18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
Size

55KB
MD5

d4a8ebc7ab9100835dc53e4cdbbda4b4
SHA1

a01df7d37813ff3a93d69de1e562f477624ddf26
SHA256

18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432
SHA512

95a9b756c1ecccc686f5bdeabe90a4ecdf9e52e6297c9d23cbabf5ea42c5c24b9f4ab3c6edf520ff7a006c21f0fbb51bc2d09fa428fa4c8da40fff4ca442daa2
SSDEEP

768:cSm8ib1SEAKfP9Mc1XsP4Qk57GdRvE6XJcKab6bptNfIQ37qGMJZ/1H5OXdnh:cV5blA0LQk57oRvEKNVn0y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe

Executes dropped EXE 34 IoCs

pid	Process
2956	Lnepih32.exe
3464	Lpcmec32.exe
2004	Lgneampk.exe
5104	Lkiqbl32.exe
4400	Lnhmng32.exe
1392	Ldaeka32.exe
2728	Lgpagm32.exe
1068	Lnjjdgee.exe
3044	Lddbqa32.exe
1208	Lgbnmm32.exe
1016	Mjqjih32.exe
3300	Mpkbebbf.exe
1680	Mciobn32.exe
3124	Mjcgohig.exe
3092	Mnocof32.exe
2952	Mdiklqhm.exe
1096	Mgghhlhq.exe
3052	Mkepnjng.exe
1180	Mjjmog32.exe
2944	Mcbahlip.exe
4960	Njljefql.exe
812	Nqfbaq32.exe
5068	Ngpjnkpf.exe
2492	Nnjbke32.exe
3156	Nqiogp32.exe
1584	Nkncdifl.exe
1660	Nnmopdep.exe
4080	Nqklmpdd.exe
4264	Ncihikcg.exe
2360	Nkqpjidj.exe
1516	Nbkhfc32.exe
2740	Ndidbn32.exe
380	Nggqoj32.exe
4660	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkepnjng.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5072	4660	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgghhlhq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2956	3672	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe	81
PID 3672 wrote to memory of 2956	3672	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe	81
PID 3672 wrote to memory of 2956	3672	18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe	81
PID 2956 wrote to memory of 3464	2956	Lnepih32.exe	82
PID 2956 wrote to memory of 3464	2956	Lnepih32.exe	82
PID 2956 wrote to memory of 3464	2956	Lnepih32.exe	82
PID 3464 wrote to memory of 2004	3464	Lpcmec32.exe	83
PID 3464 wrote to memory of 2004	3464	Lpcmec32.exe	83
PID 3464 wrote to memory of 2004	3464	Lpcmec32.exe	83
PID 2004 wrote to memory of 5104	2004	Lgneampk.exe	84
PID 2004 wrote to memory of 5104	2004	Lgneampk.exe	84
PID 2004 wrote to memory of 5104	2004	Lgneampk.exe	84
PID 5104 wrote to memory of 4400	5104	Lkiqbl32.exe	85
PID 5104 wrote to memory of 4400	5104	Lkiqbl32.exe	85
PID 5104 wrote to memory of 4400	5104	Lkiqbl32.exe	85
PID 4400 wrote to memory of 1392	4400	Lnhmng32.exe	86
PID 4400 wrote to memory of 1392	4400	Lnhmng32.exe	86
PID 4400 wrote to memory of 1392	4400	Lnhmng32.exe	86
PID 1392 wrote to memory of 2728	1392	Ldaeka32.exe	87
PID 1392 wrote to memory of 2728	1392	Ldaeka32.exe	87
PID 1392 wrote to memory of 2728	1392	Ldaeka32.exe	87
PID 2728 wrote to memory of 1068	2728	Lgpagm32.exe	88
PID 2728 wrote to memory of 1068	2728	Lgpagm32.exe	88
PID 2728 wrote to memory of 1068	2728	Lgpagm32.exe	88
PID 1068 wrote to memory of 3044	1068	Lnjjdgee.exe	89
PID 1068 wrote to memory of 3044	1068	Lnjjdgee.exe	89
PID 1068 wrote to memory of 3044	1068	Lnjjdgee.exe	89
PID 3044 wrote to memory of 1208	3044	Lddbqa32.exe	90
PID 3044 wrote to memory of 1208	3044	Lddbqa32.exe	90
PID 3044 wrote to memory of 1208	3044	Lddbqa32.exe	90
PID 1208 wrote to memory of 1016	1208	Lgbnmm32.exe	91
PID 1208 wrote to memory of 1016	1208	Lgbnmm32.exe	91
PID 1208 wrote to memory of 1016	1208	Lgbnmm32.exe	91
PID 1016 wrote to memory of 3300	1016	Mjqjih32.exe	92
PID 1016 wrote to memory of 3300	1016	Mjqjih32.exe	92
PID 1016 wrote to memory of 3300	1016	Mjqjih32.exe	92
PID 3300 wrote to memory of 1680	3300	Mpkbebbf.exe	93
PID 3300 wrote to memory of 1680	3300	Mpkbebbf.exe	93
PID 3300 wrote to memory of 1680	3300	Mpkbebbf.exe	93
PID 1680 wrote to memory of 3124	1680	Mciobn32.exe	94
PID 1680 wrote to memory of 3124	1680	Mciobn32.exe	94
PID 1680 wrote to memory of 3124	1680	Mciobn32.exe	94
PID 3124 wrote to memory of 3092	3124	Mjcgohig.exe	95
PID 3124 wrote to memory of 3092	3124	Mjcgohig.exe	95
PID 3124 wrote to memory of 3092	3124	Mjcgohig.exe	95
PID 3092 wrote to memory of 2952	3092	Mnocof32.exe	96
PID 3092 wrote to memory of 2952	3092	Mnocof32.exe	96
PID 3092 wrote to memory of 2952	3092	Mnocof32.exe	96
PID 2952 wrote to memory of 1096	2952	Mdiklqhm.exe	97
PID 2952 wrote to memory of 1096	2952	Mdiklqhm.exe	97
PID 2952 wrote to memory of 1096	2952	Mdiklqhm.exe	97
PID 1096 wrote to memory of 3052	1096	Mgghhlhq.exe	98
PID 1096 wrote to memory of 3052	1096	Mgghhlhq.exe	98
PID 1096 wrote to memory of 3052	1096	Mgghhlhq.exe	98
PID 3052 wrote to memory of 1180	3052	Mkepnjng.exe	99
PID 3052 wrote to memory of 1180	3052	Mkepnjng.exe	99
PID 3052 wrote to memory of 1180	3052	Mkepnjng.exe	99
PID 1180 wrote to memory of 2944	1180	Mjjmog32.exe	100
PID 1180 wrote to memory of 2944	1180	Mjjmog32.exe	100
PID 1180 wrote to memory of 2944	1180	Mjjmog32.exe	100
PID 2944 wrote to memory of 4960	2944	Mcbahlip.exe	101
PID 2944 wrote to memory of 4960	2944	Mcbahlip.exe	101
PID 2944 wrote to memory of 4960	2944	Mcbahlip.exe	101
PID 4960 wrote to memory of 812	4960	Njljefql.exe	102

C:\Users\Admin\AppData\Local\Temp\18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe
"C:\Users\Admin\AppData\Local\Temp\18019033d8bec6c5e15db6e65428f5b9690f57ccb0ae9f5c120155c59f5bb432.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\Lnepih32.exe
  C:\Windows\system32\Lnepih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\Lpcmec32.exe
    C:\Windows\system32\Lpcmec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\Lgneampk.exe
      C:\Windows\system32\Lgneampk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 400
        36⤵
        Program crash
        
        PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4660 -ip 4660
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
55KB

MD5
caf507f6f94b38d09cd995f11108215a

SHA1
93a6594d9d3ce385606d3c053e8e2aeec3d8a170

SHA256
31480d1ae7e735d91c3b562194d697a17335e2c6879a9882f175dd92530ad081

SHA512
8bc985274ad03c89ccd468cba3a0c923161256d9eedde619cc74a1e672d71e7339148dcc1e02a23b74fc246788aa9467c7d0bd46a104551f02b81eabc9b16e0b

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
55KB

MD5
27c46012b6655791f06ab3f0fb93e751

SHA1
95cc5a0dd147a3e6293b17bb8f8172b5ff01a75a

SHA256
ab3ac1688f7d07910b619d437eb6aefee7e9e395be00c832232cf9eea7282f31

SHA512
493b6659ecddfc3d597dd63758603e8d27c70b553ef9f969989c0838610a901e297a4589de6e4ef91432bd0dab4cebbb0058e18ae4f1e6962a28f21736915db0

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
55KB

MD5
b19d601ceb9a09ec4f7e2a0c025f2cb5

SHA1
f7add8c6753dd678b97be0753617454f534c78f5

SHA256
05b42795a74c0891264130a607f60f822c4da3998cf105180aab7037fddb2490

SHA512
7b11ee314a88a25aec862995d665ac3f80eb54eecb27ca42e1dccd5dcd7049fb039feb131e495ec08e95e56b638028f379fca6b637d95b9e72e645a990d1d728

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
55KB

MD5
ff1cf4d08419901a6e43a70e6046b8d7

SHA1
ac889081eb876700143e99b917a4f6835bed0176

SHA256
9afbb6527989e860ae8e47e897157e13ae8534a42c7258a4d47fa2b1735d34d2

SHA512
5c6e7279e98aa5ebc081a2d5a9e127d2cd6ccf29217e2281015910eee6f20e52c957ce5a8103fccb88b6c320a6661fbb721990b7f5e3216a87b76f09c12636ec

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
55KB

MD5
086585168abb8e4d50d4cecee58a4081

SHA1
42b7a36f3a75b05d92a7b3f755919b58c35e024a

SHA256
8efe86c993c142ed97f5190f186743d953a92408416e776273d74bd6d8bae869

SHA512
9dbf99418d0d538eeab8dbd0d5fa920d7b9aa7c1abb46b9508af2a17bcfca4fb70753768abe2ab2cf83b1ee536dc6f539036c234d9b94d6062a105ed1b3c55ff

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
55KB

MD5
6808aab6d5cb4970690ebe5fe31443fd

SHA1
bac193a2e78b2b4f2b586a252926dea1da6144a6

SHA256
ff0d8b1c5f58c7f1f57ef420a3b9182b4bfcd5ce41453e51f0d8dbde2dd3ed29

SHA512
4afc0167bf3ce700858467a0673ee1a490375f884ef1058dcba5677889e6a08a54f175bc00d819888d95b2a47bba994a5e3e84e2176fd9ecbc5756f2c888aa5c

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
55KB

MD5
f985351dcf783d7518b72f49f43e5858

SHA1
df503f9b482b35ca4686a31dc2af37a327174100

SHA256
01fd9042300bbaeb8323c513f4002d1803f86a50bd9ab39bb90ee9914f35e26d

SHA512
edbbee83c51555f27e3c4f6ffdeff1f8ebec61541a964b49fb77a7be756592fae5ecc0c661c8d15ba37fc2c0189a97e4195f327c3ce97954593e38adab8e074f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
55KB

MD5
dbe965c7dbb17c12f44cc29d1cd6037c

SHA1
964f4e67f650505f5c317739580c928233573e91

SHA256
73b992ebc88f513493ce6c8641dd179b3675bd348e2a81a5ceb1f51427037e01

SHA512
897aa3c50fb001e4828de6cc688629163dade0e1a2589530e5925114bd8b0d6bacd97eb90677115e4c602224571d49dd758cd05c196644c67c7e6a106f932d5e

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
55KB

MD5
ceb26538b228129de8f458baae9c5b8f

SHA1
341fc9027c948119ac3d6b8e0f270efd3371badf

SHA256
6c132f1215309654c78d370e21e0715e7e9ffe39ef18c5d07134430f8ee92c54

SHA512
a65ad9d375a52ffd1019dd98d1448a8915aac1460ac6acad15bae1f3452b38b1fc3113974dff3950507bb3143c75d120257878aff85997b97b85d7940d3bce22

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
55KB

MD5
a77ede351e4cd5ccab394a07dc1c6f52

SHA1
d0c0de6a9ed6267a00c8293851359754cd17b078

SHA256
01edc4197e35210ee06989b04db6697be2a587d2193e923fb58f2e61dc562e05

SHA512
57b3322c6bc315dc4d03bd28da0c5e319bdeaf481ec04fe15c7be3370730859019530b1107a0d4153375644abae1645277924659e3898e595f385f289266b561

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
55KB

MD5
0c3313f54a7e2f6684b7f215ac10acae

SHA1
c286e7b9ce4b5d350402f48461ff2ac8225fbc47

SHA256
d8eba7176ebfa37ccd7aa61af39f62fbe6972496261f23cc0525013966c89b3b

SHA512
10ed9252579c7a217f710fff61ce857c728b168c00eae05f5787d582ce4054dc41b0faf2c19fb984d286a63201af80c09caf1a66022ccce740271abcf507ebfa

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
55KB

MD5
c45e4b2c8554ce39646bc39b6ccc87e0

SHA1
eb1271f09e78b828bcdb1ac080fc82f4d3a70858

SHA256
9c8e9893df7aac0f6cfd32bfa802fbffbd294f95c1f876289071beb502bd8697

SHA512
8b4ea912ea6f64b8af3ac056a5934dcce2cbae8698b5118e13d795672e691108b2c0c6b7bd77c13ecb124ae602054606e41858a10a4a4aa3e32f8237fbdd6413

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
55KB

MD5
a8f3ee306ce9a397bd4d2ad44ada6361

SHA1
364710c02aee32368e9fc52b889ab61a62ef99bf

SHA256
071fc37a81708c3336eefcffe444729d5ea2cc0d9168db08d962c53b38a2993d

SHA512
6308d4f2a38eced3f78a86ea9658d9009422a07ab9fb4fc733dd00485900f362454dfea735ab20a0716470cb94a54bee4c45bb5b1f82e6ad5d44145d55cdf725

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
55KB

MD5
e6da4d6e08cfd5973776c2beebe48f74

SHA1
00764078fd13f62e9f57eea0392701309eccd2f7

SHA256
35c460856006436ce7ed52b6ef5fce4fd484394f58a7f57e246521595adcbb57

SHA512
ca7efbe3f7d8fac45bd4e38c46a74e8799ff6d391b8166919b9ff3b4f2ce2309e553aee331a160643fb66e1f449a52bf64ab3221f49682d98fdd9ce9510daf1a

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
55KB

MD5
09e6a8da2849ed036f62cb8c2fd06b33

SHA1
7a09f505c106016134a52f48e0b37561a7a3a321

SHA256
90f2aca49a46f0d8ddb51bebe3e2357fd5eb455ed35ef9ccbad76e91a35b2ee7

SHA512
433c8651cf2848296a55abcd5f6af3df792ef49fe88bd2ef0400632705d97e8d8572ad26d6af55eef77e626cc7fc9ebb4ad57037b64e6fab69e948ce8eacca05

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
55KB

MD5
9b1ff7c647563264544a83d8d429d4f8

SHA1
6852551e1b9f7345f7f2b7372458b9940fc099ec

SHA256
856ca20ca7125bd2d6c78cb4f592905924a54bded00dff93e615872fcfccb74a

SHA512
c980605b7b1eb08ec7e241e29d11cc4452b0306294f7db794548baf43c48c695f5a85a462127ada889e8b399096ec14e235d9745d373a2144a14cb9e7eb5a558

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
55KB

MD5
06bd5a5f474afa55c1dad7e439f1d16e

SHA1
248c26a7c0b72c65e3357a7965416b4a2a6687b2

SHA256
24f1e8289df22f23cee8bfbd7023c373efed40022cebfcbf2269fb5f8759c78c

SHA512
b1f0f1727aa91cb5c4a3624352c458c22630b642c4201a8a28aa00344c02ecb6d237043789ee7319922c2df531e14b6fffe420e9e2e1b61366407516a41361ed

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
55KB

MD5
73beab604aea3cb78b5b6c24478026e6

SHA1
543ce080f39754d8ec9fca348522daf25452b9b7

SHA256
2d6d6d6345432921934c0603c813b27c28c1a8089525020e311f8ce2ec0d4f9f

SHA512
620bd59ac79ad633853f748ba327a2b48356a454c56760e042a38296c05ed346c91ed4fb98fb47d0ed1e224ef4428f1d0120836aaa08add9bb198303c80f9995

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
55KB

MD5
265921307c59cbb63870344f5ccc9e89

SHA1
091e244fb31468eeacfca75a64b1b9c84716f537

SHA256
ebbb32073f031bb36e6efa3215803b70cd4b6f34b5b8f244b6be138b872cc00b

SHA512
55d98ca273b4340e3fba09a6ad9f51e3e547f0617f4fc1e13c95808d8d2a1c4fb65e6d9b881626ddc920b98d4646d54d184c463f19fd3a2f3d4be6ca8c9cf218

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
55KB

MD5
e7035e2d6f42e82da15ae980c3f0cf16

SHA1
c3b9fe6174ba2eed29cc912ab12cc28a00f88922

SHA256
083d585995bb551ac0a64286a7da830ec44fa8ecfb8792b377c2fca7853de784

SHA512
e6de0823e872c076ede80becec7244ba4bd2041a3d49a67be3a524c1cacf07db069c64ff3b590e2e5d610aab3dd0bdf8ea7e9ab13a558a628307ec14d28ee226

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
55KB

MD5
ae66affb8141490f6d781ae99632b2a0

SHA1
198b71a546990031d2c1209ae426eb8c1a288057

SHA256
bf5b3547c6f53a780fb7d017a15a1f13488348e8b0d5da0e6991fc39f156791e

SHA512
d5f69bfd9ded00e9ba0dea848e9fa5c589a640d3c74efe098039d0db94233c2699049c9eec31efc8674cb5917b335387cbe85fc84f7b2ab0745605fcad58a46f

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
55KB

MD5
0851237700391dd4461fd71521f1e98f

SHA1
2dbdd95bf013b437fe8431825e3eb940f84ce918

SHA256
f057587903b147642edb6918f069b109cb45d1910d834f78ce2299f1fc488e8c

SHA512
88998094df111a3ace48954e943ddf0b801785ba3460bb02da88e2d74338deaf92912041f9f1652626e778584b3b10d9f4ec4b3da096491ed9b191036eb08530

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
55KB

MD5
01c901182acb77736ef724fff11d6f34

SHA1
3bcf9ca9196ffc923dfeae6e336f28630eaead0b

SHA256
af4318a3f403aab8fefc45e8d8954ff42f05719669b4396a4dcef87462619bd7

SHA512
4bc443d9372df8478d6c9018007353d7269c450dfe3637c53b1d448fa078e4a7fa04d0ac98ffd22227109ff2f879ff502e330ec7efaa21f6f00841160a540ee0

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
55KB

MD5
841877e201cbf7abea79f84f38295d87

SHA1
90a36e73bd3ac791648df236d95ba24141b1a7ce

SHA256
897e2ed770f2db1c69fe8f79291578a95b547cc310582983bee7db49dc42f820

SHA512
726877b638718a3c769de7ce4c49188cef51d24ba17e75ee503fede1498c2e0482a264bf902db01f9de97db780be9a1f95026364cc703d825f3a3f68c7b6e097

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
55KB

MD5
3740c7b32ed02cea1b5fe19fd419a090

SHA1
38fac2ae1a2e910752ee761caab444a269aca496

SHA256
0527e40013a3c05639b995ffafbd75017b38aaa074ac4e5f5756a379e51a5128

SHA512
3b3c634c5389868c40b17fb874f3d972dabf84693664c6fd64143e80d297c16bb5506b39f9a578c28cc4d2189721c4bab9125f5d084417b2bf2d768677480441

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
009bce03f18741fadc057793a427a620

SHA1
428dd155b95aed8e4c8be7512efd4ba6d03f566e

SHA256
457b824bcde2615086892ec76fb5b69ef1284fd1d8757ef0605d3f00a968f628

SHA512
0fd5f0487351a3b0611f1be0699b85cf1e4e29607a67074f66f1cb489a2d2a6e80641a44306b3f00d770764bd8653f313b54f31ab783ce88fa06ec5ae76da843

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
55KB

MD5
5a709618606432ff604741349546a72e

SHA1
9d9ee0cfb0e10d3ab7241e29555dfae50f22740f

SHA256
24c1c32d4ad5fa679cfed90d4f0962f7b7dfaff46988acf258cdac59c1059d98

SHA512
866902abe25f5dd2864e14be189520dccc23cea733038adfc51f31cca0fb712958557930a6620f9db80ce85defef2808fb5db008bf1e9db8383a919a46711734

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
802559f59d49729165ef082bd809e661

SHA1
8e859c9376ce26c01b5206236515a4079f794640

SHA256
1d633587106c39262660512c8cfe9b4608f723033736cd5e324c2aa9872cc909

SHA512
62e376b6c6c483e0d4c0e5e547f3a56c6c9665ccc60492b558fe490e5a849dd1ac9c0ffdba7903f17d89282329beb70829ed9f04c8933ef71d24e5c03ee48ebb

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
55KB

MD5
27bef3540772f596041e087d792bcf40

SHA1
0ff4c355fa4d3460a4e7ef46fff550837e6d55c9

SHA256
559ef07114c88931d206a4362adfbd68f8cdb22a19fb6338473c6840684048a7

SHA512
2e517369e7482d9c03b2bd96c0df6ef252760c706af2cd9f925efe8f824461a06738a9cbfe4ddda8b8f8eb9d207d91784b3a8396c9fbd513bbc323d4a9ac5d25

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
89f178337c9a440ba0a10ccbaeade4bc

SHA1
895d4352c2f3d8504aabc2c8b4df8af69d035549

SHA256
c9b23d6a56a5fb1dbd8299b413e64809ca64c622738b79bb9d05819cfef692d5

SHA512
3fa3157562d42e71fbda7cfb5287a02d9cf76755a69b6015595c419dead4c0cb57eb005bc4bacdea2f8022185187b55dc9d7b538e251fb9eaacea8b48e3d213d

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
55KB

MD5
180a49940fa0846abe839c40ce340f3f

SHA1
f69ef1f59fcf406914ad0ce36f9a6838bf96701d

SHA256
cc3e8992ef04527ab0790ad19f9584a077c08627a09d1fb1ec84153f0cd5dfd7

SHA512
db1ce7fba03777dde92e24b350c4c9e796a5f4a7f48398706f33dc0bb3a1db5dd9ee992b3fe1929c8a71ef5dc8fd596525ab37ae86ac26257c336bf54005ce6f

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
55KB

MD5
1d9acfe0d684cd7f51f790674e426664

SHA1
0736f8c3bf241fee52da6ef20f8ef214eb63b741

SHA256
f30dee7c05a8aaf784b4edd186e83b12a0a1c736f1d731a6eb3ff555f87b37ee

SHA512
85afac2141235d7cfb6ec41882c25baa99473f23c090b003241ed37dd685544bbdf5d6993e905edbe42f1b15b411470bdb0dcd06740dab4a9f3f71a6629c8811

Download Submit
memory/380-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4080-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads