njrat | a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Size

337KB
MD5

14706d806b92888bb9d2c36a29e04e74
SHA1

601509a3aac13831e6f2e69384f7f202d29f172d
SHA256

a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3
SHA512

8061c9bc37f9595d57670bd2a4a2e3b53c6fca522d0d99cb040c1b3db1dd21c1950b69569cdda7b48fd83a6cc4c9e968c91fbdb209688244281b6b54519e01d3
SSDEEP

3072:gk+UCBZgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:gk+9Z1+fIyG5jZkCwi8r

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 24 IoCs

pid	Process
720	Kcifkp32.exe
1840	Kkpnlm32.exe
2716	Kkbkamnl.exe
752	Lalcng32.exe
2548	Lkdggmlj.exe
3452	Lpappc32.exe
2808	Lkgdml32.exe
3484	Lnepih32.exe
2140	Lgneampk.exe
1896	Laciofpa.exe
2860	Ljnnch32.exe
3676	Lphfpbdi.exe
1464	Lknjmkdo.exe
704	Mpkbebbf.exe
4668	Mjcgohig.exe
3144	Majopeii.exe
1788	Mcnhmm32.exe
5064	Mglack32.exe
1112	Mcbahlip.exe
1484	Ngpjnkpf.exe
4484	Ngcgcjnc.exe
552	Ndghmo32.exe
3096	Nnolfdcn.exe
1444	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mglack32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	1444	WerFault.exe	103

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 720	4684	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe	80
PID 4684 wrote to memory of 720	4684	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe	80
PID 4684 wrote to memory of 720	4684	a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe	80
PID 720 wrote to memory of 1840	720	Kcifkp32.exe	81
PID 720 wrote to memory of 1840	720	Kcifkp32.exe	81
PID 720 wrote to memory of 1840	720	Kcifkp32.exe	81
PID 1840 wrote to memory of 2716	1840	Kkpnlm32.exe	82
PID 1840 wrote to memory of 2716	1840	Kkpnlm32.exe	82
PID 1840 wrote to memory of 2716	1840	Kkpnlm32.exe	82
PID 2716 wrote to memory of 752	2716	Kkbkamnl.exe	83
PID 2716 wrote to memory of 752	2716	Kkbkamnl.exe	83
PID 2716 wrote to memory of 752	2716	Kkbkamnl.exe	83
PID 752 wrote to memory of 2548	752	Lalcng32.exe	84
PID 752 wrote to memory of 2548	752	Lalcng32.exe	84
PID 752 wrote to memory of 2548	752	Lalcng32.exe	84
PID 2548 wrote to memory of 3452	2548	Lkdggmlj.exe	85
PID 2548 wrote to memory of 3452	2548	Lkdggmlj.exe	85
PID 2548 wrote to memory of 3452	2548	Lkdggmlj.exe	85
PID 3452 wrote to memory of 2808	3452	Lpappc32.exe	86
PID 3452 wrote to memory of 2808	3452	Lpappc32.exe	86
PID 3452 wrote to memory of 2808	3452	Lpappc32.exe	86
PID 2808 wrote to memory of 3484	2808	Lkgdml32.exe	87
PID 2808 wrote to memory of 3484	2808	Lkgdml32.exe	87
PID 2808 wrote to memory of 3484	2808	Lkgdml32.exe	87
PID 3484 wrote to memory of 2140	3484	Lnepih32.exe	88
PID 3484 wrote to memory of 2140	3484	Lnepih32.exe	88
PID 3484 wrote to memory of 2140	3484	Lnepih32.exe	88
PID 2140 wrote to memory of 1896	2140	Lgneampk.exe	89
PID 2140 wrote to memory of 1896	2140	Lgneampk.exe	89
PID 2140 wrote to memory of 1896	2140	Lgneampk.exe	89
PID 1896 wrote to memory of 2860	1896	Laciofpa.exe	90
PID 1896 wrote to memory of 2860	1896	Laciofpa.exe	90
PID 1896 wrote to memory of 2860	1896	Laciofpa.exe	90
PID 2860 wrote to memory of 3676	2860	Ljnnch32.exe	91
PID 2860 wrote to memory of 3676	2860	Ljnnch32.exe	91
PID 2860 wrote to memory of 3676	2860	Ljnnch32.exe	91
PID 3676 wrote to memory of 1464	3676	Lphfpbdi.exe	92
PID 3676 wrote to memory of 1464	3676	Lphfpbdi.exe	92
PID 3676 wrote to memory of 1464	3676	Lphfpbdi.exe	92
PID 1464 wrote to memory of 704	1464	Lknjmkdo.exe	93
PID 1464 wrote to memory of 704	1464	Lknjmkdo.exe	93
PID 1464 wrote to memory of 704	1464	Lknjmkdo.exe	93
PID 704 wrote to memory of 4668	704	Mpkbebbf.exe	94
PID 704 wrote to memory of 4668	704	Mpkbebbf.exe	94
PID 704 wrote to memory of 4668	704	Mpkbebbf.exe	94
PID 4668 wrote to memory of 3144	4668	Mjcgohig.exe	95
PID 4668 wrote to memory of 3144	4668	Mjcgohig.exe	95
PID 4668 wrote to memory of 3144	4668	Mjcgohig.exe	95
PID 3144 wrote to memory of 1788	3144	Majopeii.exe	96
PID 3144 wrote to memory of 1788	3144	Majopeii.exe	96
PID 3144 wrote to memory of 1788	3144	Majopeii.exe	96
PID 1788 wrote to memory of 5064	1788	Mcnhmm32.exe	97
PID 1788 wrote to memory of 5064	1788	Mcnhmm32.exe	97
PID 1788 wrote to memory of 5064	1788	Mcnhmm32.exe	97
PID 5064 wrote to memory of 1112	5064	Mglack32.exe	98
PID 5064 wrote to memory of 1112	5064	Mglack32.exe	98
PID 5064 wrote to memory of 1112	5064	Mglack32.exe	98
PID 1112 wrote to memory of 1484	1112	Mcbahlip.exe	99
PID 1112 wrote to memory of 1484	1112	Mcbahlip.exe	99
PID 1112 wrote to memory of 1484	1112	Mcbahlip.exe	99
PID 1484 wrote to memory of 4484	1484	Ngpjnkpf.exe	100
PID 1484 wrote to memory of 4484	1484	Ngpjnkpf.exe	100
PID 1484 wrote to memory of 4484	1484	Ngpjnkpf.exe	100
PID 4484 wrote to memory of 552	4484	Ngcgcjnc.exe	101

C:\Users\Admin\AppData\Local\Temp\a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe
"C:\Users\Admin\AppData\Local\Temp\a51880a1745bc5b19078e85140a6fac4776ff6dcfa819fb8dacea89b1f16e8a3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\SysWOW64\Kkpnlm32.exe
    C:\Windows\system32\Kkpnlm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\Kkbkamnl.exe
      C:\Windows\system32\Kkbkamnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 400
        26⤵
        Program crash
        
        PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1444 -ip 1444
1⤵
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
337KB

MD5
c2ac1b6419f4da313a8c5d3536bc4ab5

SHA1
6ce9bf4a7b70f3d6ff6a0ae2ded0cee4c9ffd3d7

SHA256
778b2951f14c5b2b3d96f5e26aab876f633936d647b66189e2902b50dc4b2ec4

SHA512
d97494441c5242f6a1be775c6755280030c1d375734e14c132ed84610df56a6913d3e74a4739387f6ceb6a7bdfbd48a852d20d143bb35b05eb607ed3b5a75265

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
337KB

MD5
3b5589e379a6c62c8da328564892bd50

SHA1
1c0a1ba35a7d2c95366b043db938c1a91d947232

SHA256
1b3bd8314db3b39b8d50c74d1cf40e3a39504cc823bb1e4a21fe0edea62d591c

SHA512
483f1b172f3b6fe9907329cb16b17275aa799a7c427baf2c2032d28d93f529fa8cddd2e8577525b7de3495ade0b4608dc2deae1c5160c36cd2566eff6df143ec

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
337KB

MD5
503dbd35946fdd95e42c75c6175df91a

SHA1
4e7b67fd298c15a6783c9fae6a03f740daa8d3f8

SHA256
cf6229029e807d6b54cda43c34cb7305fad9fabcf6b9d087d3a0a78b97bf6608

SHA512
49262e04954e50dcf754af24ada0cfdcb647707f7d9c496486637e05c26559d0abc9b41b8a6eede9f33bd87a95fd47f36f870563794492ae29798991839094a0

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
337KB

MD5
d7be6cf2e64453146b1f647cf91dc2ba

SHA1
0e47b46430a956f670bbe2595a73dc98a982f654

SHA256
467547276b1035ee6338b5086a309e4acc490e292c9a305d19e156e75d0e7865

SHA512
457aca330ef01be3c69117febf93fbe23f5a2c5405ff1403937f6157b69bf2f5081e1d61798f815ee3af29c959da2dde90f6af26536706841899b35b45c48e66

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
337KB

MD5
92c9c308affed8bc69fa6966953e9293

SHA1
4ca4f237fb8a22b679a23097f3c83a0240d46967

SHA256
b4cfcfbcddb66eb466c142fbbbe4fabf22764e8c9864360a67992efd95adb6c0

SHA512
79e0e6a3e2a53375255a33d4e0c194e4fde350bd3b88a02585c11da2788508aa2a9b1c190deb0d425fc0d7594f59d847e48102752a8be344256904fb36b7c7ea

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
337KB

MD5
57f0caefd68090c4132e9186517f767a

SHA1
bc18bba65d39e2ff1d1928a637850d27aaef4ada

SHA256
ab3b7c8424358957c5ba00fb816c753cc1aac4b648a88d4d2d736e9721e261f2

SHA512
0be4334f9d5b37dcb5c0bfba0b93275cc905ae1dd05f452fb9e6d0871d96b2460581532700af4e8686583f9bd8f834d0aa3caeed597f2568bdcd84037fd3acaa

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
337KB

MD5
b6c8084aa7161835a12c5fc8ca712641

SHA1
94faa7efc417e2d61007a0eb0a64b7f8f4d9df03

SHA256
3bb082fb99fb052fa029b86cb10d595a8da02f0884739ebc31a3daf7c9551679

SHA512
ba9820e2b076a4f6a48876fad55b2a4eb4ae862782e90f14f0dad047ca6824a06860aa3bd1d7b965baef2c49d356d31ce12f3c607849cfce7a543773df822c22

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
337KB

MD5
abde98f2ef161680bd7bbb3198cb322b

SHA1
3f241d7356c775a134482e835477272c1e91faf1

SHA256
a6503d22178fe8a4554d434b190514ee4bd4a628fc136f6cc72f98f8525ed2b5

SHA512
b76302cce06f74fd04d2d12b7806d2b2b1ff206a4e047474d12853c68cbe97718da63c733c853ed23d526be3545f47e424a0fe76a5275a6d884a199d48c3a962

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
337KB

MD5
1f47576bb513a6063e96b29d4feb9d23

SHA1
a3d64bde567b305734a6d1ef40877f6450126dd7

SHA256
9025168b8946894717b3239c1cdf53ef561bdb44cfea63cdb9d6f5a1fe39f168

SHA512
ba00d0f6f853344ea0a1021231f5bf9f44ef427536c10f9f5bb86e24a34c5956b38d315f9eae34762a501efab7c3b0a5bf6174048893454a99dcf367cb63bcfe

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
337KB

MD5
109bd4202b801d177aa9b214418dfd76

SHA1
4b9c0c298785aad6d1b16f3a50b690787aa2495b

SHA256
82c6e0c66f08c266e133f09f42803258e7b4bf496160bc0185371e39153db95b

SHA512
2fa76e8d1b07e246b86c2d68dac89f6f02eb936b645d299c335925240c532921828ee3c85ea01694de201e5703d5f9e90c40da6fd069eec44a1b48aeaa571c81

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
337KB

MD5
d0706a080e4ffdb2525d35a01f4fa2b3

SHA1
61264607d4ed093c0b2e57b0c7fa622d35dab7d3

SHA256
c2afbfb50744cef78d912f659adaced37d5613406773681ea683a7ea89cb5a24

SHA512
16980fcb84efe3a63ff9d353c6aa53a137ffd8fb5f78e27a534e9fe76aaa4d88d9b4069d39cd1a39d2edf9e56452728e57731af33d1fb6b6166890fafb94d0f2

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
337KB

MD5
69a7409f0c79b08af381efac69c4c91b

SHA1
88cf604bc52d2b7ad4b56e9791d9a0e0a91b5180

SHA256
e7ffccb86a25b85868b51509e5df8ed29fea82fa755ce70e54df04974a8851ec

SHA512
6ce95981ae1c11576c2a0cb8a56bf8fddd4b37c8af6f988f531b61086dd802744569622c9e1518343be23cab43fe288667e542eaba15b549f85d3274479a5bb4

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
337KB

MD5
888bdca8f3ab701ecd5ff33f967542d2

SHA1
b74a07119e827c49a19e4b930a22d0634bd73eab

SHA256
65f9170397f632a0b52bc9e695a1b12f9ccbe613014a9edc72b848445d052058

SHA512
7a8201cf1fb5de6cfebe04259de403fd4ed436d43bfd2995d2de68e90c29feb744121314bec23ee8ba40cd2d05e7c278a6d60e4757f779f3d5fc13274aed79d8

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
337KB

MD5
8e305456276fb69ff739d8e179a9a59f

SHA1
ab324e8e37694de604928b654b176488f3af40ed

SHA256
9ffce59cc391877f56f243c68ffba854ffa6292e86e4ad63d2e5648f2c718f5e

SHA512
257783ed1e69c2092c663be0a42ecb30a5af79fe4eba2b21b04098a31c52250e8ee59f8858bb2d0fd6ef8b49fa59024f127fb77ef0e9f656680c421932ff4ff4

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
337KB

MD5
5b89b7360ecf634d6bd10c8cfb037d99

SHA1
14c4c922c81b414a5daf8d71821083fc2b254210

SHA256
254725afc927149008ca8e9d662d819abd21c75f2c4dfb17373444e814d3b2ea

SHA512
c1c7a9a0295d44928cdc8dfa7ab9f40bf250ec7f1c1594efd5bf983970ee78e5aa2493ec52831bbb29023a1b68093ae90fdf9bd520b59426cb033bb267b572ec

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
337KB

MD5
f6911bb8356eb87e15f803a517ec602f

SHA1
555ef9a6ea40c2b27f8866316e0bccc12bbd5a34

SHA256
a59c72045a6661ccad2657eaf23129c6527007f0f193fdea21f38dfb8c45bb16

SHA512
6eba552cb26a4790cb17ba599448fd97626feebc2f6a5546f817d8db87fcd5d72c6a444db5259e3057de170b6035b5dacec2d46b45c7bd2d551076874de1fead

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
337KB

MD5
f4d95c9e3fc4304b4ce34f0524fa9f7c

SHA1
d8ba072a2d0529dcd62cc6984b6bff67744345ee

SHA256
0e0a0a565c3110438071d54a5d790e51c0465dbf9b97f5db21f82e72d9612001

SHA512
d421e3fb346e67b48080a9db7556592d3243fc21de8097b61bd3d2215756e09d1c5626f597d1b20cb02150f50f37c219159070c027073fbcb2add10e49f642ae

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
337KB

MD5
cc9e45685d07699e99061d936ab582c5

SHA1
3454f53224a8ca1611d4f78fc8559ad4e0b376ed

SHA256
06d27298b0cc820322fc684bcc26de7e2726a841230503862d3c0e02e55d06b7

SHA512
23e8cd98d568d1a3ed4a412524c96667e6eff34f9875ee240099205eb0b354348970ed7d58133fa8734d1ee57aeac725775053e621dd3f4f96648e146ce12192

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
337KB

MD5
d053bf7a3b097b5ee90fa8bd279dc17e

SHA1
be74f13fbab21f0b0a66b723c078e4656451ac30

SHA256
ef2021a3dfe2ae777df684c601819145837d8579aa49ca7c0cc02ccc2f8ca7e0

SHA512
2f3ce9a22add0ee0df351953cff1288a35c706776f312b9e549c936ba6d5c38a3ead8db145f72799d1b3f16df50bffa99d29ecc1b56d0721ab2ac9c9d4147c7b

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
337KB

MD5
7c16f4422e7c3a3f0eae65f18b8ca00b

SHA1
c7cba470c5d8ce94a1252c15e53c6dfc4f88ad3e

SHA256
685dcabf5927e7b4e6dd8f5f46f9c68f953f2fb195a32cf8c26f6ede39b230d4

SHA512
67c596b23137f5d231e80297c52ec0489fbe8b988435fade1b4383c99238f7ef91ca332e4f5ce5d345780f855c87b61051652319ac87bb98b77f281c63eea3a2

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
337KB

MD5
25b654964435a06200838f63ae8fe290

SHA1
3459e2a14d61dc8db8197805a8dc1fe8f689ded3

SHA256
740627fa32157c1f11b24491a892eeca365ba93bda5ae7f4105edb18e661c049

SHA512
dba91f69c26feb3aa77959bf64bf7b6e1848089da647396b2f5736c6033976b91ed04dea3ee00416aced2b44dc31188de0ecda738a2e8f841e41641247c0234c

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
337KB

MD5
36023bf5c1f35cfac8983af67d316dff

SHA1
106a9f63ee826a356099926663f878c7040b83b2

SHA256
ae0417fb49cbd2afd8bec73a4c4078e67d99bfaf2dd3d14ac33823d1d97b5e03

SHA512
154fc206b2cf7a285f5221137b8310df35111643b7a570fbea317043624b70e76e97c10882ef482dd829421595c71ad3accd06cd30b5e1acdb58f72f8961e2bf

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
337KB

MD5
7140a11171fc05c067f78ca1ed85092c

SHA1
2c0a5751268546daad049edb00c97343ee4e693e

SHA256
04a56abf812abcdac01ce8256731aa1f306d4b3ef9c0db2457d393fb63592b1d

SHA512
2b5fac10ec8a2708886523aa9176d8ce97c991bf870d211554f2cd3ce05cb14f738e4232701f1acd53d06c85268f6185d6adf1c8eabf7372ea55c6b2afa8f3c5

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
337KB

MD5
223986b78d0f9c7d52e2e5ad1f6d9552

SHA1
b4eb33a5e8d610faefd9c7dc36a7316c1773540c

SHA256
4e491731aca676130175e09a52da3cdfed1233229ba421a53c323d7667539b60

SHA512
a08503f855b0084f55604b8593ebab0ed2d7222981ff3e28d2c8b36cba59f4c8e0e89878b601e565f1dc397bc5e29951bd73808c8ba57f75c7c51a0fd4eabf38

Download Submit
memory/552-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5064-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads