69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Size

192KB
MD5

bae0a9960df892d7151538d58f9de242
SHA1

21a750fd69cb82caa25eb628fe61e329da601cb5
SHA256

69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62
SHA512

4a2f667268e506bd17ac7d7968286568b615b106c772b01b457ed64cdcc628fb57a58e6fcba4968381c7b927587f2e3b8d1665f9920c8c96b75bae2eb54b2480
SSDEEP

3072:PCwSPZmQLcr9JKCBAiyVLf2guEmeFKPD375lHzpa1P2FU6UK7q4+5DbGTO6GQd3H:PC7PZmQGLBAiyVeEmeYr75lHzpaF2e6T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe

Executes dropped EXE 42 IoCs

pid	Process
4016	Kkbkamnl.exe
4432	Lalcng32.exe
184	Lpocjdld.exe
4176	Lmccchkn.exe
4444	Lpappc32.exe
2356	Lgkhlnbn.exe
1900	Lijdhiaa.exe
1244	Ldohebqh.exe
948	Lilanioo.exe
2168	Laciofpa.exe
3968	Lgpagm32.exe
2096	Laefdf32.exe
2796	Lddbqa32.exe
456	Lknjmkdo.exe
4172	Mnlfigcc.exe
4412	Mpkbebbf.exe
2272	Mciobn32.exe
3908	Majopeii.exe
2088	Mcklgm32.exe
4104	Mnapdf32.exe
1308	Mpolqa32.exe
4588	Mgidml32.exe
3088	Mncmjfmk.exe
2116	Mdmegp32.exe
2504	Mglack32.exe
3992	Mnfipekh.exe
4080	Mdpalp32.exe
1804	Mgnnhk32.exe
2872	Nnhfee32.exe
5080	Nqfbaq32.exe
4272	Ngpjnkpf.exe
1988	Njogjfoj.exe
3688	Nafokcol.exe
2724	Ngcgcjnc.exe
3204	Nnmopdep.exe
3076	Nqklmpdd.exe
3740	Ngedij32.exe
2992	Nkqpjidj.exe
4500	Nnolfdcn.exe
4752	Nqmhbpba.exe
4048	Ncldnkae.exe
3168	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3644	3168	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4016	4784	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	83
PID 4784 wrote to memory of 4016	4784	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	83
PID 4784 wrote to memory of 4016	4784	69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe	83
PID 4016 wrote to memory of 4432	4016	Kkbkamnl.exe	84
PID 4016 wrote to memory of 4432	4016	Kkbkamnl.exe	84
PID 4016 wrote to memory of 4432	4016	Kkbkamnl.exe	84
PID 4432 wrote to memory of 184	4432	Lalcng32.exe	85
PID 4432 wrote to memory of 184	4432	Lalcng32.exe	85
PID 4432 wrote to memory of 184	4432	Lalcng32.exe	85
PID 184 wrote to memory of 4176	184	Lpocjdld.exe	86
PID 184 wrote to memory of 4176	184	Lpocjdld.exe	86
PID 184 wrote to memory of 4176	184	Lpocjdld.exe	86
PID 4176 wrote to memory of 4444	4176	Lmccchkn.exe	87
PID 4176 wrote to memory of 4444	4176	Lmccchkn.exe	87
PID 4176 wrote to memory of 4444	4176	Lmccchkn.exe	87
PID 4444 wrote to memory of 2356	4444	Lpappc32.exe	88
PID 4444 wrote to memory of 2356	4444	Lpappc32.exe	88
PID 4444 wrote to memory of 2356	4444	Lpappc32.exe	88
PID 2356 wrote to memory of 1900	2356	Lgkhlnbn.exe	89
PID 2356 wrote to memory of 1900	2356	Lgkhlnbn.exe	89
PID 2356 wrote to memory of 1900	2356	Lgkhlnbn.exe	89
PID 1900 wrote to memory of 1244	1900	Lijdhiaa.exe	90
PID 1900 wrote to memory of 1244	1900	Lijdhiaa.exe	90
PID 1900 wrote to memory of 1244	1900	Lijdhiaa.exe	90
PID 1244 wrote to memory of 948	1244	Ldohebqh.exe	91
PID 1244 wrote to memory of 948	1244	Ldohebqh.exe	91
PID 1244 wrote to memory of 948	1244	Ldohebqh.exe	91
PID 948 wrote to memory of 2168	948	Lilanioo.exe	92
PID 948 wrote to memory of 2168	948	Lilanioo.exe	92
PID 948 wrote to memory of 2168	948	Lilanioo.exe	92
PID 2168 wrote to memory of 3968	2168	Laciofpa.exe	93
PID 2168 wrote to memory of 3968	2168	Laciofpa.exe	93
PID 2168 wrote to memory of 3968	2168	Laciofpa.exe	93
PID 3968 wrote to memory of 2096	3968	Lgpagm32.exe	94
PID 3968 wrote to memory of 2096	3968	Lgpagm32.exe	94
PID 3968 wrote to memory of 2096	3968	Lgpagm32.exe	94
PID 2096 wrote to memory of 2796	2096	Laefdf32.exe	95
PID 2096 wrote to memory of 2796	2096	Laefdf32.exe	95
PID 2096 wrote to memory of 2796	2096	Laefdf32.exe	95
PID 2796 wrote to memory of 456	2796	Lddbqa32.exe	96
PID 2796 wrote to memory of 456	2796	Lddbqa32.exe	96
PID 2796 wrote to memory of 456	2796	Lddbqa32.exe	96
PID 456 wrote to memory of 4172	456	Lknjmkdo.exe	97
PID 456 wrote to memory of 4172	456	Lknjmkdo.exe	97
PID 456 wrote to memory of 4172	456	Lknjmkdo.exe	97
PID 4172 wrote to memory of 4412	4172	Mnlfigcc.exe	98
PID 4172 wrote to memory of 4412	4172	Mnlfigcc.exe	98
PID 4172 wrote to memory of 4412	4172	Mnlfigcc.exe	98
PID 4412 wrote to memory of 2272	4412	Mpkbebbf.exe	99
PID 4412 wrote to memory of 2272	4412	Mpkbebbf.exe	99
PID 4412 wrote to memory of 2272	4412	Mpkbebbf.exe	99
PID 2272 wrote to memory of 3908	2272	Mciobn32.exe	100
PID 2272 wrote to memory of 3908	2272	Mciobn32.exe	100
PID 2272 wrote to memory of 3908	2272	Mciobn32.exe	100
PID 3908 wrote to memory of 2088	3908	Majopeii.exe	101
PID 3908 wrote to memory of 2088	3908	Majopeii.exe	101
PID 3908 wrote to memory of 2088	3908	Majopeii.exe	101
PID 2088 wrote to memory of 4104	2088	Mcklgm32.exe	102
PID 2088 wrote to memory of 4104	2088	Mcklgm32.exe	102
PID 2088 wrote to memory of 4104	2088	Mcklgm32.exe	102
PID 4104 wrote to memory of 1308	4104	Mnapdf32.exe	103
PID 4104 wrote to memory of 1308	4104	Mnapdf32.exe	103
PID 4104 wrote to memory of 1308	4104	Mnapdf32.exe	103
PID 1308 wrote to memory of 4588	1308	Mpolqa32.exe	104

C:\Users\Admin\AppData\Local\Temp\69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe
"C:\Users\Admin\AppData\Local\Temp\69234bb50ef96594760646f33f2276d9d4b45a4c7996623c0af8034b8b341d62.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\Lpocjdld.exe
      C:\Windows\system32\Lpocjdld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 232
        44⤵
        Program crash
        
        PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3168 -ip 3168
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
192KB

MD5
bdbbccbc1b23e3f93e391d8840bc6c95

SHA1
325f55d73f30666824414b7425bec9d70d3871bc

SHA256
79d11cc1cfeb678620a35a425e08a45ec30cba22e7577e93bed455f7c7b7c056

SHA512
ac075e46933d6cfc05c5f8eeddf31dc4040aa45789a5e45f7cf8a60fb0eda34d2a2b503071bec9addab05a427e1def7f8eaf4838bcafc190e251cfa138622c7c

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
192KB

MD5
90c8c81fe275de400cbb04b607eb7753

SHA1
95d502eec6429bb7950a1c329182e7d047c3becd

SHA256
eefe88f31c233499339143b00de9427149b54c77969205b86acfb7becf3c8d8d

SHA512
a3401dd5a9f45974999b5e460600d0802c6a11b6d0853b8e5e541de3bbe9efcc307bf6a0ab539722fb118aa31fa17493695fd6d503ecc7bcd532edcba4dd96f8

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
192KB

MD5
0daffa34e0ea97b651805f26c35f858a

SHA1
e807c74b1549ea18b98fc5ea18bdd506a2162f2a

SHA256
fcdb6532e9200bc194ee3f1f53f75561cdfe8b5904a8c925bd2d51fd97637b4f

SHA512
3e11735b1570208ee184e48d57677ad8518c5cea64dd95db0c212c7e816d9facc55b3eb71c873e6598b58c318a9354e8efcbfad512d5434cb38b9ee3a9ac8ca9

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
192KB

MD5
383da89acdfcb930c6ac3cc6feef2294

SHA1
c4a0c6bc057ac4f65a9782047d4a1ef43a71db5f

SHA256
9a1ff9c0769363b4a0d2dd4a9ecf0be67bb52c7563db7e23163b14d09e7c4351

SHA512
22476ffbc20e08be1953a23702e3e975840cff330468180031a6f39bcf031caaafbf748699c82b28a222bc60619b457c3517e1c59683b16e45444ca017414dd3

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
192KB

MD5
38ae9c7b013e7382ef036636928bab59

SHA1
9c7245966a2d7fdc12a17e72e904fb615aaa89cf

SHA256
8e4300ad0b57712462fed6bddbad34fb2814a883dba561f347ed0538c33a9e17

SHA512
51bef7ff28383f25e2eb96fb268312c1f67bd548bf3288f20d55a95fe854150bde09af516b40655f8c25c584814d8a407c896ef3209eeed6b8cc657d1300338d

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
192KB

MD5
67998828afca998d24e34af17ee4f6e0

SHA1
2d9a81fe0472df20b70a8e3c37b004a3682f3e18

SHA256
2a27bea039f6716504befff7a1c316c30addc2706d546384572d544256cc9a7b

SHA512
06338363b409f6ee5b0341b7178d2ff8ac99a6ed3096662b162b5025fae51e8ec0cc65da2fe4efc88ffaaf34411a4ff0fb1828b03e8763ed85ce925f5b6fd7b0

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
192KB

MD5
5eb893419d3ed7d4e086514070cbdeec

SHA1
8c71ffc6dd7cfa01fc0edc7742402c43b31b52e4

SHA256
50742f51b43036effa3731a0abe9eb8fefc639849f5475934c226a2fece7004a

SHA512
3907aa43111946b2c7e382d7a0680c89a93a7646d39cb6e8d87a610fc9cd8f5a435cbd2bdee994537f0bbf72796c629fa8bada3639f23fa0529ac0ae29b546c9

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
192KB

MD5
2bfba1340f8ac48a85f034d0baa60b2c

SHA1
f254e7b269c81ab7a125df9e4465e9de892c3174

SHA256
38ff6a53564378053de101ce1c65554ca9d818c094a009e0d0097c36c62716df

SHA512
7ebfb9606b294b1eda9a6e0eab22559edacbad77abadeed1e3ad59addb23ae7e626d6f56a8d4a8039840ee74891f696ae08242145abd7d0f2c929738f9a36c41

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
192KB

MD5
e3f5ccb6baa6fc8597f7bb43abd0c8ec

SHA1
7210387b6e75c6f6e72a7786a2a87373c70de0c8

SHA256
52ff6fdb23a36628e8843ee5374e673a6577094615ade37b98210f6c8f7d3dbe

SHA512
045a8343e2671967c3e1df9bea4be59e97d688110e3cb7738e37b0afa3d4e5608a2a2551afc86aabef3b619df4e3a9bc94edb9174d23545d08add75f7dd9eaa7

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
128KB

MD5
e372fdd3d05936c66f2cf00c57666ed9

SHA1
01c72106bf27279ac6eff669a23fbed3c67a4c73

SHA256
222f97ee005bb18c7d25532712cd9be729d8d14394d335de9077293674ca628d

SHA512
ab5acab22864f37c6c06e25af8a28f0da7932b6f05c35e772e5499dcdcd178b5a01b41433bcdd0a36cdc96f43ed4964b2f5bfbfd6a6c060b9210fe513b149ed1

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
192KB

MD5
5a4033d2cab6f6048a6787e5e4ff0523

SHA1
1cee757a3d04372c5ab8302c10399456b54b6aa5

SHA256
92e729f39245f00cbbd1b00e29ea7b14106cc2e24f971170470f14c4dc825b15

SHA512
65750a4a2e74c30ad0ee0879810cacadc5f293cae7c82b1b082884c4af6f9909793e6e9305a6348889a5de3b464aab46e4645a5ab25120466623e10db2db8d7a

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
192KB

MD5
7e8098857a09e3b88e2a2fc4051de4f7

SHA1
228225863b0b5240a565f1abe99781cb42e22409

SHA256
b8742bb9951bb797dfb58deccc81778934c080b08278621cf698085af8761569

SHA512
9aa121cfce046614a80ace42b9386a5dece74120369a5d038f725a0a4ecb075b99270a6acaf17ab358dc99d89c471d859879cac9d2c92e2e733d55fa52860fc4

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
192KB

MD5
62c98a73a2e2d2987047f20bcf571d13

SHA1
a7e817ddeca9636a638d17f4d848c10f31651f77

SHA256
5fb7c5e96020a622e2a11e4836f14a7329069e6620abb4dc49cca7ac6b7d1c1d

SHA512
28d245cec7eee9ac54a6bd2ee949b471547c84f4b71eb5bda993e5dc9a98f04a6bfb616e952ef22f0a252ad9f9f8079fb85569c448b381fc530feaec9b4f16e7

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
192KB

MD5
7bafd774cfc83b125982a4d4c16eb172

SHA1
51d92f499d3e7162812b0e049da30c2cf1e642be

SHA256
0ded6173ef5e2e01bf57e726cdb1f8d33aa622a60047b92406eaa3dad00c7750

SHA512
94d1d30ba381f4463db0f1611c9eb78fb6d703f1d6f71f2014766adf32aa5a62f0b35615a5af59502d22c2a8b6671b1ac9fd45e23a75030f4697eb633cdbb660

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
192KB

MD5
cfa79012caa26105c2c83f83a18c8f2a

SHA1
443fa00b7c0bf22e014d707459d743f15efbd221

SHA256
2bda447c4153acd93cefd4c7d5d165328b6431165cc95d19f83b9c3180d9fc6a

SHA512
1e8d984e85332a8b64dfd361dc6a9d8943020ce5817c5a89734eb17af6e95820cc3102c3ae787079d46cd9d438993fc0c2fec344fd35569462dca95f25fdeb1a

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
192KB

MD5
1ff1497067a7003e460fd06a30842d7a

SHA1
4432d76abf6e72d42d78adff83e1ee07d5d7d196

SHA256
fd04e5a4a81256c1e25280646251f7227b7d885be1ff4eb16c64728eb35de13a

SHA512
8f3ca2b26879a9c3e356d3db80d5e3db00d94e767ac6768530124a1be104e89043f5c84c58e561faf6bd4ee2023b210eac96fe91cb64f888e1031e23a9fa7281

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
192KB

MD5
c260216a9da7ace3f50fc82cc88893b1

SHA1
3eb6da535fddf874a5dcaf3e9578fd77a3c522b9

SHA256
0d0a8e3440ecb543f60cc52010c4dc42575b3d9850bdc699789a915264cdb0fa

SHA512
22a6e602e79eeec4781b7ac412983cb62e9d696c6e8b740cfce7973d9c64945e9d620cf81074058214730305a94bf4ca30a84f802ac8181c16135e9e64c0d762

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
192KB

MD5
3a1cf582f6ffb2b081fcf3edc936b5dd

SHA1
5f119cb7797b1154fc743e88e13d1d24b4f9b187

SHA256
44114a86881c31e55ab2aa89c98cf4af34a404086e91c668f45224a4802de252

SHA512
c167ccff590069c235fc713400b97a5027eecacd18c45ff881d0a1897bf1c9c7b7f9e95bf0dab4d241fba2b011f46833a18ebcd3ef8777c23d09e1ed4f148ecd

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
192KB

MD5
b366d6883ae97bee62cc880928aacaa9

SHA1
7e44fe4239b0a88950de4883bcb927f5a7cc7406

SHA256
bee7fdd1a461fef8239a1f9f2c36aaa2ac7e9da9fa53ba18c497b3798f522115

SHA512
712b463472600c4466b8e8463bc6ae307f1457546fd7888f6c2f037fddb5db1d2b1c9fcf74fad49c96ed13ca84ca9e447a224673d0692ce9ed5bc6c22ec76402

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
192KB

MD5
81742dfcaf3cabb12873f79b6c458620

SHA1
e16afe3972e338531736d26fec7ad08807153e3f

SHA256
ab42eceaf07568ae059587c1b9af154cfaa3882dab5f131c3f169722d63d98f3

SHA512
a196ccc5094c960a19a584b99b3db498fa8bb0f542e908bc1579f34f88ac6ae1f287ee896882a3911992573d7a32fbca439f1aa94c0fe60ef34428c616bc16ad

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
192KB

MD5
e55f7a410f108216529370f4fe0055e2

SHA1
840ba1c77afd9d77f4c30e28db48a9b4d86b970b

SHA256
c4c41f4079413fb58bbf73eaeba014b92249ca6623c0b1f14797ae77cd5739ab

SHA512
e382454e34804c67c26d411dc391a34e5ff6ee331c9abf4e9148b1dc5c0568e5be35d3043dfd33e5e7a826978b5272bf98a1a5cce43026ed829d100ad476bec3

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
192KB

MD5
4cebec4a8fdefe6d48d36aa8f8042310

SHA1
9e900a5a1210de37f2eccfb6a25c0bf32930f51a

SHA256
85e828c8a43210e7a478484e0c56b08fc90296bb4129b7e63d50b0dc4944fda1

SHA512
38ee073b9d0fe5187c868201670746e995166729fdb328c2b160f85ba7dc1bb85950ba7cdb7c17226df59d7dd9f38c97632439c13d48a788aba29b1340a3b71c

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
192KB

MD5
97934f2dbf357ee4f92cb60552ec6ac9

SHA1
1f8eaf28740224f2f6536536bff0e45b8daf674f

SHA256
22e202e4ee8360507c4fa055dd39924cc681d9de91f8fb6cb6b65c2f5bf3c70d

SHA512
cf183becb4f83ef55d629eddfd2e3258d61d8942c1b1fd3e9619e8fc3ea2f639a6316a33990fedce55ccb738876e4efdb90a8b655833bde900682cc9ca33eb11

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
192KB

MD5
c22a9109efd592241629e71e47e24b63

SHA1
38c55a80cb1f772f6f3d34c879d186bcf88c87e0

SHA256
2048f2c9abe81065ddb0920d370440dde251ea7d29dc2d6c64eae4204d0f7829

SHA512
e6868ded251088c1902654ccfab1da78d4c7647aca5e64106c5cc8cf38d9815ffc8bd62d41f8f4c1255942bfa5bd72a2d531da0a609b27283f32819bfd1ae99f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
192KB

MD5
2315f0a2028e7c99e6814694b1fd0cf0

SHA1
76687114e5a4b002e219e2b2744193568f1a5b9a

SHA256
41831d3fdd824ab886f61038b26415d7cfd9f18a1bb4150511460336ef6bcad5

SHA512
4a8dc4ecfab1efb113a3a0d9812de0610210aed2658be461284059b3ee534e1234a3f733997743c0959792387eb8e8c218cc599ce8e66b7ce19a2796a405bba9

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
192KB

MD5
51e9a20a22939cde4fa60373c0b7268e

SHA1
df33f0af1a7358c44f41bdf3c29d916648f923ad

SHA256
bf593a5447f1de09954c6d5dc3360f4ebc165e0a75af8cc607409b551167442a

SHA512
87ecccc2277a5cc193379e2f8dd3aaae70cec4c5353dc070e7e675494d3be2fd8a0ffb772de91b68c2ef8f9506915cc03288dc8940ead84bd636f4afe9391906

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
192KB

MD5
6c771197af8c1c7c8dba904f4f7aca8c

SHA1
25e75a39ec11e261448cde9081978c7a6a4e1e6e

SHA256
9c3d202b4e7bd4ddba980d9a526c0b540b9d88171f75f032e08cad441b299559

SHA512
bb1d7e1c1cd137732def84ddbd6357a07d8d9c858374b7bfd6df6ef517c72a8d5ad0daa49ea6392a1cc87c365e4cafd0b14ad775827939d5cc6ab19845bff603

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
192KB

MD5
e68ca1c4456a830e2b035b47d827e4ea

SHA1
b2bca52a3003fa446e6c74d7451b360c4f581acc

SHA256
b2968920425cfe8ac90cf3668e018815cf47e3499810c24f816cc4ca4ad8e0e1

SHA512
0276ebf7409d5919c7afa3941cf232fac5ff7bf2ccd62f4c94f9e8691006f17ca8a2e66e1a4bb94eaece4ca5fe408c5eebfec9f221aff38c9c7a06157e4ba106

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
192KB

MD5
a5982649e49ff1efc3a8f75e6cbe76d9

SHA1
3a914561d499347ffb19c28161d35797ce6102e7

SHA256
388549f05e8eaa840975c9e58609d79dc1ae1424122467ab31931eff1ac5d04e

SHA512
1b6b79fb9fa62e63d7ec5e9f9ce538da846841905238d276f9d3e69289212ddec91181f70ac31865343915e540e2434577cdc5568edae82e0f5153fdc4d2488d

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
192KB

MD5
110994aff71d8eee24f8c9b1668e96b1

SHA1
4a125a86306506321732840f0ef23e4717957559

SHA256
032af3ee092b13ab71558aba3fdb171a9b5ac92c341fb2e20d30b137a29732c0

SHA512
57b6761f9b2186269ac6cdb6100b44d9fab3e8c313a467ca04bccfe2fe6640ed5bc828d4d7df4eb0991d60f6c504f02102b6bc5ae60891b9c801724aa0c8a42a

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
192KB

MD5
6b7beabf420cf9bc71d09b5754b1707b

SHA1
167b353ee3c2d03fdc9fad759c2dae83a0b29a10

SHA256
59506226c5ce79861d7ea54547f5e07c7a53cbc6a980bf185df0514ad81e16f6

SHA512
632472949ff9374d5e8d23547382037969a0db70d8b2d017c90628119f7f8edc4ace1bba9188973d095c34f3e1a6652a99dc2946b4024c40237a32484dce6c9a

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
192KB

MD5
204b147fe3c60c8326e3c6dad9e70f24

SHA1
15e2c0dc7886e4a5d50d790bba0e0c0c8975ba1a

SHA256
dc04e75572203e1c414a0ee3db725d14e70a90fdeeced05b2e83ad77bbc93e57

SHA512
7c7d522b407efb812229b88e21c62ddf89c57b02439bc267d6cc1d6146540515d63e88c518f0e6f6576b1fc1e88373af20131161d76134fe54dd599352e20d53

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
192KB

MD5
8763eb6d2a3a5d083cbfb701fb18614d

SHA1
a8b371433b6672cea20586384b7760cefc8ffe81

SHA256
db7cc12c69c9e7e9b84ef275cd4d832af6ff97229938a93f5dbf1c541ae3836b

SHA512
3c059c454174d18c14ab47ef95c1cf1802eb88e175b7e459ab54dfc4c02354e065dfbbb0b202c4f4a58e5924de563a0d13c84e2376e88e3cb3a84559563f0874

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
192KB

MD5
68fd25bf9bcb73a95cbe9ccd2060bf37

SHA1
b0fc64283bf4faeb44672b5cb271ef0b6a04a3af

SHA256
9746a7ccf54ad7dde072fb1610f1122f40eb081d7936bbe036e1dfd131f19a6e

SHA512
3738e37988bb7482bf64c62005ea3115b8511832d11cc7c5c98a5803ac9690583db98f9703708b72793a4f2ddf23fb8d37395e0c5f35b9d2ce0cc4e51761324d

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
192KB

MD5
c5db1d293bd187ab8994a0f9db177b62

SHA1
12abd807640f2ef353d89917bb36cbad10f5aaa1

SHA256
6e55cbfa1332fc3cd4e12346d1bb6f48a72bf653abedcbc7a47b7fb833904084

SHA512
c6c83e7eb29256fc99b2ccb6e666ca3c8a583bdd70b3f8de6b828014dccb063b084a7f68b78b0a36379c0b85862ff6143a5b1a632c41c27fa7b399021b02a9ae

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
192KB

MD5
20f5bbb1dfebfdc86a97fe7670846adc

SHA1
286be2fe681e600240cc2c8b08c8b7f43bb437c0

SHA256
0aa870ac6ef2393f98d4f48d0822cfe884465ae4053ca17403fc1860eec6c461

SHA512
8c8a87093f1425b394ff9729cafcc6249b0861c11b4b6e3835727185461f83051734142702b674bf2ec416e716d2dd59296cd7d655eb128080783fe4ba47780b

Download Submit
C:\Windows\SysWOW64\Ogndib32.dll

Filesize
7KB

MD5
f49c5d754913323702e2a94028660c5c

SHA1
e9e699def9e83fc848e162f58bda7a792d02580f

SHA256
b2a918cd2e497332e858b7f5205e36082ff1f253f97c265c6a6cc4830b437baf

SHA512
30f8b445e24d609bbd57efb87e48cefcad340c56839e8ba8bcb00bd0129364f4a1cce69ca1f6a00163acd8843a36d2b63cdeccf5539d146a6470a23d596d5443

Download Submit
memory/184-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3204-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3204-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4784-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads