrote to memory of 4340	4852	Njljefql.exe	104
PID 4852 wrote to memory of 4340	4852	Njljefql.exe	104
PID 4340 wrote to memory of 4992	4340	Nacbfdao.exe	105
PID 4340 wrote to memory of 4992	4340	Nacbfdao.exe	105
PID 4340 wrote to memory of 4992	4340	Nacbfdao.exe	105
PID 4992 wrote to memory of 1748	4992	Ndbnboqb.exe	106

C:\Users\Admin\AppData\Local\Temp\fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe
"C:\Users\Admin\AppData\Local\Temp\fe6746565bcb4960b8d9bf828ba710f3c6cb4c4713b3262095e2782364593769.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Mpmokb32.exe
    C:\Windows\system32\Mpmokb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Mdiklqhm.exe
      C:\Windows\system32\Mdiklqhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 408
        37⤵
        Program crash
        
        PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1660 -ip 1660
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mamleegg.exe

Filesize
80KB

MD5
fcfb76e259a00b6f61ffc777c86dbf65

SHA1
c0e412f87f014ec19e5b170e996a643da5154b46

SHA256
54a901a413aa823230847237dd10e1da88d1e67cb7de2ec435286627ffa669b5

SHA512
3b5be00d4f45faa7a4ecf5fe26f78c73c3ba1c7c768af54af3a01934b6277d33cbcd4b00260511ef739cae0679735a9fbaafdbb82115f5619556353d761ae869

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
2f7a1ed3a3a2e715d1f519813e1aa8cd

SHA1
9079553b2ec02fa0336339b1d37645ac2750324e

SHA256
06bf9ccd23441e0bf4709cd40c2fd49859f5124b21fca5cd8263aeea9eb7da9a

SHA512
0533d3c7c0941c44600d4dfe1623ee98752bb1ceee05ff458d214c10b7003ca81b682613bff8e99170bc5c533e27e3ffc19a82fed50bbdb79de3cd5d4cf8e6b1

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
da3b20e7e150ceadafdbfee8f15a7c34

SHA1
81065affc18c1f21c487ce0fe600add3d069b9cd

SHA256
a85cc70a15769d2c99d72e687cedba6bd205e796d4bcad95d2914893c21fa50e

SHA512
9a222e2b2caedc677fa0ad18251901e701b4577056e2f26d681692f0e4daf13e8968220d3e6cadd27b38b39cf573ffc824925ff0af0c1749ce83c748dc84c6c4

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
80KB

MD5
d37fbedb5068acc4f7ed7bd4800b6ce2

SHA1
dc78ec24c7743a98f0fed3e086d49b19ae83877a

SHA256
27acf6f7938d018581175a60649b45c72695e8f86563af1b003b1dae67e0b652

SHA512
a6c193c4f86d3192af5d84abfad5a723337f8ac13d84e6c70ea54d826a031df2f72144f9ea79ab6fa8fb46d5900e4677073f0959b35a73014bc309518a10a3f5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
522db86e6ea30c1f9ceb58ceaccadf4e

SHA1
c62ea5d8b220647aecd6bacf085ee011e638a67d

SHA256
ecd27d609171872e42c6b8c1965fd00101c0c18eb79d23794970db190c69d0f5

SHA512
897dc449d9c624bd8ec34d7813b80f796b844038df144760fd57ac6a82b12bf9a302db407333cf8c527a9f2711f4563e2ce89e9ca2bf3ff9eb64e1a914c656f7

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
80KB

MD5
37e341a72f21ca9dbc71d452bc9b8092

SHA1
a8a6fcafdbf68cba0ad5d65d1534f4ce0c47891e

SHA256
731e09b4fa6f4623e17a3d2a81bde66db7f2e5a2457032ee4942d4b00d6f1297

SHA512
bcc688ac16184b8fc9474bf408a6a93ec120a86a13e32a1e21943d7f9541b79f1c36f36d378936ad0b500f6044fb933627b09a5a383c040f02293b9f97156f1b

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
80KB

MD5
08b3b910bf6a6bca132378c67cefc5f1

SHA1
105a6886addcab70262d0373e24ad0400d327956

SHA256
d505f25a86342af03955d2b5393ad63bc4a44bf7ebd9ddf2a972dd4b96140a16

SHA512
70ec6fbc331626d2117007159a7e10aa009d7c0356314db1f910970ded7600fc850939c42cef242da156134ec7f28246dc79ae1bfe5424d162fac873b87a0b62

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
dffe32384783189fbf0c22bd09170b7c

SHA1
f6c80a86aac2b6cecbfae5eafa65053851b5c51c

SHA256
68c1879cb1dfa7d82c5ca183ed911297ea7cc517be9c1d8d831fd336552d8efe

SHA512
a2e06b16ab9e856a85fb7e181ae43b05e91ad0580a98cc624cd14d9a5a87165b7d78d9d9df1ddb2844c00a922c41a8d42175c97b854a5e0aa0c87ed959d37fb6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
01d2590d787002ea9aeb23755d319069

SHA1
8882dad9ab41cd10f652c2134415a210b4de587a

SHA256
230b464522d5b478098c6c4ad23223d98f17c5437a172e1c056a1d1f4c7d772f

SHA512
3dca88e7ab807137a93c394d05585fc37628d0dde7d962ac95e275faf0db144ef559e1002ef5fdcba072c9ac43b0569187abfed3ecb48ce50dbf8223d29b217d

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
80KB

MD5
86150f1c9125a5843d1d74bbd4ff42ac

SHA1
e71712274f46b25758cf4f078bb039704103c4b5

SHA256
19f8d574af74132791298ddbc247107e1d2ffe18aa14db9b6a546936c1e95f42

SHA512
8adc5fd53179b2fd2479b0bffdb655d99313e24c866ce76578ec7f28f969136f67728a296077e5ed0df135d5d9241ed2a0ddb576ba8be51adfc49e9e9aa2951a

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
33982af7939fc6e75a4dc90f1e429794

SHA1
9cbdccdb86ff523a827266ac4406ebcf9aedd16e

SHA256
94b2813e8a3623c0af90de6e0ff47db81a95b6a7121d5c0f698e236e1f210835

SHA512
c550529814345417484f14938d59a9e7ae3f8a81f1f8c979156a226054e3152b7bc769bd27b98666b3e818388b9ee7ac690ceeac709e32f53e0ac439fcda0a91

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
80KB

MD5
1081755af681ced6156ecca622d471c7

SHA1
7a803863f9d2774ceccbbc50159fcff01169f4b5

SHA256
15f8d282f74844e6d75c67214f3cca4ce84ea484e78ddaa4fd758e92bbbe993c

SHA512
3e98dc7d1b48fa34816889c328d5fac0fe06ab3fd60b50d83bf914813f20d6b080c04aab0413ffffb2b1e99570899250c9d5657b9fee9824451ceb856cdcb831

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
80KB

MD5
1ca0c19c57d36131c102ba3e416f4513

SHA1
2684347a92af4aae1bd67a470d64f193e9fcb8ee

SHA256
6a90d6f5dc0612e36dcf74d129e63f3fe462708ee1b43fceccaa302a2b1a9164

SHA512
0957c2b7c918882f291d5e98d4a48d47237c7e4d622d6cabc3ce69686a5b2a14b1529ea9d1273c47f7ec72d4519e79d7c2ca8f6d4d57f76a0285a62fbe8bdd2a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
c467d16a0ed40ef2c0224be09684a5a1

SHA1
8d7db4047e60036023458f877bbb4de2600eb0b1

SHA256
745f75d654c78eb0c18ed0f3335ec5fb3652643129e13d8ed3194322a865d4bf

SHA512
56999d004345c720b0fd4c41668131796500fd050d00e8def3b77d5ae241207abc40c6f46fbe99b4e69cb7b03be48132a87af0c047495c20476067edf1c78fbb

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
80KB

MD5
30a8fb5f45edba4f7bcaef4e350859e3

SHA1
ea6cc111498cf503227bc6115a4b9a77179d338b

SHA256
67504232da8af33eca8e4a669ca6f1b0a6d68b6c248b399b0cb29e198eef068f

SHA512
790198ca17f3462b6b9183bf26ed1776c156a40f857c5ce07b56ac3a02743d26fc5ca554f7d61c34d68c4d670b4fe6e5593d219384d60d58ad728daeb95f1dd7

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
80KB

MD5
836c773554a52f7935a3db8072ae7851

SHA1
b8c35f111b68d8d2ab3c69860bd7bb970fb6f9cb

SHA256
eca1e368f7add1e92f575e310aede65cb996f0276e73d8d5d1dfc254bcb9413a

SHA512
ee18b543a8822284d0a6ec54cdf397c9a860c4661a9ceb5d1d2bb15c9e3f8abb4150c6c397d18f0eede08da8d275bec71a9a885cc8e05739d70eadcfcf9b43da

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
80KB

MD5
a922192e2df8d38599cbf708e0da5313

SHA1
be4171c29cd4b9d8daa7d439ed92e20ba46d99ec

SHA256
c3b747ea88901133aed21ef09a8a1d0ff6e6336585647ccb878ab5b8efb2a3bb

SHA512
57188418477f7658f0ffb59135a9a6a121316ed4ce2bd9e71824ceed9e9257dab85dec69ee152bba7d532f818ac691146172558bc7bf7ed543ab1c79b3bfd109

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
06cebb4f9731425f8d321ef4bf9f9f71

SHA1
0322649c4ca43adf20cc12a805b8748a9a71c9b0

SHA256
b3731eb6e867295499e20a94dc44fcfcdaade493b7fd8f447a5f8d2413913ab4

SHA512
667fcb334ac880a7896e2dfa32d0c541695535c044ecacd16e4db40a968a6e4540faf4891acafe5d000586add3ea7f91a71ebb06a459c55365b718bc26dc10f9

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
80KB

MD5
a696863505159a9b0766426a1d93df6c

SHA1
4df344780dffb2347cfbf6f532e93923b706a752

SHA256
90e2171c13ed06d3eddcd440e1a861ae862dfa4c18cbac67f00251dc64d33e98

SHA512
f5cb9c8a4fedb67e9829fd20884637e4cf6c7a9ca021ddac75b271f71c8241c8c58b33d927e14d40dc52ec15bb2ecf28bc1df194c721da637b851c35880dc02c

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
80KB

MD5
ae6523e454fd5317934b70bed208eacf

SHA1
e2be004761725c247d31524ceb5a96efe0e636bf

SHA256
6032748225215a3ad2f01b484e1ddce3bd571d8a2d51b8242eade7669ec465ca

SHA512
d3eb4e5ee616dad5ae2fbcfb8bc16c6f3cb0a7f376c8081272075dfbd702541b149f70534424490c6441030ccca73c5071aa2bb0ed9548f41c964525493e3a55

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
f1b36a81e06769775179161ad0b6d06e

SHA1
1b589fdb46153d99409222ac90e118361defe392

SHA256
b8ad8ccc388ec16b192d2dc91524c4d48467d1ec6a76063344aaf1c6b5dd1367

SHA512
bd6fa1634ff1bc9684614497d945aceec102d8ab525e52ebb1428c1305cc291dcbf0ce032c6f665ac505b9f553a392b66dd1a2a8bd45018b64241b355d5fb62a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
ad050b69cb3b54f55eb3b54b3afc029b

SHA1
ca8d864277299da66cc2e580ff0ac185ca72e9e9

SHA256
73ea41334d69ec074a682fabb4718c1ae254ffc19d4e48d66a1a3921eb87a66b

SHA512
21bde5d563982199142cac05268bf4aa900e669b3b417b893193bc094ff8f979758c7ed55da287f7009519f04a8c14d7b0b86905b4928b25b7f905f99febf6b3

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
e520335059fafd2ad256cf51b91faf01

SHA1
bee1eb3bcb8c5363047c6cba5afa9579220fd742

SHA256
f5fa997b9c6d390f4482ec1a0afb833734a9089a7985ee0e5e9717e362c1fe6e

SHA512
0725da057adcdf46088c144fc2cbd815a737c1fbf3248db651ad2266977736e2b9907347535018b203b88d571dd1f13754d7c1a86827c3fca2c6dccbe1fe0be6

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
80KB

MD5
81d56f786fb310d30a17971938b6285f

SHA1
ac52342010fb282e7e7f3c9de1258e4b763ab454

SHA256
da1bd291d000639cc8df7710eae4955babc5e1bea1980ec26c2182d3ba17a90e

SHA512
d9e0d76195e0ace446c25747ac57d0987d34fa8d3ca4ad5bf16e5833a0c6b308c78465b21c6c223d8376dab38a61c96c9f0e2d125099a4fa5729fa925bf483c2

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
80KB

MD5
37f01dbaac1c8be110d2e00f67a49fd8

SHA1
9651bde5521ee4fcce8f4e58c665f16342334a98

SHA256
34ae6c118899ded955bb37d7ea831bbcbd575aea29a1aca41bb4ca1bd4329d07

SHA512
9e5ca5b5663fbdd1cbf853767d2c2aa96d94b8cd6429c796fba1a61cdcc0a439ee88b1792d9b51a7a15655f63f67bec50f08f4963dd951193224bd9ab2a14199

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
80KB

MD5
066e2af0ff1311b6cd9682e0b5876033

SHA1
7755150f98bbf33cd9cd6ef060275933a31bf566

SHA256
30b3ad4997f799b7ae21d7202ee9fdf66bc3571577e7c33a4ee756bd8c80d980

SHA512
2d2b1d0d8b3acce2a1706c25556f99169edcbbcb5b844d54c185d5d7aa17beb42edbc0b37b2eb7f2554347a9124bee3c3efea7d7bb368e600afb56f18cde52c8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
80KB

MD5
e5457941cab77baf99e4210b80567f40

SHA1
b52c372fbc9d6f587bbc30f300053ac4a876a9cd

SHA256
ea305937ecdef5262ccf81f5535fae258a1b590fb80ddf4c3585cccf9d472cb4

SHA512
3aebc3a7596fb203b83abbca26445fee4cc2039004ce3eda3d7d2b71f381f7b5d865e7dfa88cf46f11f0272e7a1431e3e78e7109ef3272c848cf62e9f88da2b7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
80KB

MD5
3c932a97a35ef4f8022fe91d2ba692ca

SHA1
4ae24542895dbbb0367f981450f5a42af913a965

SHA256
133e0bcbe13a62e1345ec0f34c585fa7e82ec11dbc4c098e5e183329693b7a38

SHA512
35902e1e1cf40f6e02fb96192df1e27c455469747c93d50bee104a7ee7cf4939b4c49a6fcdefb3a0aea2a0f46f318aaddd0ab376b329916cea2d0a4fbc779ba8

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
59a0d242a9d1ac6c37a85760c473ff28

SHA1
d039018290b39994e8669e28798dff536af3aa49

SHA256
064c254148d489f87e29988bb986e78b903ef998d08b658b9b1b0d217c060b12

SHA512
7aa5c5d49e8cd771c2eada72cee8d73b63cf932d5dbe3c3d8b598485c6ae893fac535e9fb631718e016ee7c51a66bce9d7e24b93bb1a1306719fa90169ac0778

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
80KB

MD5
d512dbbf4ddd99412e0d0d32a360a5a3

SHA1
d22b6c4e0ac5664c7b9ba2ff706ab51816d70d6e

SHA256
b551d6c1a0249bf6d2d86a1adb7833a2373216add42b9600ce385b54945eaa59

SHA512
50489ebeb8ea5036820a34470275d3d8c88926177cd5aeb7712008a86f405821068596fdf26c6ab6a188dd9120ef7ded0d7c353a6cb67347909841725d61fe2e

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
80KB

MD5
8c64a38da8444e11e1e55411271b9c06

SHA1
c493a567887ab03d9001844df81ce8d9f989f45d

SHA256
b90d0c56a182f167ddd06979ab0df2571e7c29f7840ad081dbec62c12cc78f30

SHA512
cd6802f685ce6391e5613fa239d44540088500989d203b381f6ae3e52d468d9b3796597c7d9a7260dba40b2a666f4879f12c5f5e5d9f8d35ec8691d2b8b47966

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
a258db9489d7f0e9752987ce8f2e9f42

SHA1
e152dddfd2ba6756d1cd73f56aefa754fbd08be5

SHA256
e7d95c0d88561650b3568cd76b687c900f78401750d34fdcf236bd360d007a5a

SHA512
1e15756f85759f821019d4020daeb681555d875a249e7c5dd3c9e676c65d60d0a56381cfabbf074c59f29f5469f7936d3c7f36d2254b8e27d79990826700dafb

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
80KB

MD5
e6f466979240bc2f22ff098565961bcf

SHA1
fb3c97d7bd5d779ddb7b9f45eb01f9269aa6d1ba

SHA256
e19dea3ecf827d53bff1f4d1a29692803bd98b5bad7dc7aeee40e563b9732742

SHA512
93649262ab805f318d55a6aa2a67951cfda765a04fbdab9affffc5126b1ccf75a2ee45e2330604d21464d4674dbab5cb1d3fee52d6402bd3e1c6242e385dd28f

Download Submit
memory/380-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/380-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2808-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads