3f03262a24c9f053df87fd6ac68f6a9ca2ad3fcc10aa30c3f5df29245fb4ff1d

Analysis

max time kernel
2s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 14:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7a748ae3f5eb83833eebc2571bd2580.exe
Size

123KB
MD5

a7a748ae3f5eb83833eebc2571bd2580
SHA1

c285052bf14451ea0dc88303596a09b2d165ccbb
SHA256

3f03262a24c9f053df87fd6ac68f6a9ca2ad3fcc10aa30c3f5df29245fb4ff1d
SHA512

eaf1a04a1a132e01ab9299bb87987eb39b03c8cde159012a1a079119b04ae2c0e1d3adb53d7cb2f156ec2a965d413717c2efc6afc772584d2a60c39c52b90532
SSDEEP

3072:MtMbGKfZ0DWR0bvC3dTRf96KRYSa9rR85DEn5k7r8:MtMCMZ0vwh96K4rQD85k/8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkppbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmfbogcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkbap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mggpgmof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkeimlfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maoajf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maoajf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmhodf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcegmm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkppbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mggpgmof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mppepcfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgljbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmhodf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meccii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkbap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpjlajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcegmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a7a748ae3f5eb83833eebc2571bd2580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mppepcfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkeimlfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpfkqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a7a748ae3f5eb83833eebc2571bd2580.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgljbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfbogcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpjlajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpfkqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meccii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlmlecec.exe

Executes dropped EXE 15 IoCs

pid	Process
2188	Kpmlkp32.exe
2324	Llkbap32.exe
3032	Lkppbl32.exe
2804	Mggpgmof.exe
2716	Mppepcfg.exe
2596	Mkeimlfm.exe
2448	Maoajf32.exe
2860	Mgljbm32.exe
2936	Mmfbogcn.exe
1944	Mdpjlajk.exe
1576	Mmhodf32.exe
1056	Mpfkqb32.exe
1628	Mcegmm32.exe
3000	Meccii32.exe
1856	Mlmlecec.exe

Loads dropped DLL 30 IoCs

pid	Process
2056	a7a748ae3f5eb83833eebc2571bd2580.exe
2056	a7a748ae3f5eb83833eebc2571bd2580.exe
2188	Kpmlkp32.exe
2188	Kpmlkp32.exe
2324	Llkbap32.exe
2324	Llkbap32.exe
3032	Lkppbl32.exe
3032	Lkppbl32.exe
2804	Mggpgmof.exe
2804	Mggpgmof.exe
2716	Mppepcfg.exe
2716	Mppepcfg.exe
2596	Mkeimlfm.exe
2596	Mkeimlfm.exe
2448	Maoajf32.exe
2448	Maoajf32.exe
2860	Mgljbm32.exe
2860	Mgljbm32.exe
2936	Mmfbogcn.exe
2936	Mmfbogcn.exe
1944	Mdpjlajk.exe
1944	Mdpjlajk.exe
1576	Mmhodf32.exe
1576	Mmhodf32.exe
1056	Mpfkqb32.exe
1056	Mpfkqb32.exe
1628	Mcegmm32.exe
1628	Mcegmm32.exe
3000	Meccii32.exe
3000	Meccii32.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkeimlfm.exe	Mppepcfg.exe
File created	C:\Windows\SysWOW64\Loolpo32.dll	Maoajf32.exe
File opened for modification	C:\Windows\SysWOW64\Mmhodf32.exe	Mdpjlajk.exe
File created	C:\Windows\SysWOW64\Fbbkkjih.dll	Mdpjlajk.exe
File created	C:\Windows\SysWOW64\Ijlhmj32.dll	Mcegmm32.exe
File opened for modification	C:\Windows\SysWOW64\Llkbap32.exe	Kpmlkp32.exe
File created	C:\Windows\SysWOW64\Mgljbm32.exe	Maoajf32.exe
File created	C:\Windows\SysWOW64\Mdpjlajk.exe	Mmfbogcn.exe
File created	C:\Windows\SysWOW64\Ofbjgh32.dll	Mmhodf32.exe
File created	C:\Windows\SysWOW64\Mcegmm32.exe	Mpfkqb32.exe
File created	C:\Windows\SysWOW64\Dfnfdcqd.dll	Mpfkqb32.exe
File opened for modification	C:\Windows\SysWOW64\Meccii32.exe	Mcegmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mppepcfg.exe	Mggpgmof.exe
File created	C:\Windows\SysWOW64\Lnmfog32.dll	Mggpgmof.exe
File created	C:\Windows\SysWOW64\Najdnj32.exe	Mlmlecec.exe
File created	C:\Windows\SysWOW64\Pqhmfm32.dll	Mlmlecec.exe
File created	C:\Windows\SysWOW64\Llkbap32.exe	Kpmlkp32.exe
File created	C:\Windows\SysWOW64\Lkppbl32.exe	Llkbap32.exe
File created	C:\Windows\SysWOW64\Bmamfo32.dll	Lkppbl32.exe
File created	C:\Windows\SysWOW64\Maoajf32.exe	Mkeimlfm.exe
File opened for modification	C:\Windows\SysWOW64\Mdpjlajk.exe	Mmfbogcn.exe
File opened for modification	C:\Windows\SysWOW64\Lkppbl32.exe	Llkbap32.exe
File created	C:\Windows\SysWOW64\Lkoacn32.dll	Mmfbogcn.exe
File created	C:\Windows\SysWOW64\Mmhodf32.exe	Mdpjlajk.exe
File created	C:\Windows\SysWOW64\Mpfkqb32.exe	Mmhodf32.exe
File created	C:\Windows\SysWOW64\Mlmlecec.exe	Meccii32.exe
File opened for modification	C:\Windows\SysWOW64\Najdnj32.exe	Mlmlecec.exe
File opened for modification	C:\Windows\SysWOW64\Mcegmm32.exe	Mpfkqb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmlkp32.exe	a7a748ae3f5eb83833eebc2571bd2580.exe
File created	C:\Windows\SysWOW64\Mggpgmof.exe	Lkppbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mggpgmof.exe	Lkppbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mkeimlfm.exe	Mppepcfg.exe
File created	C:\Windows\SysWOW64\Mmfbogcn.exe	Mgljbm32.exe
File created	C:\Windows\SysWOW64\Ohkgmi32.dll	Mgljbm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpfkqb32.exe	Mmhodf32.exe
File opened for modification	C:\Windows\SysWOW64\Mlmlecec.exe	Meccii32.exe
File created	C:\Windows\SysWOW64\Gmndnn32.dll	Meccii32.exe
File created	C:\Windows\SysWOW64\Nfcijc32.dll	a7a748ae3f5eb83833eebc2571bd2580.exe
File created	C:\Windows\SysWOW64\Bbmfll32.dll	Llkbap32.exe
File created	C:\Windows\SysWOW64\Mppepcfg.exe	Mggpgmof.exe
File created	C:\Windows\SysWOW64\Gfadgaio.dll	Mppepcfg.exe
File created	C:\Windows\SysWOW64\Oacima32.dll	Mkeimlfm.exe
File opened for modification	C:\Windows\SysWOW64\Mgljbm32.exe	Maoajf32.exe
File created	C:\Windows\SysWOW64\Meccii32.exe	Mcegmm32.exe
File created	C:\Windows\SysWOW64\Kpmlkp32.exe	a7a748ae3f5eb83833eebc2571bd2580.exe
File created	C:\Windows\SysWOW64\Hbfcml32.dll	Kpmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Maoajf32.exe	Mkeimlfm.exe
File opened for modification	C:\Windows\SysWOW64\Mmfbogcn.exe	Mgljbm32.exe

Program crash 1 IoCs

pid	pid_target	Process
3232	3168	WerFault.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll"	Mcegmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maoajf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmhodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll"	Maoajf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkeimlfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpfkqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll"	a7a748ae3f5eb83833eebc2571bd2580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll"	Kpmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llkbap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpjlajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmfog32.dll"	Mggpgmof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll"	Mpfkqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgljbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpfkqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhmfm32.dll"	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a7a748ae3f5eb83833eebc2571bd2580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mggpgmof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamfo32.dll"	Lkppbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkeimlfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmfbogcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a7a748ae3f5eb83833eebc2571bd2580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcegmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkppbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mggpgmof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll"	Mgljbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll"	Mmfbogcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a7a748ae3f5eb83833eebc2571bd2580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll"	Llkbap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgljbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mppepcfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll"	Mkeimlfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meccii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maoajf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meccii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a7a748ae3f5eb83833eebc2571bd2580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcegmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlmlecec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll"	Mdpjlajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmhodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll"	Mmhodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llkbap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkppbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a7a748ae3f5eb83833eebc2571bd2580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfadgaio.dll"	Mppepcfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mppepcfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmfbogcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll"	Meccii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpjlajk.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2188	2056	a7a748ae3f5eb83833eebc2571bd2580.exe	28
PID 2056 wrote to memory of 2188	2056	a7a748ae3f5eb83833eebc2571bd2580.exe	28
PID 2056 wrote to memory of 2188	2056	a7a748ae3f5eb83833eebc2571bd2580.exe	28
PID 2056 wrote to memory of 2188	2056	a7a748ae3f5eb83833eebc2571bd2580.exe	28
PID 2188 wrote to memory of 2324	2188	Kpmlkp32.exe	29
PID 2188 wrote to memory of 2324	2188	Kpmlkp32.exe	29
PID 2188 wrote to memory of 2324	2188	Kpmlkp32.exe	29
PID 2188 wrote to memory of 2324	2188	Kpmlkp32.exe	29
PID 2324 wrote to memory of 3032	2324	Llkbap32.exe	140
PID 2324 wrote to memory of 3032	2324	Llkbap32.exe	140
PID 2324 wrote to memory of 3032	2324	Llkbap32.exe	140
PID 2324 wrote to memory of 3032	2324	Llkbap32.exe	140
PID 3032 wrote to memory of 2804	3032	Lkppbl32.exe	139
PID 3032 wrote to memory of 2804	3032	Lkppbl32.exe	139
PID 3032 wrote to memory of 2804	3032	Lkppbl32.exe	139
PID 3032 wrote to memory of 2804	3032	Lkppbl32.exe	139
PID 2804 wrote to memory of 2716	2804	Mggpgmof.exe	138
PID 2804 wrote to memory of 2716	2804	Mggpgmof.exe	138
PID 2804 wrote to memory of 2716	2804	Mggpgmof.exe	138
PID 2804 wrote to memory of 2716	2804	Mggpgmof.exe	138
PID 2716 wrote to memory of 2596	2716	Mppepcfg.exe	137
PID 2716 wrote to memory of 2596	2716	Mppepcfg.exe	137
PID 2716 wrote to memory of 2596	2716	Mppepcfg.exe	137
PID 2716 wrote to memory of 2596	2716	Mppepcfg.exe	137
PID 2596 wrote to memory of 2448	2596	Mkeimlfm.exe	136
PID 2596 wrote to memory of 2448	2596	Mkeimlfm.exe	136
PID 2596 wrote to memory of 2448	2596	Mkeimlfm.exe	136
PID 2596 wrote to memory of 2448	2596	Mkeimlfm.exe	136
PID 2448 wrote to memory of 2860	2448	Maoajf32.exe	135
PID 2448 wrote to memory of 2860	2448	Maoajf32.exe	135
PID 2448 wrote to memory of 2860	2448	Maoajf32.exe	135
PID 2448 wrote to memory of 2860	2448	Maoajf32.exe	135
PID 2860 wrote to memory of 2936	2860	Mgljbm32.exe	134
PID 2860 wrote to memory of 2936	2860	Mgljbm32.exe	134
PID 2860 wrote to memory of 2936	2860	Mgljbm32.exe	134
PID 2860 wrote to memory of 2936	2860	Mgljbm32.exe	134
PID 2936 wrote to memory of 1944	2936	Mmfbogcn.exe	133
PID 2936 wrote to memory of 1944	2936	Mmfbogcn.exe	133
PID 2936 wrote to memory of 1944	2936	Mmfbogcn.exe	133
PID 2936 wrote to memory of 1944	2936	Mmfbogcn.exe	133
PID 1944 wrote to memory of 1576	1944	Mdpjlajk.exe	132
PID 1944 wrote to memory of 1576	1944	Mdpjlajk.exe	132
PID 1944 wrote to memory of 1576	1944	Mdpjlajk.exe	132
PID 1944 wrote to memory of 1576	1944	Mdpjlajk.exe	132
PID 1576 wrote to memory of 1056	1576	Mmhodf32.exe	131
PID 1576 wrote to memory of 1056	1576	Mmhodf32.exe	131
PID 1576 wrote to memory of 1056	1576	Mmhodf32.exe	131
PID 1576 wrote to memory of 1056	1576	Mmhodf32.exe	131
PID 1056 wrote to memory of 1628	1056	Mpfkqb32.exe	130
PID 1056 wrote to memory of 1628	1056	Mpfkqb32.exe	130
PID 1056 wrote to memory of 1628	1056	Mpfkqb32.exe	130
PID 1056 wrote to memory of 1628	1056	Mpfkqb32.exe	130
PID 1628 wrote to memory of 3000	1628	Mcegmm32.exe	129
PID 1628 wrote to memory of 3000	1628	Mcegmm32.exe	129
PID 1628 wrote to memory of 3000	1628	Mcegmm32.exe	129
PID 1628 wrote to memory of 3000	1628	Mcegmm32.exe	129
PID 3000 wrote to memory of 1856	3000	Meccii32.exe	30
PID 3000 wrote to memory of 1856	3000	Meccii32.exe	30
PID 3000 wrote to memory of 1856	3000	Meccii32.exe	30
PID 3000 wrote to memory of 1856	3000	Meccii32.exe	30

C:\Users\Admin\AppData\Local\Temp\a7a748ae3f5eb83833eebc2571bd2580.exe
"C:\Users\Admin\AppData\Local\Temp\a7a748ae3f5eb83833eebc2571bd2580.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Kpmlkp32.exe
  C:\Windows\system32\Kpmlkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Llkbap32.exe
    C:\Windows\system32\Llkbap32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\Lkppbl32.exe
      C:\Windows\system32\Lkppbl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032

C:\Windows\SysWOW64\Mlmlecec.exe
C:\Windows\system32\Mlmlecec.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1856
- C:\Windows\SysWOW64\Najdnj32.exe
  C:\Windows\system32\Najdnj32.exe
  2⤵
  PID:2948

C:\Windows\SysWOW64\Nkeelohh.exe
C:\Windows\system32\Nkeelohh.exe
1⤵
PID:1148
- C:\Windows\SysWOW64\Nncahjgl.exe
  C:\Windows\system32\Nncahjgl.exe
  2⤵
  PID:1648

C:\Windows\SysWOW64\Ngnbgplj.exe
C:\Windows\system32\Ngnbgplj.exe
1⤵
PID:2764
- C:\Windows\SysWOW64\Nacgdhlp.exe
  C:\Windows\system32\Nacgdhlp.exe
  2⤵
  PID:2844

C:\Windows\SysWOW64\Olpdjf32.exe
C:\Windows\system32\Olpdjf32.exe
1⤵
PID:2544
- C:\Windows\SysWOW64\Oonafa32.exe
  C:\Windows\system32\Oonafa32.exe
  2⤵
  PID:472
- - C:\Windows\SysWOW64\Ofhick32.exe
    C:\Windows\system32\Ofhick32.exe
    3⤵
    PID:2964

C:\Windows\SysWOW64\Oqmmpd32.exe
C:\Windows\system32\Oqmmpd32.exe
1⤵
PID:752
- C:\Windows\SysWOW64\Oclilp32.exe
  C:\Windows\system32\Oclilp32.exe
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\Ojfaijcc.exe
    C:\Windows\system32\Ojfaijcc.exe
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\Okgnab32.exe
      C:\Windows\system32\Okgnab32.exe
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\Ocnfbo32.exe
        
        C:\Windows\system32\Ocnfbo32.exe
        5⤵
        
        PID:596
      - C:\Windows\SysWOW64\Odobjg32.exe
        
        C:\Windows\system32\Odobjg32.exe
        6⤵
        
        PID:2856

C:\Windows\SysWOW64\Pogclp32.exe
C:\Windows\system32\Pogclp32.exe
1⤵
PID:2888
- C:\Windows\SysWOW64\Pbfpik32.exe
  C:\Windows\system32\Pbfpik32.exe
  2⤵
  PID:320

C:\Windows\SysWOW64\Pedleg32.exe
C:\Windows\system32\Pedleg32.exe
1⤵
PID:2020
- C:\Windows\SysWOW64\Pjadmnic.exe
  C:\Windows\system32\Pjadmnic.exe
  2⤵
  PID:396
- - C:\Windows\SysWOW64\Pefijfii.exe
    C:\Windows\system32\Pefijfii.exe
    3⤵
    PID:2728

C:\Windows\SysWOW64\Pnomcl32.exe
C:\Windows\system32\Pnomcl32.exe
1⤵
PID:684
- C:\Windows\SysWOW64\Peiepfgg.exe
  C:\Windows\system32\Peiepfgg.exe
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\Pfjbgnme.exe
    C:\Windows\system32\Pfjbgnme.exe
    3⤵
    PID:2740

C:\Windows\SysWOW64\Pmdjdh32.exe
C:\Windows\system32\Pmdjdh32.exe
1⤵
PID:2072
- C:\Windows\SysWOW64\Pcnbablo.exe
  C:\Windows\system32\Pcnbablo.exe
  2⤵
  PID:2916

C:\Windows\SysWOW64\Pikkiijf.exe
C:\Windows\system32\Pikkiijf.exe
1⤵
PID:1124
- C:\Windows\SysWOW64\Qmfgjh32.exe
  C:\Windows\system32\Qmfgjh32.exe
  2⤵
  PID:2984

C:\Windows\SysWOW64\Qimhoi32.exe
C:\Windows\system32\Qimhoi32.exe
1⤵
PID:1656
- C:\Windows\SysWOW64\Qpgpkcpp.exe
  C:\Windows\system32\Qpgpkcpp.exe
  2⤵
  PID:1044

C:\Windows\SysWOW64\Abhimnma.exe
C:\Windows\system32\Abhimnma.exe
1⤵
PID:1404
- C:\Windows\SysWOW64\Aefeijle.exe
  C:\Windows\system32\Aefeijle.exe
  2⤵
  PID:2192

C:\Windows\SysWOW64\Aidnohbk.exe
C:\Windows\system32\Aidnohbk.exe
1⤵
PID:2160
- C:\Windows\SysWOW64\Albjlcao.exe
  C:\Windows\system32\Albjlcao.exe
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\Abmbhn32.exe
    C:\Windows\system32\Abmbhn32.exe
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\Aekodi32.exe
      C:\Windows\system32\Aekodi32.exe
      4⤵
      PID:960
    - - C:\Windows\SysWOW64\Bldcpf32.exe
        
        C:\Windows\system32\Bldcpf32.exe
        5⤵
        
        PID:2724
      - C:\Windows\SysWOW64\Bocolb32.exe
        
        C:\Windows\system32\Bocolb32.exe
        6⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Biicik32.exe
        
        C:\Windows\system32\Biicik32.exe
        7⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Ceodnl32.exe
        
        C:\Windows\system32\Ceodnl32.exe
        8⤵
        
        PID:1696

C:\Windows\SysWOW64\Aamfnkai.exe
C:\Windows\system32\Aamfnkai.exe
1⤵
PID:2672

C:\Windows\SysWOW64\Alpmfdcb.exe
C:\Windows\system32\Alpmfdcb.exe
1⤵
PID:928

C:\Windows\SysWOW64\Alnqqd32.exe
C:\Windows\system32\Alnqqd32.exe
1⤵
PID:1540

C:\Windows\SysWOW64\Aipddi32.exe
C:\Windows\system32\Aipddi32.exe
1⤵
PID:1900

C:\Windows\SysWOW64\Qbelgood.exe
C:\Windows\system32\Qbelgood.exe
1⤵
PID:2796

C:\Windows\SysWOW64\Chpmpg32.exe
C:\Windows\system32\Chpmpg32.exe
1⤵
PID:1036
- C:\Windows\SysWOW64\Cnmehnan.exe
  C:\Windows\system32\Cnmehnan.exe
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\Chbjffad.exe
    C:\Windows\system32\Chbjffad.exe
    3⤵
    PID:1172

C:\Windows\SysWOW64\Cdikkg32.exe
C:\Windows\system32\Cdikkg32.exe
1⤵
PID:2408
- C:\Windows\SysWOW64\Cnaocmmi.exe
  C:\Windows\system32\Cnaocmmi.exe
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\Djhphncm.exe
    C:\Windows\system32\Djhphncm.exe
    3⤵
    PID:3052

C:\Windows\SysWOW64\Dpbheh32.exe
C:\Windows\system32\Dpbheh32.exe
1⤵
PID:1224
- C:\Windows\SysWOW64\Dcadac32.exe
  C:\Windows\system32\Dcadac32.exe
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\Djklnnaj.exe
    C:\Windows\system32\Djklnnaj.exe
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\Dhnmij32.exe
      C:\Windows\system32\Dhnmij32.exe
      4⤵
      PID:2792

C:\Windows\SysWOW64\Dbfabp32.exe
C:\Windows\system32\Dbfabp32.exe
1⤵
PID:2360
- C:\Windows\SysWOW64\Dhpiojfb.exe
  C:\Windows\system32\Dhpiojfb.exe
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\Dojald32.exe
    C:\Windows\system32\Dojald32.exe
    3⤵
    PID:272

C:\Windows\SysWOW64\Dfffnn32.exe
C:\Windows\system32\Dfffnn32.exe
1⤵
PID:3248
- C:\Windows\SysWOW64\Dggcffhg.exe
  C:\Windows\system32\Dggcffhg.exe
  2⤵
  PID:3300

C:\Windows\SysWOW64\Enakbp32.exe
C:\Windows\system32\Enakbp32.exe
1⤵
PID:3404
- C:\Windows\SysWOW64\Eqpgol32.exe
  C:\Windows\system32\Eqpgol32.exe
  2⤵
  PID:3452

C:\Windows\SysWOW64\Ednpej32.exe
C:\Windows\system32\Ednpej32.exe
1⤵
PID:3636
- C:\Windows\SysWOW64\Ecqqpgli.exe
  C:\Windows\system32\Ecqqpgli.exe
  2⤵
  PID:3696

C:\Windows\SysWOW64\Emkaol32.exe
C:\Windows\system32\Emkaol32.exe
1⤵
PID:3920
- C:\Windows\SysWOW64\Eqgnokip.exe
  C:\Windows\system32\Eqgnokip.exe
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\Efcfga32.exe
    C:\Windows\system32\Efcfga32.exe
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\Eibbcm32.exe
      C:\Windows\system32\Eibbcm32.exe
      4⤵
      PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 140
1⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\Fkckeh32.exe
C:\Windows\system32\Fkckeh32.exe
1⤵
PID:3168

C:\Windows\SysWOW64\Fjaonpnn.exe
C:\Windows\system32\Fjaonpnn.exe
1⤵
PID:3120

C:\Windows\SysWOW64\Echfaf32.exe
C:\Windows\system32\Echfaf32.exe
1⤵
PID:1188

C:\Windows\SysWOW64\Efaibbij.exe
C:\Windows\system32\Efaibbij.exe
1⤵
PID:3872

C:\Windows\SysWOW64\Emieil32.exe
C:\Windows\system32\Emieil32.exe
1⤵
PID:3816

C:\Windows\SysWOW64\Enfenplo.exe
C:\Windows\system32\Enfenplo.exe
1⤵
PID:3752

C:\Windows\SysWOW64\Ebodiofk.exe
C:\Windows\system32\Ebodiofk.exe
1⤵
PID:3584

C:\Windows\SysWOW64\Egjpkffe.exe
C:\Windows\system32\Egjpkffe.exe
1⤵
PID:3540

C:\Windows\SysWOW64\Dkcofe32.exe
C:\Windows\system32\Dkcofe32.exe
1⤵
PID:3348

C:\Windows\SysWOW64\Dolnad32.exe
C:\Windows\system32\Dolnad32.exe
1⤵
PID:3200

C:\Windows\SysWOW64\Ddgjdk32.exe
C:\Windows\system32\Ddgjdk32.exe
1⤵
PID:3136

C:\Windows\SysWOW64\Dbhnhp32.exe
C:\Windows\system32\Dbhnhp32.exe
1⤵
PID:3084

C:\Windows\SysWOW64\Dccagcgk.exe
C:\Windows\system32\Dccagcgk.exe
1⤵
PID:1608

C:\Windows\SysWOW64\Caknol32.exe
C:\Windows\system32\Caknol32.exe
1⤵
PID:2748

C:\Windows\SysWOW64\Cnkicn32.exe
C:\Windows\system32\Cnkicn32.exe
1⤵
PID:2908

C:\Windows\SysWOW64\Qfokbnip.exe
C:\Windows\system32\Qfokbnip.exe
1⤵
PID:1804

C:\Windows\SysWOW64\Qpecfc32.exe
C:\Windows\system32\Qpecfc32.exe
1⤵
PID:1800

C:\Windows\SysWOW64\Pimkpfeh.exe
C:\Windows\system32\Pimkpfeh.exe
1⤵
PID:2648

C:\Windows\SysWOW64\Obcccl32.exe
C:\Windows\system32\Obcccl32.exe
1⤵
PID:2096

C:\Windows\SysWOW64\Ohfeog32.exe
C:\Windows\system32\Ohfeog32.exe
1⤵
PID:2060

C:\Windows\SysWOW64\Ogblbo32.exe
C:\Windows\system32\Ogblbo32.exe
1⤵
PID:1676

C:\Windows\SysWOW64\Oddpfc32.exe
C:\Windows\system32\Oddpfc32.exe
1⤵
PID:2628

C:\Windows\SysWOW64\Onjgiiad.exe
C:\Windows\system32\Onjgiiad.exe
1⤵
PID:2840

C:\Windows\SysWOW64\Ngpolo32.exe
C:\Windows\system32\Ngpolo32.exe
1⤵
PID:2704

C:\Windows\SysWOW64\Ndpfkdmf.exe
C:\Windows\system32\Ndpfkdmf.exe
1⤵
PID:2036

C:\Windows\SysWOW64\Naajoinb.exe
C:\Windows\system32\Naajoinb.exe
1⤵
PID:2172

C:\Windows\SysWOW64\Ndmjedoi.exe
C:\Windows\system32\Ndmjedoi.exe
1⤵
PID:2340

C:\Windows\SysWOW64\Ndkmpe32.exe
C:\Windows\system32\Ndkmpe32.exe
1⤵
PID:1532

C:\Windows\SysWOW64\Ncjqhmkm.exe
C:\Windows\system32\Ncjqhmkm.exe
1⤵
PID:2404

C:\Windows\SysWOW64\Nlphkb32.exe
C:\Windows\system32\Nlphkb32.exe
1⤵
PID:2532

C:\Windows\SysWOW64\Nefpnhlc.exe
C:\Windows\system32\Nefpnhlc.exe
1⤵
PID:1640

C:\Windows\SysWOW64\Meccii32.exe
C:\Windows\system32\Meccii32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\Mcegmm32.exe
C:\Windows\system32\Mcegmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\Mpfkqb32.exe
C:\Windows\system32\Mpfkqb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\Mmhodf32.exe
C:\Windows\system32\Mmhodf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\Mdpjlajk.exe
C:\Windows\system32\Mdpjlajk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\Mmfbogcn.exe
C:\Windows\system32\Mmfbogcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\Mgljbm32.exe
C:\Windows\system32\Mgljbm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\Maoajf32.exe
C:\Windows\system32\Maoajf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\Mkeimlfm.exe
C:\Windows\system32\Mkeimlfm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\Mppepcfg.exe
C:\Windows\system32\Mppepcfg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\Mggpgmof.exe
C:\Windows\system32\Mggpgmof.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lkppbl32.exe

Filesize
123KB

MD5
fd341ef5505e6c959dfe16a3939c40d2

SHA1
f9207cf9eb4dff418665f456f9b5082c1f0c82b1

SHA256
bc63ef672e5fd9121a99257afd2e45f361803bf29672baffce8ab9e3745dc4c7

SHA512
26acf187f1c7328fbff55a969222fa3ac9c0c7f1fa12e07d54e1181af2d57547be6290153addea5cb71ea046d28ca3cca659b11e310c8056e74f118a7f812f2e

Download Submit
C:\Windows\SysWOW64\Maoajf32.exe

Filesize
123KB

MD5
e7ca51ee7864c9a51677190a9783cb88

SHA1
fb4a21d333073c30a6c2c0b517f3a639cb86e902

SHA256
3879cb2d510527b67a8ee05af841412753b3802440944ca3f164a1cb4c6a354b

SHA512
e6bab21e57b3261c09b28166ace3f18e6ca90f323455406132b86890b8d79ad372c0a8f9bd7234521b1fbcc1678a2510e2336741bbdea36d910957daf2f17d66

Download Submit
C:\Windows\SysWOW64\Mggpgmof.exe

Filesize
123KB

MD5
2f237a55f651e822e820b244b546f307

SHA1
2f26f417e364360d3aed5511bc3b4d7a7bf4debe

SHA256
266e27863822e2e2315da31b8d4e50eca687ea5aba0e03904ee338fca884ea8c

SHA512
3f3fda41ddfd18864635bf99ee0a986fd623af1a6ee64b8117c63f41e03a1cda6052f5fc2f11f86e5701ec0faa908283713a6f2178b799990ab3d1a12a3eb3ef

Download Submit
C:\Windows\SysWOW64\Mgljbm32.exe

Filesize
123KB

MD5
1bf589b38a28acbab8ec045f5ff2ad66

SHA1
5557dde42e5dffdfc9bd13b2672876ae847f05c2

SHA256
7b6271d800d0aaa1b29299e97f50146d3878a5cc2a609f81190d4094d1b43ba6

SHA512
bb9498cde1d3a8863c304534ee18c39b191436f9ad2f45e841691eceea0972db0f725ddd14ccaeb0ee2131b36b5b363405494428cf8623ca78ca281376861c32

Download Submit
C:\Windows\SysWOW64\Mkeimlfm.exe

Filesize
123KB

MD5
5c33d307570760f41f0494b7e104850b

SHA1
5ef9fcec851fe7ef982880d9255cf16930120aee

SHA256
0927db835ed8adad4a8a388832f93aa793336d18c58500f8d02c0d150e1c9030

SHA512
bbd3eb02311cc808b13332740366fe6574e49e9870a8bb0c76eaecc860b5e9793431a242efaf388ba30c94d08c199acaf7690d32f6a7bbf3a6ce1af600024ed8

Download Submit
C:\Windows\SysWOW64\Mmfbogcn.exe

Filesize
123KB

MD5
8b8af288c7e46ff99b0949404c307c16

SHA1
ddb3012f59b634f25bed6c7589097c8699b8a232

SHA256
166bac2fb188e4fd4d1daccf792369f34b0b10b410ab180926ac86fd0d395e22

SHA512
b9961589b47f497be3fed8a14041908ac8ac44deb87e849f410bf31d74712b8cfc0e7e575cede27273eb5d025154f38d4faaf175161f34d613de60196bb520c4

Download Submit
C:\Windows\SysWOW64\Mmfbogcn.exe

Filesize
96KB

MD5
d0b78cc29b516b4bcd8eef28ff79dbad

SHA1
25c4634564c380c3c3131ead1d3836b4a1832bb5

SHA256
6eb053100e8e6de986d7ea563ffe63df7179aa973a66a29f144f5fc25f492415

SHA512
5d9449fd6d7828dc179cf9d546a08a7f5124dab342b599abed8558b25e2d996fc387c7200e44e33a09db2cf77909d63309e37cf69c22026f56d88ecf5b887380

Download Submit
C:\Windows\SysWOW64\Mppepcfg.exe

Filesize
123KB

MD5
7e4cbd31b807d33cd2597149d0fffc02

SHA1
7dfef36b6829fb11d79afdf59c127cd802fc8c5d

SHA256
e42f0ae5a95db849b57eb5842e71de686032efec347f8f0f3c4ae42af83fd123

SHA512
e2639ac21c776b94a7bf614880c645a0226cc82548548c1dadafa7464f6d7d48304affb93bc20e8c8aab851a62df72afdf5f5bedb5454c691563f1b9d984e560

Download Submit
\Windows\SysWOW64\Kpmlkp32.exe

Filesize
123KB

MD5
37b0f5cc743ea79e7e90b94b7b8cf61b

SHA1
e96483b2ce8f3662d4b3f497a69c9634bf9d92cc

SHA256
86b6c87f24786083d38b3ce7c9d5420aafcf4ad2da642a533d2bfa80ef6da42d

SHA512
ab4325dc19f802780c69b6fc05e6e7660b9cd36c0d144e6a422bed9d4ab76a5e1d11ee9943f0174d5fa7b1f2795070fa7c11fd2ee35c9a39c325b88f4efd07ad

Download Submit
\Windows\SysWOW64\Lkppbl32.exe

Filesize
92KB

MD5
92d46b372c0058f67d55bd85edcdde43

SHA1
1e2063fb219d1232d49c5476f7c1d6f7e92c4435

SHA256
2e0f7eb296e0f70f533d02ba8124e5102658845061046a65cc55ae0d6bb195db

SHA512
acd63175d4efe4639e2c86fa8b5421061742ce1e4a0855db57eda9fd27f151ee91c5990e7a9bdb5f40f61611639b59890bd24a53be67c66aa410e2f02b7dad75

Download Submit
\Windows\SysWOW64\Llkbap32.exe

Filesize
123KB

MD5
00bcb651986596635f856adc940c0976

SHA1
e8c988f407a137881bf0d91497fa2e906f1e9fcc

SHA256
2a5e4535459c52f9da762ebdc0aaa87c38428c77c0d3d319e4194b287d3020d7

SHA512
2ba80a5992d8e6362fb4db18ac8216005e1be44f8f099d5225bbf18fe2d33d887adc5b4ae8dc32a0ee726193d9ab5cc2d284f068e51257ca7a3874acd384dc63

Download Submit
memory/1056-181-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1148-276-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1532-283-0x00000000002C0000-0x0000000000308000-memory.dmp

Filesize
288KB

Download
memory/1532-271-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1576-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1628-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1640-250-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1640-247-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1640-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1640-342-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1648-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1856-231-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/1856-331-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/1856-227-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1856-341-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/1856-235-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/1944-146-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2036-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2056-101-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/2056-13-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/2056-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2056-6-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/2056-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2172-320-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/2172-310-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2188-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2188-26-0x0000000000260000-0x00000000002A8000-memory.dmp

Filesize
288KB

Download
memory/2188-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2324-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2324-36-0x0000000000270000-0x00000000002B8000-memory.dmp

Filesize
288KB

Download
memory/2324-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2340-297-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2404-280-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2404-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2404-270-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2448-261-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2448-95-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2448-111-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2448-116-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2532-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2532-255-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/2532-356-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/2596-87-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2704-352-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2764-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2804-59-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2804-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2844-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2844-353-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2844-354-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2860-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2936-302-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2936-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2936-296-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2936-145-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2948-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2948-249-0x00000000002F0000-0x0000000000338000-memory.dmp

Filesize
288KB

Download
memory/3000-312-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/3000-207-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3000-205-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/3032-53-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/3032-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads