d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
Size

92KB
MD5

41cb9ed2004b4b8b679351021b8313f0
SHA1

efcda9edd138c82b4c49ae21eb34a8a8f1c88f87
SHA256

d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988
SHA512

8ec6aa110f036ca445d4c44606aa69670ad29ddda042ae9b9ca1dff9b47216922faccd897063682ee0d46cf13b93f4dd0939d4921d43b7bd8f9cb1a3d596c514
SSDEEP

1536:oYsk1nsfkeIsEa0Q3X6Ecy15WjXq+66DFUABABOVLefE3:db1nscHu33X6q15Wj6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe

Executes dropped EXE 37 IoCs

pid	Process
1916	Kgfoan32.exe
2084	Liekmj32.exe
4128	Lalcng32.exe
4084	Lpocjdld.exe
1312	Lcmofolg.exe
4056	Liggbi32.exe
224	Ldmlpbbj.exe
1404	Lgkhlnbn.exe
4932	Lnepih32.exe
3156	Ldohebqh.exe
1704	Lkiqbl32.exe
2444	Lnhmng32.exe
2428	Lcdegnep.exe
2112	Lklnhlfb.exe
3108	Lnjjdgee.exe
2332	Lcgblncm.exe
1100	Mjqjih32.exe
1548	Mahbje32.exe
1868	Mciobn32.exe
4608	Mdiklqhm.exe
4724	Mpolqa32.exe
3588	Mjhqjg32.exe
2088	Mpaifalo.exe
3436	Mjjmog32.exe
4372	Mnfipekh.exe
2544	Mgnnhk32.exe
4980	Nqfbaq32.exe
5084	Nklfoi32.exe
3096	Nnjbke32.exe
2608	Nddkgonp.exe
468	Ngcgcjnc.exe
2712	Njacpf32.exe
3300	Ndghmo32.exe
2372	Njcpee32.exe
3768	Ndidbn32.exe
5052	Nggqoj32.exe
4728	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4340	4728	WerFault.exe	117

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1916	2984	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe	81
PID 2984 wrote to memory of 1916	2984	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe	81
PID 2984 wrote to memory of 1916	2984	d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe	81
PID 1916 wrote to memory of 2084	1916	Kgfoan32.exe	82
PID 1916 wrote to memory of 2084	1916	Kgfoan32.exe	82
PID 1916 wrote to memory of 2084	1916	Kgfoan32.exe	82
PID 2084 wrote to memory of 4128	2084	Liekmj32.exe	83
PID 2084 wrote to memory of 4128	2084	Liekmj32.exe	83
PID 2084 wrote to memory of 4128	2084	Liekmj32.exe	83
PID 4128 wrote to memory of 4084	4128	Lalcng32.exe	84
PID 4128 wrote to memory of 4084	4128	Lalcng32.exe	84
PID 4128 wrote to memory of 4084	4128	Lalcng32.exe	84
PID 4084 wrote to memory of 1312	4084	Lpocjdld.exe	85
PID 4084 wrote to memory of 1312	4084	Lpocjdld.exe	85
PID 4084 wrote to memory of 1312	4084	Lpocjdld.exe	85
PID 1312 wrote to memory of 4056	1312	Lcmofolg.exe	86
PID 1312 wrote to memory of 4056	1312	Lcmofolg.exe	86
PID 1312 wrote to memory of 4056	1312	Lcmofolg.exe	86
PID 4056 wrote to memory of 224	4056	Liggbi32.exe	87
PID 4056 wrote to memory of 224	4056	Liggbi32.exe	87
PID 4056 wrote to memory of 224	4056	Liggbi32.exe	87
PID 224 wrote to memory of 1404	224	Ldmlpbbj.exe	88
PID 224 wrote to memory of 1404	224	Ldmlpbbj.exe	88
PID 224 wrote to memory of 1404	224	Ldmlpbbj.exe	88
PID 1404 wrote to memory of 4932	1404	Lgkhlnbn.exe	89
PID 1404 wrote to memory of 4932	1404	Lgkhlnbn.exe	89
PID 1404 wrote to memory of 4932	1404	Lgkhlnbn.exe	89
PID 4932 wrote to memory of 3156	4932	Lnepih32.exe	90
PID 4932 wrote to memory of 3156	4932	Lnepih32.exe	90
PID 4932 wrote to memory of 3156	4932	Lnepih32.exe	90
PID 3156 wrote to memory of 1704	3156	Ldohebqh.exe	91
PID 3156 wrote to memory of 1704	3156	Ldohebqh.exe	91
PID 3156 wrote to memory of 1704	3156	Ldohebqh.exe	91
PID 1704 wrote to memory of 2444	1704	Lkiqbl32.exe	92
PID 1704 wrote to memory of 2444	1704	Lkiqbl32.exe	92
PID 1704 wrote to memory of 2444	1704	Lkiqbl32.exe	92
PID 2444 wrote to memory of 2428	2444	Lnhmng32.exe	93
PID 2444 wrote to memory of 2428	2444	Lnhmng32.exe	93
PID 2444 wrote to memory of 2428	2444	Lnhmng32.exe	93
PID 2428 wrote to memory of 2112	2428	Lcdegnep.exe	94
PID 2428 wrote to memory of 2112	2428	Lcdegnep.exe	94
PID 2428 wrote to memory of 2112	2428	Lcdegnep.exe	94
PID 2112 wrote to memory of 3108	2112	Lklnhlfb.exe	95
PID 2112 wrote to memory of 3108	2112	Lklnhlfb.exe	95
PID 2112 wrote to memory of 3108	2112	Lklnhlfb.exe	95
PID 3108 wrote to memory of 2332	3108	Lnjjdgee.exe	96
PID 3108 wrote to memory of 2332	3108	Lnjjdgee.exe	96
PID 3108 wrote to memory of 2332	3108	Lnjjdgee.exe	96
PID 2332 wrote to memory of 1100	2332	Lcgblncm.exe	97
PID 2332 wrote to memory of 1100	2332	Lcgblncm.exe	97
PID 2332 wrote to memory of 1100	2332	Lcgblncm.exe	97
PID 1100 wrote to memory of 1548	1100	Mjqjih32.exe	98
PID 1100 wrote to memory of 1548	1100	Mjqjih32.exe	98
PID 1100 wrote to memory of 1548	1100	Mjqjih32.exe	98
PID 1548 wrote to memory of 1868	1548	Mahbje32.exe	99
PID 1548 wrote to memory of 1868	1548	Mahbje32.exe	99
PID 1548 wrote to memory of 1868	1548	Mahbje32.exe	99
PID 1868 wrote to memory of 4608	1868	Mciobn32.exe	100
PID 1868 wrote to memory of 4608	1868	Mciobn32.exe	100
PID 1868 wrote to memory of 4608	1868	Mciobn32.exe	100
PID 4608 wrote to memory of 4724	4608	Mdiklqhm.exe	101
PID 4608 wrote to memory of 4724	4608	Mdiklqhm.exe	101
PID 4608 wrote to memory of 4724	4608	Mdiklqhm.exe	101
PID 4724 wrote to memory of 3588	4724	Mpolqa32.exe	102

C:\Users\Admin\AppData\Local\Temp\d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe
"C:\Users\Admin\AppData\Local\Temp\d3a9d4ce8fa169ce5d5424e16900c9ac2ed18ede4b87062769eaea372d288988.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\Kgfoan32.exe
  C:\Windows\system32\Kgfoan32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\Liekmj32.exe
    C:\Windows\system32\Liekmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Lalcng32.exe
      C:\Windows\system32\Lalcng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 404
        39⤵
        Program crash
        
        PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4728 -ip 4728
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
92KB

MD5
be52d846ef557ad0e282f42d5b5922fb

SHA1
f08a17e9d9f7f80bb99d072f1136522ecde1313b

SHA256
6b930f8031981fcc2065c8366e0d089c5c86bdd763e3edf60ed94fa82fb24f59

SHA512
7934e29ea2da5801b54c044f2829324b04341c7b9ca7edf0b08369dd00bb840dd8e5e26275056640d261103f64652c3820ddbeba22dd6b501066735029165c95

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
92KB

MD5
31b85d26506feb790add15a896998671

SHA1
34677676106a27156fcd39f652af72fa4f831fcd

SHA256
ab04ee849a5fb008e2bd1dd3f99393b07ca556f411941313b0ee0c7574069d89

SHA512
a07211f19fc2d0751ec8a4a28fc946ea90044dec65209889ae7f2d753e7f41e02fdd5030e59e2d3b541868fa3935ad596be1d2ba027489d0ac05e559ca0e28e9

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
92KB

MD5
587061a314367c7e36458226953e8750

SHA1
ece7292d7bfc9ae212eae587ea6b89a1485d9b1d

SHA256
5d47cbd5511862484e537bd360d26014b23f7a40927bb12f6f6f68b6c2223656

SHA512
a151e5d8cbfbb383bc36e9b56a1a807cfc541238b6be19d498e08a7154e8d83dd34a1739c02bb5ad615ca8e2895fb4f571b4c3e64fd8ab305a2c39f80eb1eb14

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
92KB

MD5
c9f7adc3680d33c421aa6b8169f58c8e

SHA1
8a5bdb6998b1f20d25aea1f633600720d4167ab3

SHA256
be2605a85ac5eed8b0b4fb42ee3053ac9214612614dfb169ec879e68ee287a6e

SHA512
d44cbcdb67ae2a9032be67694085f5b8da491b0a3da5d5c7eb5d3b7a27d391ffca6acb87c91cbaac37a8e8d1d133dbe31bf1b04ce956390704b9ed97601e4cb7

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
92KB

MD5
00a7a689809fbc5e3be3e11349f10624

SHA1
278b6b177cfb9fef542bcc62cc31bee46a58d851

SHA256
e39392d9108f22c18df0efc733d4f5f2964a514abfaf1d4e19ba6ea8a42d4506

SHA512
c7cf052e17012afe44419503bb075ecdfb6d35b87b27b29d2e06ee11dbc5773cc05357b35c66f0ac16afd8737874ff8c3aff5d4f66aa8a7580f679be2cbda5b4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
92KB

MD5
5221ab64e457ea20704222cabb0d58fc

SHA1
3a6f16db86144ed75c4afa2f6dc72b400d02464e

SHA256
1a94a16d4c3c253770a13ea5612fcc963436ff24614f6c70f8ff5ef9707fc607

SHA512
201e84ece29623c036a57c51dbf07548faeca81bad083a934a2333c1fa32ecec46ba2d61590ee57f40d90000e082e25c132cb2c26525e5177cdbfcd8170dbdfa

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
92KB

MD5
5c8879ff6ded71e298cdc8ca746c7b6b

SHA1
fc883ceffee8c613907b66177a2fdd9353b77643

SHA256
92159ca21435228599f63bca2d8c2f569489f6b18873714fcfb155218853fc91

SHA512
c01f4bc10d4faf7225056cb3040bfb870c333c06075d00bb0eaa53f70ea1f5bb16215d327453b2c76cf815f1a0a23b5a2fae11f99bdeff2bbb62aed4ea3d2118

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
92KB

MD5
58ca41e512ca6b7c829640f4b619bdbe

SHA1
18f772b80bc3cb70cd8dfcc3326449a04ce52a7b

SHA256
32f4155eb487a340de769c406c11b98719a5125ee59dcf65bf9d5fa186926144

SHA512
2dd6cdf8514959057df31b8b046eb6cdffb3e158026b013507f31acd7dfeb3bbebe0c87f6cdf040801f837b11e90d6dda47889ef7d059ee40df08f34f4539682

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
92KB

MD5
c379d51b3e11e5cf99828749f2aa14cb

SHA1
3ea2545176c4361a6487f505d2fbd2d1566dc7f1

SHA256
672980f80a9cf053f33438c4441e0e31ed7c1f5d7a22268faed79e1ba84b6467

SHA512
78e4e33e4a91424d5dfd9ae733473319d2a022d6977a18c918d11c97af8549f236d9d43dfe485541fc8f9b790e98c82f62525c9c498f3ce2df6ce46aba48485e

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
92KB

MD5
a1006541d93e55b845ab3d6c4dea40ed

SHA1
afd9557f726404c5785df7604cba8d424a7375ba

SHA256
70f739ba979ad2b0fabac49791b7b65f8bb963a316b7f40888456313cfb654df

SHA512
721e69e9f2779bba5d5f1b0c81564de663e28d969e132ee307d56edbb891f5ff6162b5565220b84f479141072af8c93f8254f5e8f0756eff1254f98b41661cbe

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
92KB

MD5
d2e78fb8b1dfd26ab70bafbc1f2ca7a2

SHA1
95b2503fb3df190a09f2ea42f0c109bb117f9810

SHA256
81dd32e96ca971e1f46d78d0781a4cc1d1178a5b4f5b2c955bfe37040ba9e065

SHA512
f5be0c95d9a43f8ffd76dccaf6525b8eb632b046d158b0902ab36145b28596ceae795276cf287c41ec61881fa5b0b7fc3d4dfe36a99d6707452656f2d9aafc97

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
92KB

MD5
0e240dd96322f099829f7da2a54ab1a9

SHA1
f6ec7f9fd3ffcaeafa18a28f97f0e7d53be65732

SHA256
9b33b6423872c747186706ef2fa3a60a3a8e698fce5611d72652e08706554359

SHA512
d5a9f60b00a708503dc16f8e107ae909647b13f9a34910e9f4e020eafc24c19524252937829eccffb96f97d58aa3ee6ea823d9e60e0e2b455e39274b7de53c0c

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
92KB

MD5
b7f3e6790a0962fc4d5367811ad8196d

SHA1
cc81f0685b906c5a5682b5eba573d3d157949cb2

SHA256
d2218f8a1b1ee3ccf44555b90fe7d20140b238969f931fd48dd3175a78db505b

SHA512
a2215dff227aab2ea651925df307266d072791104514ec40c34bb012cb1a1f15cb11a0390cbf2108b776c11122f792913e4fb94c36a2f72e65b89e67b1edf21d

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
92KB

MD5
aed375f575ae23747bd9f92a2bfacc9b

SHA1
fcfa3ffe1e1b4e407f706af57b3890d7a6948e9f

SHA256
3fe4ef3974816bbb4c6a7440cda0ed4f4528b527af8523c395e202155ef5f5e8

SHA512
ff82760cf600d9ef939cda9753b8a65323c78115d54df0ac81f7b80984351f489bd3b77fdb6def20a11110ca8028be7a889c8b75c6e86e78b48798f2c485ad1c

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
92KB

MD5
e4910b05b71b2e8755d24dbfc6153247

SHA1
b60712d2573e8a58bcb8ca826331f579d4db2432

SHA256
c1bfddcd0fa1168c5c1ec4c16fb84014ff2a11a2f89cc1d2769ee23a3ba469e4

SHA512
e024c9214ae0ce0bfc725e018276c7bb3775497e8e82127950819bfc6e3088b13d3985493cb038ec9adcfc9bb4af423af45a2da7ad69bfab1704148668af757a

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
92KB

MD5
590b7a660b4273911dc34a158066c285

SHA1
71a139fceb0b5d4507c0cefd425b7b50b9f3ea35

SHA256
e117d2c29961b52154aa369e791419d183dcbc02cae18ba94ba6853f588addc5

SHA512
d607b1970c982f2feac7b4aff27a9c09dd7bc408b9a2c73f86b256c366dec310f6667518bebc712dd71f679121cefda100b38d01bfaac7f64286b86d6bdfacc6

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
92KB

MD5
ef0af4a9d8b71f06db8c236802c72657

SHA1
3e1bff1d3a0c02acfffd87b60338cc214f6ee9da

SHA256
68095fce001ee41a5124d5f64820b2d391093016ceb2bfeebb77fa04925d1175

SHA512
f35f30c2fade9424f4fa19a9b04588555dc3abbfbbdd9f7a55bab60191722526387bc621377e6c0f611e057337d20adfcc7e3301e59f53a3fe5e7d5c0c94c50d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
92KB

MD5
d99e12c96ab5091e37e36b5eb0598416

SHA1
22e2ff74fbd08e53063616d45b4fa40dc3b5207c

SHA256
71e7288e8e756476a523ebadc5077eb80d2fbff8e488c32144ca48a2c88acd1f

SHA512
b64a580117ad6172b76f50118bae67cf883c017acafe46a91306568e83bb5786c83614c1ef9a0b41b99dd256c94f80cec70868e96b8b2680cd7211995147ac71

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
92KB

MD5
c106cf13f82823e9cf93038320a13257

SHA1
317785e32090d7b3803de90fbeceb26a9522d459

SHA256
3bb90c342c879608c331d45134e9f61e41804d1595a274aadce86c0f789328bd

SHA512
c51b0be24c40fd383a8d4488399cdb31e0be4d4b01285707dc6609930496aa3fbd606ed675562ba66acdcb550e89f47306167574d16efb11abdf493ef4bf5dca

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
92KB

MD5
55e5118b1f6726e6b6d941f9cbdabc35

SHA1
af88daa950a36f6486364641534f58513ff3b9ac

SHA256
464188e82003fb47f966b84fe8fb5d532ea24972f076b06e7e839f8ad60cd7a0

SHA512
e2f6fcae73d9adbd143b6759fb0903458ce7f71610a1a83088c4758692060c7ba53f54de2d41c6e62de4363a352999a6cf3ad09d4c723cecd3e94731e28c7734

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
92KB

MD5
9f9804a3ce92cba6d9f91cfbdfb86a65

SHA1
3fd136ab9d5b5a5703db5a56ed11685266a9d302

SHA256
79a9f5b6147edc62097e1da8a05cb64f142cb93228f6e166b6add144c37e61bf

SHA512
07cedf6588f705bce8ce6dad761fdf5bd5600cc39db6aaeaeaf641d7303f64d66d9dd4f726e8c36bf2b9be59a8f195ccf25990bd86452b103ec252ce8a52bad3

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
92KB

MD5
851100bbedc0b96ac7b71a7139450145

SHA1
6d97cad85da5db1ddc1e408878b8620c475eafff

SHA256
8dfd86e2dcfe701f1b44c15945419e50008fb08fa8aab3f0822faee08bbd3237

SHA512
c41b24c63814cf90471d3a64571924ddbf899c03ba4621c48ddcbc835fd81515d8ec63d3f839b8d2f0718bc8810bf6c2b45a013235e0b78152d49835d2d63aba

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
92KB

MD5
868a0603694fbe073fc819622aec8db2

SHA1
9d58b27dfecc8c36211436eb9c3c949aa11ef512

SHA256
0c336e8888a99c4189510dde71896f5b04e715ae5810340bd807256981f1e9dd

SHA512
b6b238a05e3f91d316603e2b39c7b8842c8407b22545f34cba889f50c6e9acb2ea9c209f2c4155bfaa8a00b25c861fcc690e76872325431d5efaf7460f613ba8

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
92KB

MD5
ca598a2d7937d137c473ae90d8c090cb

SHA1
259415282118e5bd89f6e97c182a6cfba7ed15ca

SHA256
ac48e6a1620c56260ad27e0b73c70ca4ca55041dc02e7ac6b94972b74e915223

SHA512
a568ff490e92ace53a7c9ea733d3f0f554464ecf2e444899175822dd8d0710244054b0675bffc6a388ba9b95d0d3f8df4c4ebb456625f7a38a1362863af561f6

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
92KB

MD5
304c1c8c74e4ce41b917130c82a953c9

SHA1
e263f2f8643d546cb8261a55c2df37e56a02f139

SHA256
11f6c5494ec3da5513e87c9613511604e4ff1f982238cc8b7a51b1e4c3447b89

SHA512
1c1d89a1aab3fbc99d90fe2ad6bd6f7ff96cb905d5e02bca212420c094d5a7a91bc4fed886b235119fceaf49acc0890b408bd88f47b5d24ea6d4dfe9f35a1ee0

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
92KB

MD5
39fb2f642cd08442319df4e212b13a36

SHA1
1d92badf438da7e17ea635f98a73ef260e84c03e

SHA256
816afeefd23e1c082f1f95f251ea63da61c404d57727cbec11deed87efabfb4e

SHA512
bdd7f625d3293e11c8524ff531124e6a7f8de46a16817a3b83cbd42444212647a476616454e122b0d3c3f6efcc0533bf6c4589f3022896990350c6a95219f689

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
92KB

MD5
ac56d60b92d00d4730896dd1517032cf

SHA1
a8c90f7d9af4586bfd8cacb5be9c7550c37f07ce

SHA256
625bd66eaf52d8905604614b18e91c65a19d8243508aa08c3396928de3ee891d

SHA512
9f2a2f85d0201d8f53c4bbf720c9fbee03fb7461227995d83768633c2dc61ca61da0a804ff3a3cbbd0e644640281262428d9f2c28c9b730096114fcac90f0c66

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
92KB

MD5
0adc63ff20459480a52c59ddb3a2d3a4

SHA1
09b3fa4651c989936cad2c0c66941906e59a7873

SHA256
536df509c7644233c1bef4e794e152a340096c1d9130366ec664bbd84619eb02

SHA512
238cec9590d57bf96032f6af43e43d18e0ed140fc5cb72eaace2fa6d0ec622b13392098bbf3f932edebc94329bdca402d8ee7153ab7bfbd996011d7d19624d9f

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
92KB

MD5
a7d7ea777c8738f823af697f696db010

SHA1
9e8326e867f0f57196aca85d1ad514315f9a3090

SHA256
c9bfbb235eb39f06738cacb31e726fb1dd27d6dd808609eda7fc269fea1381cc

SHA512
66386ddefdc4dcc737fb749d8dc13c88b2558678cf3d51eea2dcbe4ad4cbaf448e9bcf11c122f8bd132e9a76d034a4584496a83136c8e95033809665c7fe937e

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
92KB

MD5
93d928d30cc7e394b35276d4d882cd59

SHA1
5e9e132b99ea8fc9bff3f05845f6e83506f65ce5

SHA256
e06223addbc10542300808c37e40f490d3e56ecdc6d3da14b97867b4979682ae

SHA512
9de8b576ef2e7877b1204e16d3094ec3c74b72aecf39f9e4be0028857ec32b2c6f5e713828e65e352e0fb353f82183ab91a834e41e97bb566843e9997b96c449

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
92KB

MD5
b995c3b75edc673368248eaab6e484f7

SHA1
a84ddc8e3e34276d3f006c97f2f6d1a7bf16099c

SHA256
fc4c3bbc542533893c1332ed340ffe6e17c8690d2ad772fec34faaf388f432d1

SHA512
453eb77ae6b16cf9d955997be067c1ff8f08a8c4bc9de9ddb02e59b2f4a684939f61a1ba95f6e413a7c7a15f2868cae73ca193ce60b4d422ed436abff4be04a2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
92KB

MD5
461c758c8ab2d6f4f8e2b4517482fd15

SHA1
0a254ee46edb34db45009c737a58c94e754b5877

SHA256
37ab0a67ae28298e2fafaabb42026375609ba76713264c88ad1e347113365c17

SHA512
cea2d60b939db712b8c7ddeedc84933d4c2357b8155f9738d11659a4eb5c30cba2092346557e47eb358642461bee17afabb54697df5f6fe2e2473bb9090f16ee

Download Submit
memory/224-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2984-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3436-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4728-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads