280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902

Analysis

max time kernel
92s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
Size

96KB
MD5

33a0568b03e3740d76dd824266961c7c
SHA1

b5e12f845f4c20ce3301b4edeaed5df8219e34f6
SHA256

280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902
SHA512

fea0e4dbdfe3236e3b3b3f43dcb91b37844b4114f0da2f0c584a8a9d9fb72d8c2b055a8d7bf9c92b8f2798979bd3d11f562524454bd18972d188ca8798ac3125
SSDEEP

1536:b6lH5RPjHIQtOOLTDjnOLzN+S8HDymoVS2Ly/7RZObZUUWaegPYA:+lHTsQtjLTDjnOLzMS8cNYClUUWae

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe

Executes dropped EXE 43 IoCs

pid	Process
4936	Lcmofolg.exe
2420	Liggbi32.exe
3508	Lmccchkn.exe
4668	Ldmlpbbj.exe
4092	Lkgdml32.exe
4036	Lnepih32.exe
4380	Ldohebqh.exe
232	Lkiqbl32.exe
2728	Laciofpa.exe
4928	Ldaeka32.exe
508	Lgpagm32.exe
4360	Lnjjdgee.exe
4352	Lphfpbdi.exe
5060	Mnlfigcc.exe
2252	Mpkbebbf.exe
3180	Mciobn32.exe
4484	Mkpgck32.exe
664	Majopeii.exe
640	Mdiklqhm.exe
1676	Mkbchk32.exe
4408	Mdkhapfj.exe
4780	Mgidml32.exe
808	Mkepnjng.exe
4132	Maohkd32.exe
1324	Mcpebmkb.exe
4076	Mkgmcjld.exe
4856	Mnfipekh.exe
4788	Mpdelajl.exe
2160	Mcbahlip.exe
3152	Nkjjij32.exe
2796	Ngpjnkpf.exe
5104	Njogjfoj.exe
60	Nafokcol.exe
4940	Nddkgonp.exe
4264	Nkncdifl.exe
4580	Nnmopdep.exe
4952	Nqklmpdd.exe
4872	Ndghmo32.exe
2972	Ngedij32.exe
112	Njcpee32.exe
4364	Nqmhbpba.exe
2036	Ncldnkae.exe
3336	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	3336	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4936	976	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe	85
PID 976 wrote to memory of 4936	976	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe	85
PID 976 wrote to memory of 4936	976	280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe	85
PID 4936 wrote to memory of 2420	4936	Lcmofolg.exe	86
PID 4936 wrote to memory of 2420	4936	Lcmofolg.exe	86
PID 4936 wrote to memory of 2420	4936	Lcmofolg.exe	86
PID 2420 wrote to memory of 3508	2420	Liggbi32.exe	87
PID 2420 wrote to memory of 3508	2420	Liggbi32.exe	87
PID 2420 wrote to memory of 3508	2420	Liggbi32.exe	87
PID 3508 wrote to memory of 4668	3508	Lmccchkn.exe	88
PID 3508 wrote to memory of 4668	3508	Lmccchkn.exe	88
PID 3508 wrote to memory of 4668	3508	Lmccchkn.exe	88
PID 4668 wrote to memory of 4092	4668	Ldmlpbbj.exe	89
PID 4668 wrote to memory of 4092	4668	Ldmlpbbj.exe	89
PID 4668 wrote to memory of 4092	4668	Ldmlpbbj.exe	89
PID 4092 wrote to memory of 4036	4092	Lkgdml32.exe	90
PID 4092 wrote to memory of 4036	4092	Lkgdml32.exe	90
PID 4092 wrote to memory of 4036	4092	Lkgdml32.exe	90
PID 4036 wrote to memory of 4380	4036	Lnepih32.exe	91
PID 4036 wrote to memory of 4380	4036	Lnepih32.exe	91
PID 4036 wrote to memory of 4380	4036	Lnepih32.exe	91
PID 4380 wrote to memory of 232	4380	Ldohebqh.exe	92
PID 4380 wrote to memory of 232	4380	Ldohebqh.exe	92
PID 4380 wrote to memory of 232	4380	Ldohebqh.exe	92
PID 232 wrote to memory of 2728	232	Lkiqbl32.exe	93
PID 232 wrote to memory of 2728	232	Lkiqbl32.exe	93
PID 232 wrote to memory of 2728	232	Lkiqbl32.exe	93
PID 2728 wrote to memory of 4928	2728	Laciofpa.exe	94
PID 2728 wrote to memory of 4928	2728	Laciofpa.exe	94
PID 2728 wrote to memory of 4928	2728	Laciofpa.exe	94
PID 4928 wrote to memory of 508	4928	Ldaeka32.exe	95
PID 4928 wrote to memory of 508	4928	Ldaeka32.exe	95
PID 4928 wrote to memory of 508	4928	Ldaeka32.exe	95
PID 508 wrote to memory of 4360	508	Lgpagm32.exe	96
PID 508 wrote to memory of 4360	508	Lgpagm32.exe	96
PID 508 wrote to memory of 4360	508	Lgpagm32.exe	96
PID 4360 wrote to memory of 4352	4360	Lnjjdgee.exe	97
PID 4360 wrote to memory of 4352	4360	Lnjjdgee.exe	97
PID 4360 wrote to memory of 4352	4360	Lnjjdgee.exe	97
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 4352 wrote to memory of 5060	4352	Lphfpbdi.exe	98
PID 5060 wrote to memory of 2252	5060	Mnlfigcc.exe	99
PID 5060 wrote to memory of 2252	5060	Mnlfigcc.exe	99
PID 5060 wrote to memory of 2252	5060	Mnlfigcc.exe	99
PID 2252 wrote to memory of 3180	2252	Mpkbebbf.exe	100
PID 2252 wrote to memory of 3180	2252	Mpkbebbf.exe	100
PID 2252 wrote to memory of 3180	2252	Mpkbebbf.exe	100
PID 3180 wrote to memory of 4484	3180	Mciobn32.exe	101
PID 3180 wrote to memory of 4484	3180	Mciobn32.exe	101
PID 3180 wrote to memory of 4484	3180	Mciobn32.exe	101
PID 4484 wrote to memory of 664	4484	Mkpgck32.exe	102
PID 4484 wrote to memory of 664	4484	Mkpgck32.exe	102
PID 4484 wrote to memory of 664	4484	Mkpgck32.exe	102
PID 664 wrote to memory of 640	664	Majopeii.exe	103
PID 664 wrote to memory of 640	664	Majopeii.exe	103
PID 664 wrote to memory of 640	664	Majopeii.exe	103
PID 640 wrote to memory of 1676	640	Mdiklqhm.exe	104
PID 640 wrote to memory of 1676	640	Mdiklqhm.exe	104
PID 640 wrote to memory of 1676	640	Mdiklqhm.exe	104
PID 1676 wrote to memory of 4408	1676	Mkbchk32.exe	105
PID 1676 wrote to memory of 4408	1676	Mkbchk32.exe	105
PID 1676 wrote to memory of 4408	1676	Mkbchk32.exe	105
PID 4408 wrote to memory of 4780	4408	Mdkhapfj.exe	106

C:\Users\Admin\AppData\Local\Temp\280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe
"C:\Users\Admin\AppData\Local\Temp\280aacecd58cafe1b8178d9e665cb30de1240b51088367e9e6b38e4ca77e5902.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\Liggbi32.exe
    C:\Windows\system32\Liggbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\Lmccchkn.exe
      C:\Windows\system32\Lmccchkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 404
        45⤵
        Program crash
        
        PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3336 -ip 3336
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
cb46c591d000c856164fcfee2fd09d03

SHA1
21555ae71d4e524574f7e69494e19b04a9c6be5a

SHA256
adffa7341a3971a639ce77bd39057b523d7bc8a72677e08d5fcbc210d082993d

SHA512
c8f9f5069bbc750febe6ce745e91001dbaced959b1f0beee7de304f33dc3dfbce7709ed992b631738a04a93bd62c19c1fa4fde485a01f031486f39b3515834a5

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
96KB

MD5
2ccbba3b4e5ec512a64d0be22cf30e7f

SHA1
ffbd15c42b3de4846aa877814d26f80fd6219640

SHA256
beb7aa425322082adc494adc9107c5c22212b49aac5ec4d0eb6e8a5bef1ac964

SHA512
321b1371c75eaea54a37b1bb9585b417681ff714c97960a4c926768e366f392fc4f02ae45045e6ca73fc3e30c2152d20e7667aeb791bc2657aad20ba4e2b9b66

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
f631bb2355d503511ce4847728d0ed12

SHA1
5856d138686e4cd93447601a95ba385c15c8b9f5

SHA256
a228b64608ef87e682de489b1efcf7a04c56ac2b783886dbd06d90115071f81c

SHA512
14065bfc7298a649011baec6df0768fc727b4e1564250aa99e8b87406278303ab37458b51aacf75b72c7b5df329d8dfc0e4ae40bb66a49d100cd84011dfbcd74

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
96KB

MD5
23163d68c0a141c6bd04c4ab2c3fae5d

SHA1
a0d8ef338e5a66c5fd281ee150497474a0b9f24d

SHA256
7f876e5c230e530f42d99ffc9c47f176e0d2ad0de3864e1c0cfcc51ca3413f46

SHA512
9dde3511f19e486bbd3c4ed8988e0a69b30d185864d5b8dd839f24938dfba4586b370b989c6aabb95c464af3c3dc79a619f9d5cc292b2105ae1db5435a7c55a5

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
96KB

MD5
8f871a1e090d404158abf9480a966a4e

SHA1
4a726b60454b77e548ae1d30955c006d48c23d80

SHA256
25ad5a1a4a66555def170e89add0f55475d477ebca498b0cac213fe4a94c3117

SHA512
010a3c34f8b0c1c155e9f6e86516a336289ccfa18c607cee5891f3dca0dfe542ede0a4c590acf420774f0fcce8c2ff2910f58e32e11290ce7a7e40a3d0857ebc

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
96KB

MD5
ec0f46c94ab396cf186f20e1c22c83e5

SHA1
ae00677307bdbb1ab995b5efdb56c2781741d170

SHA256
42737de833917fd817e24e0358f11650d87007d97347db524ea3ec4f852b2a7b

SHA512
a007ccd047774cda16ca4d7184359a4a799327ccbe0e20cc12b4420e76deb23a4cb57c42c9cd2aa28670ab734f614e2ac3b63fa49e396219fdd0e459a2dc4296

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
96KB

MD5
178dc84ed16102b26645b8aaa121c6fb

SHA1
0e68b8e5dc8defebb51babaf6a09e7c95e0c61f8

SHA256
183b8a4d9b3fc5719230207f4a93aca7bfb9ed427216b4cf28848861fcd467db

SHA512
e5e30ce34a1981f7bc50e5ce7f918afe5e6ae90db3ee1d8589ba2d13c9d64ab68725a9ad0c8f0c826ff032e31c3560135338de00980cacf8e6cac3ad7b21a6c7

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
96KB

MD5
a77f7a1890b832798aec85b1cfbe6c07

SHA1
4ed6902a5f7e18bb2ab11fe6c5356364b453e16f

SHA256
0e91ff0251d517fa65c9bb28d76bcde598d9f05110cb499c647323468690083c

SHA512
b98e05a7063eb6cf0e641ff39057a4717da86f1a8bab245ce46323115893750e1dea68a8aace6932d86e8362b1a6f6e789982cbda7e90cacd35127a8e81940d2

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
3b7ee6db3d3682152fea51bf2b03e1a2

SHA1
b315a6a16966c4980c0e3aeb514d7b2713905f56

SHA256
6d93011d0bc6fc095366934bb1ad5cf520b647eb5531a6979984bb98552b78c2

SHA512
9789485f0cf084b65f7d3456279ea269c1c9176830735e2a645208206afe728db885dde783c9cc5fe37fa94cbd858a330cd7aa48fdea164182a320034b119807

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
96KB

MD5
267eee4416d641fd30b41829b0ab6e86

SHA1
c4f0c4695dab740d632dfd1ea8ef949dcfca8d4d

SHA256
7b276fbff4132fc8938f538c4507381ae7a2e44aea7206db35173755fefe629f

SHA512
b71c952697a60298680488f7e7bce2d6390c215d1decc6ba81658eb87e9d877d46b95214b772ee383fff7e1606458cff3c01a6805dbf5d643342a3f2b5259e69

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
96KB

MD5
489871ce20cdb7bca533bbee4a480dc6

SHA1
7d18f883eae346770df1baf482cf08e5bee3d1ef

SHA256
8469cf6e9ac538df8afb143f9a4205eea01033136cbc1ec23c5ed8fcfbd4e426

SHA512
97549c6ab83671e71e94a43f93a1da3accd6c705353eda30059634131242970938c11e373727e9834f399a90f321976a33f8888321d5d83e714807f6245f4987

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
96KB

MD5
5ff41a84a8d5f1614e4a014870fa888d

SHA1
a65d6830d5b3560326fbaa01ba99d9b9040dbb64

SHA256
d87ba1cdad9a2bc65ab2be94c7de94f4eab2f606f1cc4579f66da6e9e3399743

SHA512
2f9ca973b4fa3ff84b2d6950f849fbb48214d192eb045492d2c904b789beda58804a58e332c20365ec6d765660643bd1e9d231641aa7e2b9a691a4644a83ce63

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
96KB

MD5
99bc6f6dec1e48c6b0dc72d098724e34

SHA1
e55bbd066fe75329f70402ef0d64ede8d4b85d54

SHA256
855ff872aa2522f23f3437dcb1632aa88b67c5d3810deb94672be016888b6943

SHA512
9e53152982abba7f4122f3d6f0ec1ed62937b71b973bbafe7d758e71de94eae2929cc448db534eb6461ecbaab682c1275a394d35b148495ac31bc61ec7684dbc

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
f7a33ae2e68bfca32c7a5f413da28002

SHA1
30879ec991bcaac8290347e3ad06aa02e30904a9

SHA256
eb529ada019ebbba3fe82a7599658f28471d7311df1aa9d643c0963e70e28f7c

SHA512
27997ee72eb7b9008b573b42ecfc82a75248ae6bd64e689186e0332d8ecc58b5c6e749d6a7b5698e4d2309bf3f474827d94eb1fa5925409cd0d6a63aae146883

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
d162bf386a2765d3c7a08dc61836d1df

SHA1
b0e61ed7074a927445461299d2c654e6b90533f0

SHA256
b594885b63f7fca0fd8b5b9c5e639748736ec399a3a379168c83c768067d3e86

SHA512
b57805a648be581929ca78cd7a5b238be95ce2443329c4f32bc211ceec115e025587abe68ea2b6bfc3490b0828bd7f5aa0908eadbe4aa4ddb80c5677d30f4879

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
1e74d37eba3a030a609561cd0fbea40d

SHA1
18213f410099b64b3c2dd996bd3410c4da824210

SHA256
069502c75135f445bf4f83888e42a94a8ba41c3f070a0b6acace86d4346ecc2e

SHA512
f666a605a9ea27ca903bc3a52fe2565b39f094def36f1fbeb400847843a8fe0a5c0a70ea8e7138308b8750fd5666620bcf92e415967b4ea3fd0484c116da7f05

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
f044e571524b6d1977affe2cc3fb1648

SHA1
2459ad18055c51979b8692476d7f79f610b910bb

SHA256
5a9dc5f3bc0ed3d439d15b9f1994a200e77ae28346d581e63c0f75ce1c70b3ad

SHA512
4bd3e6208c59fe0898c14c58ae2a0e670463715a5d1693533c663304a31d54f73fa8758ffde53ad94e4c05e2a788422c9052a5458ca47778f6e28c9e586b5373

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
96KB

MD5
e466a6fcfe95d7a1e045fde84162c277

SHA1
d20ac686fe5a6de5bf9dcfae7107f34f23fee7eb

SHA256
d75567b96bf32b33a861a4019b722dc64331b7c3028e2bc42b4e18a2eefccbc2

SHA512
fac942a5ae4ac35d89a65871e4f017e630b0113dbb7b3492d2c2c0dbf06ba5e8cd44595454e800fd8f7fbd3c822e6c5fe36f7bb20573ba927576b44484431e34

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
69019fdb2c85c905ee7bdee6f0425895

SHA1
929e4abcaa7b502c01cd7440392213073fdaa5c4

SHA256
6f4ad0f43a6522b15b5297813cb26b96eca7c4d85d1050e9a1cf6401ca02ecbd

SHA512
60a4f5b78132469f90b77e3beeb18550533cdfd453b2bdea7435d36ea2e64b412eedea01171d8437defbfdeb0a069439acae08ded843c464c6987c7302e43003

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
96KB

MD5
8beb87d4a920193c3dbda8e6ea2263ee

SHA1
7fe1ec088a32e2209f97a190788378f3e9d6fa99

SHA256
da63e5701f363f9e84a464599aaa88d69e4926b38fe84b751b509edcbed590eb

SHA512
39caa04e9bd0ed6174c01f843c189c5ac55f9aaf999aa7cc3e66bb6a1789f2da0dded8514d6b43b8b8800e59e4af41d3c2f150d1f6bb21c046e3e400a12c7b28

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
cf29ecae46c2ded41878de10fd33a748

SHA1
56d58b1e3278f1c2a0f0563479a2a6c35f1665a8

SHA256
877ded9dca7b2a9febca78d4753a55483b3cf1abc0745712bb9f7c3e0d67b65c

SHA512
425a247d3a8d4cf375872a61deac5637cd6ea6aa58d5573ba2c4166634b0d56ef4890227395f67389ac477c6d578573229f3b8cdb213560906d91bb5a5191956

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
8df98f71c088dfcd36f3ad13bf5b77d9

SHA1
491b8e06477094966b483f2d98c863f89d5ba90d

SHA256
8c7b6990e9435d6962a211ecba89c0a487e8b0fa6651709ef5be2a23aa8389c4

SHA512
af4cb84837601641b3aa34eab0483053fdd8dc1aa08f234434fadb4ece4908ab22326a598d1b476c1e7757d561229ced31f141562e1ac50dc1b4cbf10ce43cef

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
a330e11c3818dd021daf3c90343a1235

SHA1
72e5785270158e18078bbced8f5cc28035003d29

SHA256
f32c9808c53bf7d212e386380c5383fef472ea836d08378de48e84375906a380

SHA512
fc3ec5bc498e1e0b61527a0c129f7f1af39eda99522662b925dc1d6e95f21307a87114d467ae2e39e2ff9da934e23813e86c1af8c2997b3d6d48eb654a1af2fd

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
5f8588947119b5d6d59d6ef263dc57aa

SHA1
b58d10d5aedae415436b478ff06c9c1dc3718893

SHA256
99f08b637ed66e8962272cde9ae8e2107df919f3d087d29a0e105c3bd326e313

SHA512
e1065b56356107f26f5001483fda15558173c32a384b47beec657021608f3833c82f78826ca0757410ea3a21c7539df769e65658090f86e5b84d500a397cb06f

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
96KB

MD5
86d67c21ea74e8165744d473a60a6022

SHA1
52264735021a6727c58d502fbc68faef03754166

SHA256
9b842a230d759518e533eac71eb6d43fd21d97240ba76dea6b3307b4f8421b2a

SHA512
379fe9ca9de03e49c2fd96d00b2ce14aff5b1de5d7366ab3a30f4b310b821fea0187583bfe1a2e1aac32f60c54d30515faaedb5c9c69da33688cf6f9ffec2edb

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
96KB

MD5
553def62d19a4987b6712b1a026816c3

SHA1
e5cf58fbe62007e4ae4a67d320da66d0e536c49d

SHA256
bbca25ba238a869cd636862da71134115b1eae706ca00d75baf3ec823121a7ab

SHA512
419dd0b4bff76c577830d4a93822116c60d4448be0b1dc7c7d63f9da9ad3cf806aa433726c7fb380f4047bf1a02843fec87ce04e028cddfe0f3e1559c385e940

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
96KB

MD5
19fd51d5b14de02ff1f50e9dfd559f0d

SHA1
31bb89776fd6e84a89d6e4159df25c35e95a8cc5

SHA256
c0e8086b123c418088e189b38980d825bd5fa7794e706da2a58e519f7e2cfd36

SHA512
b6f1d306baf1610e3bc8c0a59a5a247dd191882dd7232faa6db386a2038e8f296b398afa6b7b1a234daf57882de71c9dbc012459000db90acf659b28df78bffd

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
9fe236c3cad713f3982694a207354c80

SHA1
8a0dbc3cf2f601c1d7d31396efed33ee9b7e6702

SHA256
de0f7dfd602db6bf9f2a096c78d9a7565da7fbd52e64c1af9ceb5b58c469de25

SHA512
314c9d05e0b07bfd92956a1f6fa573747d80359d1b3339f8b2dc1c8f24e6348ac272267703ef24dd83c79f3861efc03f338d8cfb1337293adc93c635b36a69d8

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
96KB

MD5
81476cdfcf86b63f30c08eea1cae0de6

SHA1
e41d12a3da5f16c52a2a6770fca6f16969a86055

SHA256
647ad98f055f9817b4b34fa1325bf9b6c0487be0c240cc73ceb672872b554290

SHA512
7144e7f95c52c29755775e209a947057269a6731c93b3c5a3de7ffe2388ed4cd44724d5612151b318020881f6800ee25910d1ec949301016f54d746782f03ea7

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
1deb10b0ff9460b58f66124041d27695

SHA1
0f4edecca193ec0631a31b095c2504be40fa8bcf

SHA256
9483edec8a0bb1363cacc2bb01c650e0649e64949285f5379b1dbfd5c649abac

SHA512
a1ad7de3e2ef3a81f458ccf04af7ee837847bd764501abc3e7504cb04ac5613205cedeb746ee335dcdd7ef26eb37c102e59bd882b6a8f1a3863a2fdb871ce601

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
fcfdce91064ce59245d61101bc5bec37

SHA1
b444645e58999107c2d0abdd62d0c21e68576043

SHA256
156bf026323068802b76abe62f43a85ffd30d8ef4b96070a7cc7548e095bced1

SHA512
4ac235764ac8cdca6a7fce21eb8200275c2dd2980d05a44e73be1a68405ef358399ee0fe39c3b3a29e6b01ba4aa214a6043e96a7bff31067a94a746b2e073e15

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
7aa8322f9d82784832c2c4a13a319136

SHA1
27365516b3715ea56d85a5542ed3526f797e931e

SHA256
fdca4fc505b9f4e537071ea6b0a4af5bc98b2b35f2c4f60c68aca843f68d1986

SHA512
ff7598c60d9e3448148fa73e6c06196882da0e38b522bc82fa6e28aa84906c43e9e0b7d6757f89f94264cfb3b1c0ef3589abbabf0dddb6e87dd41ff64515eb04

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
96KB

MD5
d87c80f9a271464d7ca49d2e70f1d3d0

SHA1
559107d48ce9990822aa8edf14d396806c5ffc6f

SHA256
16120b644b9959b8c24dba6196018f0383c01200664a3f6bc990fad49de6f0f9

SHA512
8fbd3a7cb35eb62777a1501cc43d19ccc8224efa499368dcb8c1ae70eeb56cb9fc012a2ce5f1ba089cb941de70ef739819e1030bbf230d23f12e39e25e23b70d

Download Submit
memory/60-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads