ae40ddf98d748a2ec71fc39125178105999870bc918881454e1707447e1422d3

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c8b77dc1b55380e0061102f2c7232f.exe
Size

1.1MB
MD5

00c8b77dc1b55380e0061102f2c7232f
SHA1

9566e67ea0fef1ab6a3a0c72e9af272f19142375
SHA256

ae40ddf98d748a2ec71fc39125178105999870bc918881454e1707447e1422d3
SHA512

5da726f529d455c2f1c75fa346ce113556e6c87da46a24744909170714e34aec2619090fbb623d4c56c0284c1a9559a3ce8c6664af35c01ce5006aa832afd2a0
SSDEEP

24576:8PaHLcrQg5Wm0BmmvFimm0MTP7hm0BmmvFimm0HkEyDucEQX:8CmQg5SiLi0kEyDucEQX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe

Executes dropped EXE 49 IoCs

pid	Process
3184	Kpccnefa.exe
4188	Kkihknfg.exe
2056	Kkkdan32.exe
3284	Kbfiep32.exe
3436	Kajfig32.exe
868	Kgfoan32.exe
2216	Lpocjdld.exe
4004	Lgikfn32.exe
2736	Liggbi32.exe
2324	Ldohebqh.exe
4652	Lgpagm32.exe
4824	Lphfpbdi.exe
3992	Lgbnmm32.exe
2576	Mciobn32.exe
4368	Mjcgohig.exe
5088	Majopeii.exe
1660	Mdiklqhm.exe
4280	Mgghhlhq.exe
1636	Mjeddggd.exe
3680	Mamleegg.exe
2516	Mpolqa32.exe
2480	Mcnhmm32.exe
1216	Mgidml32.exe
4708	Mjhqjg32.exe
3232	Maohkd32.exe
3320	Mpaifalo.exe
3660	Mcpebmkb.exe
2596	Mkgmcjld.exe
2780	Mnfipekh.exe
3828	Mpdelajl.exe
4324	Mcbahlip.exe
3008	Mgnnhk32.exe
960	Nnhfee32.exe
1452	Nqfbaq32.exe
4856	Ndbnboqb.exe
1008	Ngpjnkpf.exe
1632	Njogjfoj.exe
2964	Nnjbke32.exe
2592	Nqiogp32.exe
1116	Ncgkcl32.exe
4124	Nkncdifl.exe
3412	Nnmopdep.exe
2156	Nbhkac32.exe
4628	Ndghmo32.exe
3476	Nnolfdcn.exe
2240	Nqmhbpba.exe
464	Ndidbn32.exe
388	Nggqoj32.exe
2632	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	00c8b77dc1b55380e0061102f2c7232f.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	00c8b77dc1b55380e0061102f2c7232f.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	00c8b77dc1b55380e0061102f2c7232f.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe

Program crash 1 IoCs

pid	pid_target	Process
808	2632	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	00c8b77dc1b55380e0061102f2c7232f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	00c8b77dc1b55380e0061102f2c7232f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	00c8b77dc1b55380e0061102f2c7232f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3184	4772	00c8b77dc1b55380e0061102f2c7232f.exe	86
PID 4772 wrote to memory of 3184	4772	00c8b77dc1b55380e0061102f2c7232f.exe	86
PID 4772 wrote to memory of 3184	4772	00c8b77dc1b55380e0061102f2c7232f.exe	86
PID 3184 wrote to memory of 4188	3184	Kpccnefa.exe	87
PID 3184 wrote to memory of 4188	3184	Kpccnefa.exe	87
PID 3184 wrote to memory of 4188	3184	Kpccnefa.exe	87
PID 4188 wrote to memory of 2056	4188	Kkihknfg.exe	88
PID 4188 wrote to memory of 2056	4188	Kkihknfg.exe	88
PID 4188 wrote to memory of 2056	4188	Kkihknfg.exe	88
PID 2056 wrote to memory of 3284	2056	Kkkdan32.exe	89
PID 2056 wrote to memory of 3284	2056	Kkkdan32.exe	89
PID 2056 wrote to memory of 3284	2056	Kkkdan32.exe	89
PID 3284 wrote to memory of 3436	3284	Kbfiep32.exe	92
PID 3284 wrote to memory of 3436	3284	Kbfiep32.exe	92
PID 3284 wrote to memory of 3436	3284	Kbfiep32.exe	92
PID 3436 wrote to memory of 868	3436	Kajfig32.exe	94
PID 3436 wrote to memory of 868	3436	Kajfig32.exe	94
PID 3436 wrote to memory of 868	3436	Kajfig32.exe	94
PID 868 wrote to memory of 2216	868	Kgfoan32.exe	95
PID 868 wrote to memory of 2216	868	Kgfoan32.exe	95
PID 868 wrote to memory of 2216	868	Kgfoan32.exe	95
PID 2216 wrote to memory of 4004	2216	Lpocjdld.exe	96
PID 2216 wrote to memory of 4004	2216	Lpocjdld.exe	96
PID 2216 wrote to memory of 4004	2216	Lpocjdld.exe	96
PID 4004 wrote to memory of 2736	4004	Lgikfn32.exe	97
PID 4004 wrote to memory of 2736	4004	Lgikfn32.exe	97
PID 4004 wrote to memory of 2736	4004	Lgikfn32.exe	97
PID 2736 wrote to memory of 2324	2736	Liggbi32.exe	98
PID 2736 wrote to memory of 2324	2736	Liggbi32.exe	98
PID 2736 wrote to memory of 2324	2736	Liggbi32.exe	98
PID 2324 wrote to memory of 4652	2324	Ldohebqh.exe	99
PID 2324 wrote to memory of 4652	2324	Ldohebqh.exe	99
PID 2324 wrote to memory of 4652	2324	Ldohebqh.exe	99
PID 4652 wrote to memory of 4824	4652	Lgpagm32.exe	100
PID 4652 wrote to memory of 4824	4652	Lgpagm32.exe	100
PID 4652 wrote to memory of 4824	4652	Lgpagm32.exe	100
PID 4824 wrote to memory of 3992	4824	Lphfpbdi.exe	101
PID 4824 wrote to memory of 3992	4824	Lphfpbdi.exe	101
PID 4824 wrote to memory of 3992	4824	Lphfpbdi.exe	101
PID 3992 wrote to memory of 2576	3992	Lgbnmm32.exe	102
PID 3992 wrote to memory of 2576	3992	Lgbnmm32.exe	102
PID 3992 wrote to memory of 2576	3992	Lgbnmm32.exe	102
PID 2576 wrote to memory of 4368	2576	Mciobn32.exe	103
PID 2576 wrote to memory of 4368	2576	Mciobn32.exe	103
PID 2576 wrote to memory of 4368	2576	Mciobn32.exe	103
PID 4368 wrote to memory of 5088	4368	Mjcgohig.exe	104
PID 4368 wrote to memory of 5088	4368	Mjcgohig.exe	104
PID 4368 wrote to memory of 5088	4368	Mjcgohig.exe	104
PID 5088 wrote to memory of 1660	5088	Majopeii.exe	105
PID 5088 wrote to memory of 1660	5088	Majopeii.exe	105
PID 5088 wrote to memory of 1660	5088	Majopeii.exe	105
PID 1660 wrote to memory of 4280	1660	Mdiklqhm.exe	106
PID 1660 wrote to memory of 4280	1660	Mdiklqhm.exe	106
PID 1660 wrote to memory of 4280	1660	Mdiklqhm.exe	106
PID 4280 wrote to memory of 1636	4280	Mgghhlhq.exe	107
PID 4280 wrote to memory of 1636	4280	Mgghhlhq.exe	107
PID 4280 wrote to memory of 1636	4280	Mgghhlhq.exe	107
PID 1636 wrote to memory of 3680	1636	Mjeddggd.exe	108
PID 1636 wrote to memory of 3680	1636	Mjeddggd.exe	108
PID 1636 wrote to memory of 3680	1636	Mjeddggd.exe	108
PID 3680 wrote to memory of 2516	3680	Mamleegg.exe	109
PID 3680 wrote to memory of 2516	3680	Mamleegg.exe	109
PID 3680 wrote to memory of 2516	3680	Mamleegg.exe	109
PID 2516 wrote to memory of 2480	2516	Mpolqa32.exe	110

C:\Users\Admin\AppData\Local\Temp\00c8b77dc1b55380e0061102f2c7232f.exe
"C:\Users\Admin\AppData\Local\Temp\00c8b77dc1b55380e0061102f2c7232f.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\Kpccnefa.exe
  C:\Windows\system32\Kpccnefa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\Kkihknfg.exe
    C:\Windows\system32\Kkihknfg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\Kkkdan32.exe
      C:\Windows\system32\Kkkdan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        50⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 412
        51⤵
        Program crash
        
        PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
1.1MB

MD5
4201ba15b791f1aea1da68f12d6b8f83

SHA1
0e653c11cd761abfafcee043cbe6f87dd964cf95

SHA256
cfb075e91bb3418369a2276432ee6a1e9030054830d0cb80c22a4e1430f55cd2

SHA512
644aecca6630013ec5af30a9e3af10ccc4873fbaf4051c46333c6ddd0368dc10a1f380ed1dc2264681deb25e6f7ee565bba7b0c6ce40192d14ef72df63cb98ff

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
1.1MB

MD5
a20502240ef737c68584f7b0e208afa7

SHA1
a8c6aa8e97fce4f71326ca7c4a895b1b6e9ace35

SHA256
7bbe03700f42006e453a5485e410ba4fb89fad96b0378e57eda2d3bdb8c1a92f

SHA512
06e07158702cd3b5ccd0b85302a2006ef42f5f2365f2286e7d0af290f45ed4344c7343f78b3384a1163fcf28408912230c6c3d3693786c4831e8a99a5a099d9a

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
1.1MB

MD5
c03891b8b045138d1dccdc8efa906b6a

SHA1
edb0f79fac312b7fae1111fec901fe3e9524e979

SHA256
5c55e47555ba2a6d45b3730ebd61773721723a95e7349f4adc4840676239730d

SHA512
781865122e27805398b2a80e1cc93612912f4c4c63d356b348dde1eeba906141085460634f1439c6943153117fd68af0cec21a734a32fb73875ccee0e5fea589

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
1.1MB

MD5
10e3dbd0db2b9af6427e7b6a4316754d

SHA1
e19fff615194d702d61c016c36923dec7b411508

SHA256
5e34cc16ce7de20c079bcd99fe456d1b8f560c3ee57f480f4d55094026035296

SHA512
ecc3acb9ec32a5959b9618aebf6741c1451f340b6be751c16a79bd58ca89a22dcbab373a226dc75185bc497b3a6118e7de6c1d75c48974b37a86590eb56c8e79

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
1.1MB

MD5
374cbd8ab8ffb0bcf4c5ffcb48a0a56e

SHA1
b3a4ee21f720553f0c5c809047edcea93dfdfca6

SHA256
a6c5cb1dd58e7b158c85e4a054cada41bcc997fc7fed409f849610ce503641cd

SHA512
67cedcf3ec7fbf7d490d13e78620a34c230366ce7884d22dfcd11e1d17a6f4f26c6b4c18ae2d90ce663bf1064a3e5dec8c1761a9bf11b4951e7caaf24d8054a6

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
1.1MB

MD5
76d2cc157b1b37504890c3fbdcabf49d

SHA1
284b3d1181a548bfcbfce57665f87d000dbe35f4

SHA256
3ab6acb4973e326f22969ce5cf59eeda10995c9f7c3792bfc84e595c8dc6cf67

SHA512
3aef25d30416ebffe0abb1a90d180b62b427570337dc2bb0a90ec3499db3a7f46d48914f266b67fe4137a4edde1b2a6eca86e38f07f9bc3c7557a5f3b4cc515a

Download Submit
C:\Windows\SysWOW64\Lbhnnj32.dll

Filesize
7KB

MD5
6efed2870fae6d8f3f4fa217cd39d295

SHA1
f22fb2f2bb67c97782e2d19a00f7469590401ce6

SHA256
3b4d5d7259d7a794d309ad6f0509e35c0fa0e17a597e254f851e26d91e69468c

SHA512
990675837a5a8374a5cd77d5aeb6552e6c684d466bc339f241a2d9bd6cd54da7909a8a012134c46a6b4ca080f0539ddb7c0bb275b05fcbe7bdd37ebdf1d31976

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
1.1MB

MD5
5300d0b05de4b22eb4429b04761608df

SHA1
904e336f42007c1a8c355dc5619c8868d0e55a40

SHA256
a7862eeb9d3219d9cd4e0f8764050e36eb2906f6c2326207794435f94b473a74

SHA512
345a91721bafc045b98f309f64b0835672a6b1ae57c910a0e958046ae2cb6894d89c16945e4c3c0dc9006aa1445da5b4b1604d8c25c86074ec28d0f392961b1d

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
1.1MB

MD5
e7b1823e873128d3cb861b94e0187f47

SHA1
b48e2c484ba16dd5260398f0423f9b0ddefd512b

SHA256
7fbe5f109e33c67a64de02f45eb4af6cb60a10a461421a6cbb8c078fc3bc182b

SHA512
5dcc45ad3c006de01a105fa86e1f841066e502214654e79afd79bdb9c39df8cd3212a00ee4f39282f56e537e3992b3df83c724619c1d3b0c22c35c5a032f5427

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
1.1MB

MD5
76384ee04b29265042aed1d1de6b3616

SHA1
594eab2eb1ab45e38a4567c40354204e5ca4ba09

SHA256
b21968d6480f049915e65e69942de758b225ca178b560ae20540bdbf88616aa7

SHA512
e447bde126c928b2121d750f8d9ec147e5448263e20c7d13152765ab772eb964a0bca604f5f0dda53cb31d58feaf8ce494cf8716b6809f4ed74e7b937606d875

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
1.1MB

MD5
7371670a2d66a29efb61f05a534d7386

SHA1
b5cf88fce3748b34ce390876a08314a412add432

SHA256
f2904566a6bf1a6305aaeb955d0b3e6f5d6da19dd30c4d0ae66b238c9b60dce9

SHA512
702cbace4d655c4b0bad77f4ddb74fe2c9b136344dcb0b914ef8cb002df41c1434a89f791e771c950492452c39b20491f203c8fc1ee92080a3c7f714597a0402

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
1.1MB

MD5
907162cd1b69c1af04f7732baaca7746

SHA1
39af3caa55b80e81c1fc7d80481609349be9b5ad

SHA256
97d60eed6a3b5a54b5f46908f5d33cc32ca938855e49f7a13ce902e1a11b467d

SHA512
056e194f96c9df907997c6b361bb14d5455d94cc2f47b9465f2f9a13cd0a3e5507d5bce0a96c7b4db2553e76c9d74e3bd128fcffed582c7a6f6a1c7f4ed8e1e5

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
1.1MB

MD5
b3b3eafcd9566ec09af0c893bb20124a

SHA1
63b1d5895ede611af949a9ee4845f03c44fa542e

SHA256
72eb0600bd784a79e00c0ab490930e2e699097f7c75e3f6b7fc91c19b53d7e8c

SHA512
0f3bd8c12e1e47a4c01ee0635b2fccf2c501854c11cd2253b098d12f22d3130378eae445b69501a00d9d148febfa236ca6914a36920223e26ac56e897a247e69

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
1.1MB

MD5
5d1bce1bd97ec352c4fc94783ea3f9d1

SHA1
60a006f10dd1fd871fca8cff2b570bab7af6595a

SHA256
0bd2c2dcb2aa3cd4e7453706f59767890990ca7a7690e595d7cfc46fb136b2cc

SHA512
9616dd3f23e889f149cb9f0de610fea9a36f45106ced650a817c199c6a53e7bc5433e5045de9059cd8029ca914dbd22151ee69dda0ba2a5b04633a55f8c361b9

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.1MB

MD5
39339ae8a9d214539501304f9af3fbc8

SHA1
ba14922951ac6875c49096cc51cf87212cb68861

SHA256
d841e9d0749d98bec1a13b083a6ce94007488607d7010946f1c124f1edbbbf93

SHA512
7a7103c2bd5c060fa80d32ca7c2b0951eee0a514936204c22ecf8ad2b5a7410cec668bdae7428a7c14fd3b5a047c7c40315c2ef9ee1fc03cdc9760ba67607fe2

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
1.1MB

MD5
437ec2553cefb36b67fdc2c59d621165

SHA1
611760291ea3400a10be7a6c4dba9743e0a084d4

SHA256
c292246a5a7c6c78fde2c69f17fbdfcd2a2d97e3d092a92362692900031c6e92

SHA512
2fb52bdcd99213fe0bd4f878a20b2f36abe15ef1f7c1225e1e0073ff6f8ec4a4eada2eb8554c01004bffbe75b34d1702a9ae9dede14559cff2c761e21829102e

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
1.1MB

MD5
74ad6741a5a5c16a05411d1db7604c67

SHA1
d95e6fd5c3be511cccb1dcbe40b8cb9b2d9244af

SHA256
82b019339729740acb4cfd68189da234b4215b20bc2647f9544ba3b2030b6bec

SHA512
34c9a8b4e21ef077771d1a7d4d9507d8f8254ca6dbed4739089a2489434342c54072a32c8f31ff179f8c4113e6bf0f69c8f7108c6d8872136dd49e2088cc20f2

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
1.1MB

MD5
1c4618829bc8b0ddc7da8d0760128b75

SHA1
cbb44f477051fc72a8370a724f6cceb0cf88dbb8

SHA256
bcfe205d27a1d11a36f20a1867ca6a19ba17c9e4c1eb9c06f2a1c341f1a88cf4

SHA512
79d90952fc58879f91ecd5ee4d78c3530a863fbadfac703b8033935ba0a9f4a34bb968192a1584a2640d4d8ed516977e021b7a2a8758e36c2601588a74254c34

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
1.1MB

MD5
adf1776c1a716800ef4ea0886238ad27

SHA1
72867423fe0ed51d9ab2d32d871fd6873b992fbd

SHA256
ac3d0f5c7debeb40c30db3207a78036ed2194bda4c5d2fdf0aec6df961617af4

SHA512
bdcedd90c2a30fde754f4d202a422cb9ab91201eb6ee0635bcafad52c860d2573d798cec4740716c45fa221d573d25fe7fe89b9aa56d5c84cf68db1c028a9d20

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
1.1MB

MD5
e44c05ef3610922f05e00d4966cd3a87

SHA1
9c73183768b392fdec1f31eddb8b1355fefa2a00

SHA256
d84dd119820e98fa95a891d8c38a41e1f85d5dc48b0128246d42bf984488a8a4

SHA512
75ccb1bd83b15798ea2a8695506955d045d196af2e7f912fe9f9a1c88fc42d663b855a2409cbc50eb396e0436694bbb03bd3d4c1e33aca210c26737c5edf78fe

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
1.1MB

MD5
c368f6a3b50c1a37a1e0df3af7ae82e7

SHA1
74fe5fcca63c4c167d6f5b81725045f795fe66ba

SHA256
c5e64a2a6a05485a453890b1084aef7ac638ee50de2384da34dbbdd4ad53ad04

SHA512
f225f583bf3c3603006019c18ddd71d2dde91e3e6bc1a3c2441043f04e7713121d5caf3123a820906b08fefc2af7cc5ba440946ef072470c11c5e335e8c9d578

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
1.1MB

MD5
00ab7e7aaff53508d3fcfb6ec030cb45

SHA1
0116e224a3baf22ffc3cbfbf5095562853cb6e68

SHA256
78188bcbe5a69f5e914db6c131e6d8a5f7e33ed1faba0f6899f1fb1bb5b4c7b7

SHA512
af72861144fc1e9ab39d50f4b869bf7f6ab314637cc9f19f1955276f62ef41735752882774f09c9aa1d8d384c1037703da12c380e09fd5f23176463d95b7d7b6

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
1.1MB

MD5
0139277d844d94c473335ccba863da05

SHA1
c0f3b4a1a0f8dbdd6f1dea74b0f2ab737a3eb62b

SHA256
9bfc399598cbae7ae0505264b4e51ac248486f3016447316bcc154410871ccf3

SHA512
cc7c713fa6b28779936ad0c487444c4bd11d5385a166fb0bad9ef7bd3950ecfd08b6b1942cc0d3ef9ba84231f11d27139418280874f204b083f5156db54037f1

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
1.1MB

MD5
e1ea2b521eff79949425a41d062c4881

SHA1
b38e493dd9a326efa4f6a90dd95c98317017311f

SHA256
8724393fa72298ac9e854d8c22b1bbdc0cd45eb430e4418e8f58ce184ed05121

SHA512
4a5a7dd00aadf441765f1871160eea4db5b6d50484cad20de027e818d9876c04dde3fec7f4b662daed8a43f1958342f3b534c3fcc1f485e110fb5435b062d7ab

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
1.1MB

MD5
aa4d07b1be0222a955481ee487318085

SHA1
0c496cd996d0fac34f6c9230e9a891639e4fa85a

SHA256
c46f7d26871ed6e2c4882a793d5682575d0798ed594243540b92f414c03a1205

SHA512
6331c63048a017d48fc7fdd9caf63678a7c03ad3b64e14d92b365b1ce2c436b57f44a7e040db8d7388fbadba59845e24b7d54b324f01f3bdaa8e58156d5ffecf

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
1.1MB

MD5
1fb0fb81619e0b2e0a1ade80feb17626

SHA1
22ea98291882d996f20f5536e4a1b9b1c359fd2a

SHA256
cef331a59e46cdcfec26456a7a58854187d40cb9984177caf3396dac31df7154

SHA512
b79bb8e5a2fddd33637db47d985bbb7bcd75ee17ae194908a0b2c6db5bbff493d3468904a57912b84733a03f18f19c8ec863ffd951fce69afabf31a89e624442

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
1.1MB

MD5
cbd92f5cda8a59652668d3bf619bcaef

SHA1
0f91f797392077f047fdafb81a9da4609563fad9

SHA256
b324ff8676df052e40f95cb91baa599298de49a86af7ab0d604766bbe1a6285f

SHA512
5a0f4753b5f3738c772aac09ebbce31113c5f0d37bff9730252ad27ffa8c5520800f4b79307f36d96500c18894fa50a1b2cf30eddc4cec4e596e31d359988e17

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
1.1MB

MD5
dcfb3ad73b9371e9fdfbdd48a315c3e0

SHA1
e68c0057abe2d59a766f773ff6037b80b5646e06

SHA256
d95f9f0737575b0ac45b872c18be22b3463cd0a7a6bea1c027b4107146a90e4d

SHA512
8325c9a34c5452a807b0e77cb922db78f7598f4265373bc2f95410e7b19dfe6bdb1d40d1ebfb9fc274a29946cc09be9a3cdf9b9f3d9111b9cbc8550d81cb3e72

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
1.1MB

MD5
5cb46a41656698edb185a65c9d43043e

SHA1
746b2dee4011a494c0996a32e5c39c4c587cdabd

SHA256
4e731290539c9f8f01ce1b03bdfa9df53293337fd6882fa0c2cd792d49f82546

SHA512
ab10634bcf6d786d1a1c0092a1af34cbbe672f6c0f28af1c98c1fd12da9fd7d7fe6abace1297d3f4a8f92966f556527cdbc20ff7bfe82f93bdbf5c38a40d1051

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
1.1MB

MD5
bdcaf77b444cf3a98a2e41767a7eafff

SHA1
a2967b73f08e126c0c9581c8f143d8f182c154c6

SHA256
7d63dd62cd80ff5d30065b172c80d1b9e73d6b2534c79bbc79d8af34b6a03869

SHA512
c1e6fa20db0a97fb25d145bcea8fd83e017ca6bd52aae4c419219fd472d065a25d21f9003bc51a9265c912fcffe0845d1b07823e989d9f3318cc5515f41a7d64

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
1.1MB

MD5
b9fea5485618f35ffb6cb51cdf417f11

SHA1
64c56aa171d2062078e4a87507e0b9f4ae0904d2

SHA256
38bee03f860d9402fb909bd1a5970246dbe2d701009a73f8b7c7f363c6f9e55e

SHA512
91378798f77ed4122bc1b1f22a45ee12cd84104de20c28f2a9aab50d22aa800709449f4ae471d485007d64c0a5bf01a0c5e2017529c4a2679fade7371c5ab076

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1.1MB

MD5
e037e7a86075ca75f147e5d9dab8b964

SHA1
4905222e5b94654448d782d902884a2cd4cef1fb

SHA256
a8709138f6f77df81003e8e40db6b041c061bb002aea92156a8a84fb75060259

SHA512
ec1e903f655c55a304041387fe6d890c2bbdcdaa1bc4a2afd42c5ca098b50d3dbe88ca3ebed3b716ce6e21b32cc4819a7795f4a40cb4d871932a1154dd896675

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
1.1MB

MD5
04b1248593fb5b65462c04bdadc0b873

SHA1
789d0a6ef2c40eff58a31b261122762086819582

SHA256
99485ad496d110c104174dcdb293eb46aa17dedf4b6b92e7f1ea6df53d8b3826

SHA512
9de563979a663c6e15673af3019cabb161de2c455c1fc747ec3e9fd8dcb2da45fd2c32eaca06c97331fed055510f247e8cae20b5b31898e7dc7ad8b95583309c

Download Submit
memory/388-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/464-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/868-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/868-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/960-352-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1008-347-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1116-341-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1216-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1452-350-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1632-345-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1636-337-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1660-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2056-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2056-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2156-336-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2216-366-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2216-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2240-332-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2324-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2324-365-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2480-346-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2576-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2592-342-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2596-359-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2632-327-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2736-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2780-358-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2964-344-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3008-353-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3184-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3184-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3284-363-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3284-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3320-357-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3412-338-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-368-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3476-333-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3660-360-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3680-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3828-356-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3992-364-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3992-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4004-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4124-339-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4188-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4188-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4280-334-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4324-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4368-362-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4628-335-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4708-351-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4772-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4772-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4824-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4856-348-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5088-329-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads