c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f

Analysis

max time kernel
140s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Size

64KB
MD5

7677ef05b80ad7c6a33243a481d39fb5
SHA1

cf68cbf9e02b01cbda6cd549c42321601cc6afb7
SHA256

c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f
SHA512

978f8ccfd5d284eb540267dbeee6c8fd2e7887ed34c103950bffc000293c1187255524deb0ce86e13842ef1bcea1b2ae206b566f2bdcf8392330ac2c5d76d1a7
SSDEEP

1536:uq8CK+ZFTBIQsCADwO4YuzVyfLDvlCYE8Rm0Z:58B+ZFdI/CDO41EvvlCY/m0Z

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe

Executes dropped EXE 54 IoCs

pid	Process
4548	Lalcng32.exe
5080	Lgikfn32.exe
4988	Lmccchkn.exe
1812	Lpappc32.exe
3880	Lgkhlnbn.exe
4016	Lijdhiaa.exe
4456	Laalifad.exe
3916	Lcbiao32.exe
1248	Lkiqbl32.exe
2416	Lnhmng32.exe
3020	Lpfijcfl.exe
4672	Lgpagm32.exe
968	Ljnnch32.exe
2052	Laefdf32.exe
2788	Lgbnmm32.exe
4336	Mjqjih32.exe
1528	Mpkbebbf.exe
2908	Mgekbljc.exe
4756	Mkpgck32.exe
3756	Mnocof32.exe
4416	Mpmokb32.exe
3544	Mcklgm32.exe
3832	Mgghhlhq.exe
2516	Mjeddggd.exe
3568	Mamleegg.exe
2744	Mdkhapfj.exe
2276	Mgidml32.exe
5052	Mjhqjg32.exe
1376	Mncmjfmk.exe
3356	Mdmegp32.exe
1804	Mglack32.exe
1884	Mjjmog32.exe
1512	Maaepd32.exe
2156	Mpdelajl.exe
1484	Mgnnhk32.exe
4832	Nkjjij32.exe
2400	Njljefql.exe
1592	Nacbfdao.exe
5036	Nqfbaq32.exe
3508	Nceonl32.exe
1740	Nklfoi32.exe
2384	Nnjbke32.exe
3228	Nqiogp32.exe
2588	Ncgkcl32.exe
1272	Ngcgcjnc.exe
3600	Nnmopdep.exe
3776	Nbhkac32.exe
4384	Ndghmo32.exe
4156	Ncihikcg.exe
2728	Nkqpjidj.exe
1700	Nnolfdcn.exe
2524	Nqmhbpba.exe
100	Ncldnkae.exe
3452	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3512	3452	WerFault.exe	145

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4548	3688	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe	88
PID 3688 wrote to memory of 4548	3688	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe	88
PID 3688 wrote to memory of 4548	3688	c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe	88
PID 4548 wrote to memory of 5080	4548	Lalcng32.exe	89
PID 4548 wrote to memory of 5080	4548	Lalcng32.exe	89
PID 4548 wrote to memory of 5080	4548	Lalcng32.exe	89
PID 5080 wrote to memory of 4988	5080	Lgikfn32.exe	90
PID 5080 wrote to memory of 4988	5080	Lgikfn32.exe	90
PID 5080 wrote to memory of 4988	5080	Lgikfn32.exe	90
PID 4988 wrote to memory of 1812	4988	Lmccchkn.exe	91
PID 4988 wrote to memory of 1812	4988	Lmccchkn.exe	91
PID 4988 wrote to memory of 1812	4988	Lmccchkn.exe	91
PID 1812 wrote to memory of 3880	1812	Lpappc32.exe	92
PID 1812 wrote to memory of 3880	1812	Lpappc32.exe	92
PID 1812 wrote to memory of 3880	1812	Lpappc32.exe	92
PID 3880 wrote to memory of 4016	3880	Lgkhlnbn.exe	93
PID 3880 wrote to memory of 4016	3880	Lgkhlnbn.exe	93
PID 3880 wrote to memory of 4016	3880	Lgkhlnbn.exe	93
PID 4016 wrote to memory of 4456	4016	Lijdhiaa.exe	94
PID 4016 wrote to memory of 4456	4016	Lijdhiaa.exe	94
PID 4016 wrote to memory of 4456	4016	Lijdhiaa.exe	94
PID 4456 wrote to memory of 3916	4456	Laalifad.exe	95
PID 4456 wrote to memory of 3916	4456	Laalifad.exe	95
PID 4456 wrote to memory of 3916	4456	Laalifad.exe	95
PID 3916 wrote to memory of 1248	3916	Lcbiao32.exe	96
PID 3916 wrote to memory of 1248	3916	Lcbiao32.exe	96
PID 3916 wrote to memory of 1248	3916	Lcbiao32.exe	96
PID 1248 wrote to memory of 2416	1248	Lkiqbl32.exe	97
PID 1248 wrote to memory of 2416	1248	Lkiqbl32.exe	97
PID 1248 wrote to memory of 2416	1248	Lkiqbl32.exe	97
PID 2416 wrote to memory of 3020	2416	Lnhmng32.exe	98
PID 2416 wrote to memory of 3020	2416	Lnhmng32.exe	98
PID 2416 wrote to memory of 3020	2416	Lnhmng32.exe	98
PID 3020 wrote to memory of 4672	3020	Lpfijcfl.exe	99
PID 3020 wrote to memory of 4672	3020	Lpfijcfl.exe	99
PID 3020 wrote to memory of 4672	3020	Lpfijcfl.exe	99
PID 4672 wrote to memory of 968	4672	Lgpagm32.exe	100
PID 4672 wrote to memory of 968	4672	Lgpagm32.exe	100
PID 4672 wrote to memory of 968	4672	Lgpagm32.exe	100
PID 968 wrote to memory of 2052	968	Ljnnch32.exe	101
PID 968 wrote to memory of 2052	968	Ljnnch32.exe	101
PID 968 wrote to memory of 2052	968	Ljnnch32.exe	101
PID 2052 wrote to memory of 2788	2052	Laefdf32.exe	102
PID 2052 wrote to memory of 2788	2052	Laefdf32.exe	102
PID 2052 wrote to memory of 2788	2052	Laefdf32.exe	102
PID 2788 wrote to memory of 4336	2788	Lgbnmm32.exe	103
PID 2788 wrote to memory of 4336	2788	Lgbnmm32.exe	103
PID 2788 wrote to memory of 4336	2788	Lgbnmm32.exe	103
PID 4336 wrote to memory of 1528	4336	Mjqjih32.exe	104
PID 4336 wrote to memory of 1528	4336	Mjqjih32.exe	104
PID 4336 wrote to memory of 1528	4336	Mjqjih32.exe	104
PID 1528 wrote to memory of 2908	1528	Mpkbebbf.exe	105
PID 1528 wrote to memory of 2908	1528	Mpkbebbf.exe	105
PID 1528 wrote to memory of 2908	1528	Mpkbebbf.exe	105
PID 2908 wrote to memory of 4756	2908	Mgekbljc.exe	106
PID 2908 wrote to memory of 4756	2908	Mgekbljc.exe	106
PID 2908 wrote to memory of 4756	2908	Mgekbljc.exe	106
PID 4756 wrote to memory of 3756	4756	Mkpgck32.exe	107
PID 4756 wrote to memory of 3756	4756	Mkpgck32.exe	107
PID 4756 wrote to memory of 3756	4756	Mkpgck32.exe	107
PID 3756 wrote to memory of 4416	3756	Mnocof32.exe	108
PID 3756 wrote to memory of 4416	3756	Mnocof32.exe	108
PID 3756 wrote to memory of 4416	3756	Mnocof32.exe	108
PID 4416 wrote to memory of 3544	4416	Mpmokb32.exe	109

C:\Users\Admin\AppData\Local\Temp\c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
"C:\Users\Admin\AppData\Local\Temp\c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\Lgikfn32.exe
    C:\Windows\system32\Lgikfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\Lmccchkn.exe
      C:\Windows\system32\Lmccchkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        56⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 400
        57⤵
        Program crash
        
        PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3452 -ip 3452
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
64KB

MD5
8288d751f2da0fe2fe8f0f52d3b58b69

SHA1
7c818a3892c0d677550e756f23dd7db414fb0147

SHA256
1ccb071d06b214e59acddfd81dc2e85c96c830ea842b9fe41d2447800f615fc2

SHA512
bbe6d3186f6d4e76ae60984dbeed483ef9a1727e2019038eb07e9de4ed8d251e4122d4eaff8e07cd3ff618555e44d97343247f27661db30880dc3d8703cef9bf

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
64KB

MD5
3faf5cb2a0e1f61045b2c960cc4484fc

SHA1
24a2983231b046da20de00547edd8636af0261e9

SHA256
01963c8132da4c8462e27a59b411a7a6c25d23db76c9deb2286114ae826d4765

SHA512
d5d41d81e297117655eea9be541ceaa8e1f559a8dfd64d47c008dc02618c7beac5f7ceb01dc571443cdcf6c40a3a4e09f6596ad3dc8b6978711bad77732de9f6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
64KB

MD5
bff3826b15aa1af6bef9c13b41fec216

SHA1
f096ee6d80bfe14ee0f89e6644e9b393914f020d

SHA256
bab9357b7eda52b9bee40f0eb8249184dd530ffd2f5bffa92e46257da5838d0a

SHA512
c42993daab64abb7731d32771b53b000c6638a20fa08a18e15b35198c2c4ca6a56bedec139b666c8489818ab54b460f9768ec4f694cfcd03757f74b43f366f03

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
64KB

MD5
37cf9e79a461119e1c9552571b3d1aee

SHA1
bf2a2df4af9895bb4ecfafe6c6da81d239c148f2

SHA256
384e4dfbadcd3d3aae1995005316be407ba9b360d4f4638610e5455276f15cbb

SHA512
858188ff5b5c9ad3b173dfc9fa126eb9d8b5505080b1d6257eb7e22935ac3a8c46fbedc1b0f4fd6c8db2a509f85e0edc50b4659cba644112816b1cb3733adad9

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
64KB

MD5
416d87a22e2ea3106da810090dcbbd10

SHA1
96424ff163e2dcf74c9dbe9c0722e0e67c3d1d0f

SHA256
c95849a5fe84becb08187450f5f76669bb932c799b45419a6bbbde1b09c6281e

SHA512
aa02878db7eba65de809e1e7a567751365b6983613855ef55398a31b9750fefeed351df09f283cd6e546820b798a216794efe9a3f9dfc07f325238e6ae6c259f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
64KB

MD5
f3cf3bd7c4d54cdff25ee49fa9919e0f

SHA1
7fc6d9df4acbdf23a62f18d4da3cbf10bbffe15c

SHA256
6e73761259595d32821999cc51bc41d1cfc50777e9eaa6fe5cef9cd9100fec43

SHA512
c01682fe6d266771b91e75a667c434e645044441c84cee69a6fbacd111e614c2716e2e67f12f6c8658e89e20b4b3603d39f72e443a075863cc3c85641c862fb0

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
64KB

MD5
7e0c1331418b0e2ae9dc3385b322f093

SHA1
1e32f796732403feea1b31f498286295b0b342c3

SHA256
6db1f11c7b0fcfec7e923fb1d5ce8d6c79daa9fb3e3c39629ab18f05077bf9e1

SHA512
0b146ee1321fac799dd2874713cabc4a880da926650216459ea03ea2dcdb569def72fcf9229633871d561a5fb3e87eb9870bcf2dfee4df25322d6e1e7773bd1d

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
64KB

MD5
6bc72d12c597c3f9641cd475bef0f250

SHA1
adea90f3d625d1348c481c9a3da700c5f8d417f2

SHA256
da9f068e8b6ffbcabd5b336262dd572198d320ef362835c0bb6eddceb119ef4b

SHA512
fa887ae92c38636f36b8c324279a8a0bcf4cc41b6b0aae749b82e9448cb7d6e08f8e5e3b6bd33f4a9b6b3236333da7e7c4a6bf64be6441f9d1f2e435093907dd

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
64KB

MD5
513941cb15cde6dc82b008217beb9bfe

SHA1
763a79578dcae91f243cbd33a1773357b8ca0146

SHA256
62732f467fc3fc06d83eb820cdb82ddae1b9c9d2e491100e382237c86487c1bf

SHA512
3198be81e3eae93972d631fef1c6b48a38e645df6aa9a964b0ec612b125c3382851a702e227bb7e5845de7b8a3842b86634c37d56417ce71d2bfd5ebb9f7caf9

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
64KB

MD5
4a8f466f70c65f818892b36e2f1fcf4e

SHA1
20d86f24342576511f4a6960f0ce256bd867dc18

SHA256
112e157cdfdb68818d1b38cfc89fa58bd44a44a00819323b07d07eb3cda2828b

SHA512
7a01823d26dc14c6efcac3cf13d021c8e3d4417ac156e682aabebf058d0d0375c84bf5af1e087e6e75767620ee174f2b88a3d5932a879be20a848baf2b694b65

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
64KB

MD5
6391750b8f07ed366c5f59ef3fa7ca86

SHA1
0845b815fdbcb51656e9bac849b6bcb68dc1139b

SHA256
6bb0496491032f2572b3e4390ecde150f79bcf261550bf38efb324981da6f453

SHA512
6212cc9267d762236c43aecd26a1b4bb9482acbe69443013b80603b443d53aa848c89aecfabb40a81df5262b2b98a9b39c9ce3f26c770a1efa5713bed23aa35e

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
64KB

MD5
ba5efb73f081a1e56e483070ebb4c8a9

SHA1
034aa370ed843d61fa856224e86dbd3011ea273c

SHA256
b82bb80d7e2251c6b0b4848fbb71ff9a256f58ea79775dd5ba05ea9b00be0469

SHA512
61624b665dd39fe5032306871e7c1584ea34650220ed6ce7dd1ebff6db3b6ea875418ad3dbb51ea2fdf7cbe2eb4dd2ee449cec74f44fc090cf49476746cfbe97

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
64KB

MD5
02f8cb80356a16cdb6312c3c7032872a

SHA1
012db1d948be172e272139bd06271bb7184760eb

SHA256
331946dba4f2aecb24bc8fc3d62a9e4f352039a62982cd3e31d93f9951f46f10

SHA512
db3282347cb4874d4426912f59aaf506fff465ba86ca661b4a7a76c7066b20392cff758d95abe73e4c8729eb5ce3bf84da925dc7ce93e740f88828fdb5339a0b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
64KB

MD5
9e296aab490358461114e9b4185bbba0

SHA1
1ba012ebaddb13343c46cb242607499ffddc8400

SHA256
6082d82f336e19439bb032951b607ba4304edcf3bd5ee869fe9eb7229c88c63c

SHA512
b94734663b9ad79ffe02c5444a0d747f65f81c798c04398057058bdcea798b02891ac1ddaf6cf5809d77d4850cd25493115cd6bbcfba6957dabd971e7d2f9d2c

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
64KB

MD5
ebc97d09074207364bc11745150359c2

SHA1
3af9639733fd9aa26252c131d23fe06c48254d18

SHA256
3935ef0d3b502d0b09d2ed923c32d92228da97ae4768fc611a975238f80232cd

SHA512
4d67b5a9283ea0b84bfdfe8d00bfb246d23b06be1900b95e29ada8bf821fd476a88bcb1e07877fa86de6ca06ec83471396e684c3d55400ffebc22714dae15b6f

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
64KB

MD5
9e93b663644c3be4d630fa0cecbf716b

SHA1
65d270cfd758253af3ffb45af2a7991fe796e098

SHA256
2d00bbd8fbe0c16dd11571471ce4a522e09447f3668aba7d9efbbcef889deda5

SHA512
ec98a16b8a833070f895bf798050ae1042dfa4568910fff445faa69b5b8d24dce06c4a8604a51e1013a88fa2ac40f910dd2432feb54cdc25af2377309744f2ac

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
64KB

MD5
055b0579bb39d7687fb24dcc837262d2

SHA1
042b450cde298f08c23fa1f728d7c9cdca05b430

SHA256
8f064275279ab87fa968d94328782855abc794c459eec27eb59e1740e429a7c4

SHA512
003b31cc7e9ab2934d52a6cd38a061c0e58770d094a5b5ce879c647ca902199937f3f5bbcbfc62edf8843a9a0e28998dc60ea87c3774bb77b11d6ab3627d5bde

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
64KB

MD5
e63cf40b4dacd10118cd3ae63fea0495

SHA1
74747f1129cc10a58b73b01fb7d4074907ce0dff

SHA256
55f18a27fee4ae2c1bf0b43b84a648ca27c0d78c1a84a32e6b2e14e4b8a48cd9

SHA512
f8679ea005d16e03f81ea3cff8239df5262c440a64e0f091488fe978a2f583babd6f3fa68cd78a9adcaf96588035cef0ee13ed686f76572bb4310890583cac0b

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
21KB

MD5
3b48f88b9953a34466082af5ecea3edf

SHA1
e04858a0051500c2af2d4e8c759679f4241dcf2a

SHA256
93b5f4fff0618f900d027b14048e7d7c653e733de825d9e6312f1e21bdfbd311

SHA512
8e50de711999bfd7bab37031f2ba568750b2fab460ddbecb9520efb80dcedb2339338a0132eaf365e2fc8869fdf2178b4a84e82bbb06ffd81ea124d752eef106

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
49KB

MD5
1695fa36c5d574e57d13ea9c5fe2980e

SHA1
8e58175d1748de5a9bc80c178028767972d0932c

SHA256
5e7ceaca94cc498cba6ce38478386f4f5a181a6f77f2070657a6835fe1e3a24d

SHA512
61f45d75943055217af148c7aa69c9aea15d92bd1f1a700a9de6172061d854261bcf9bbaa689ad4d8e55224bee12aac8bc1a407edb89c82521039a4271187606

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
6b3e64345af3479f7da9353af9496a09

SHA1
079ed679472e6c64b2c7cff114bbfff4b112a556

SHA256
480ce565520261ab3d01fad16d2f390e513ba266fc5b6ac34b922d7d1ef5ac59

SHA512
aa6651f40cd90c52888233d614655e8451bbeadaf4d07c1d42199fc3f00c6b1885dc57dcdeebf02f16eb3502563cd029f209a3e8ca74cd28571482d0754e23a5

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
64KB

MD5
0d33afdb31dfd54f98a742f828c41b65

SHA1
04cf29463301974b5e51f97026cb747f9a1bafd5

SHA256
bc5151f7e549061e296eabeae38d6ddd9ed3a0629223d7c189951e0d78d21d71

SHA512
0ac9fd9782ff50cd6729b57e288346b9db048eedfc9d00cc27b86b61f4386915b9e5ff90e91204b0e858af349af085c54f22cb1f949876288e79cf1247ee70ee

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
64KB

MD5
0d351f0c117922219feee36515a6f7e6

SHA1
fd051487ce5b7e1d99c161da1c9b36a698a86860

SHA256
d3186476869991380f4b38afb209429dbacf63d9fab5855c171da8221f887c1d

SHA512
c38a39240507876b7c3d849280833d07540eb7a4b39b720c31a828aaba44e052a9e477a516b930714cadf55655a00c878dc2860fa192c1968893f4cb2abb6597

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
64KB

MD5
9eb1b89f707576c1ef16d24ed39ea565

SHA1
cfe4451ead90dd310abaea85b6fb9d76678bac49

SHA256
5c4105aa31b0f05aa9ba5dc72351cec2490e7be4bb7149fdf90a51837a55f8d4

SHA512
60d0865d85a103ebcbb3a84c66378822f40340f3511c4f02936e77eacf68de366dc9593bea2fe78e5ae2c3fb9ea89c4e6788e2a32583c1f3dd1ae701caf2b947

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
d3a60c778a1dd29cd9aad854e5cbf71c

SHA1
82235556375d2a00889efbe2a95f889cb9d8f44e

SHA256
3b09dc1c54ba3c39039143718d4b33030d9e027249ecfdde8008d52bedaf81b7

SHA512
7f096cf442d8dda6e8ffe2c1cc53ead316d6de2aae4d01db77dfdd6a128d8a3b254f1270dff3222258ab96ae2c6ab2ada5b51381a50bab38d1a2c62d3a537eea

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
64KB

MD5
fee95094b661d957c23224e350d0464c

SHA1
8e42912eceb25c560d4a70ff79df0b475e7cd34d

SHA256
9d517798d40caf51aa61326987accb1a46cd1a6349b67e3497163bd24abfa76b

SHA512
c22f4eebc47dac21caf001fb494fb29efa1db0469c90473abad1b45e2058def616d60c1c18a130e1c4f8dfabf157f14ffe8b4c7808b2e80c85d4ea55d071ac42

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
64KB

MD5
c3c1bf1a239905f38ad42dd54d346060

SHA1
092312056a0f423ed394566427da5e7e6a7d7927

SHA256
d2b90427bcdde3c3acc68a896183f17f3520e551d26ba417b497cfed449939b5

SHA512
5f0a1fd72bca13c3f3f71898bcde024b449035b9f22581c3b3d30afa65961301b09a349ca858a1d17d7c5472a429bebd38208022c7ca4feebd3ef8c236420cb7

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
64KB

MD5
42c15916a99c9a94c1860e33570d522f

SHA1
41762219f93369a8b5597b7521ff4ed076d0532b

SHA256
4fef912dc560e4ed943c109c5606c4627e93e5e4d5f6500a9e69a6a5c4c9c1e6

SHA512
ac1f246e8ede220de7ba034a425005e33ae0f73d7024bfea940c1b1814ebd98b2be8f9428703d10a251f0413642b06d359f49e33c21a7d5f8fc58af514a4b6e9

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
46055160115a0e509c9f453aaa723253

SHA1
d0e0d4760480e25a2953d7d1610fbfda94e2b313

SHA256
bf83ba743d1b570eaf1cf127c312458d71737776d62dfb07fa30c94b33b11026

SHA512
742871cb573df1673ca942819dc01d069fc057f0dcf7ef6c06731a5e2ac0e15e56c8bb925a5b0fcb9bd337e825a22b4e63835b8825cf07d138fce6753cffad38

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
2b277a1840e431d21a057234fddfd747

SHA1
53258bcb985d75d624738bd257450b6e9a4880db

SHA256
55c8e3d77516d1328ea699f5429ea413c86e757465ba878008d374abd1b11c48

SHA512
a51a7853b4956efab3c6c179c408b99f6399c43906572f8b95a766478452b785c2dee455ab4e05a127638eefdad74ee9c8e3c26780aec02e2a17dd0ba0e59980

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
64KB

MD5
bb9745dfad492d2454e480e690cc8ef5

SHA1
012b75cf8ee3f9dde0c8a8176697c1724d6fa378

SHA256
9c37b48ae080779d31283b302878b0ce48970f98a3e7ba72443719d7e6a6fafb

SHA512
46c92ca2d143124b8fc4e7d413c76bb24c01cf55f6f20758aee7f43aac9ec6a26260d4a9e3b0fab0784dd1f12d3ba14c017c48817b6c46ccc052f7937a27c7fc

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
64KB

MD5
e51f96350f382600cf604c76b05ad66c

SHA1
2b79bf24187d2e586f89ae3b31f4941b283598ba

SHA256
61c480be2f8369d7175129a9cf718bc92091a6fddc70fda33954bd480a9d2f3c

SHA512
736031de0f65c69d8fcc7ca3f7a96c46eb79b8e7c3d0dcaa36ef159d089fcab35a2a170a3dd356e79d1f88ddae456785431025a86c340a5aeb758b2f69e04c86

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
64KB

MD5
e6ca0de27131a696c85a586a510e39db

SHA1
991c2cc77e46828bee99d428ca7ea618ab7ad6a8

SHA256
8c133799983cfdf1ab57cd067efb8a0bb86c923e27d5ebf0081cd1986ef9173b

SHA512
416696a289bcd05d8184cb055e0b53ad8ee8b240b2d00c86ffab24cd957b549005582bb397172c29c788f7d5c91ed3e147e20c6c0897033638ac425b680c8486

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
64KB

MD5
52fabdf9c176b83cee8b33c7869c8b4c

SHA1
dc19f9be3781b860fde6b80e8585986a0ce247fc

SHA256
8cef0b1cc903bf3797e8212adc2d4661fe8ef5b52cb3d760fd057e5c0ddd3093

SHA512
42b4b0a64bda8ce7b2aec78cb3d63e829cb79385b9e39a6dd349be7eb0849ac4bca3b35ceee0af41471937a90142920b80d0ac45f33d970959c33426766b31f7

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
68324e89bd9bd12a3659859ab8069ad4

SHA1
3bbefab61a852a7ee8ac5a89f62e6f9aabdea663

SHA256
c1243ee5333d4c128c7c288fff8ec39cb3df255400a1b0fd1a3f69aabf1d4fd6

SHA512
37570f259d34c54f4a6c2e8f63981169b400a07223b5e8be0488c12e85c6955a03e26a420ec72ffc9ec4bf349aaf667cc507bc7f28701dfb48d2ea8f9078dcde

Download Submit
memory/100-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads