a337eb7e4ab249f5cf69660b1224f9d99a0c47c471e3c3e9bd59a893ad27b876

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091e24bc45b14a65618486344ad74957.exe
Size

96KB
MD5

091e24bc45b14a65618486344ad74957
SHA1

ddeb09d137d97065315166e33d43d7d9116c2ef1
SHA256

a337eb7e4ab249f5cf69660b1224f9d99a0c47c471e3c3e9bd59a893ad27b876
SHA512

8cc899e70fbc061316ddfca21f2a61d66381586192196a4f0544faa34b2e200b23dfb0e4fe4486911c911b03156cd00e9be628503f4983b7df4bd8154406bfbc
SSDEEP

1536:YmTTDabnUG6S8LjtIBp9AOn89yVilAduV9jojTIvjr:9/jShX9V89hAd69jc0v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	091e24bc45b14a65618486344ad74957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe

Executes dropped EXE 41 IoCs

pid	Process
808	Kmlnbi32.exe
4764	Kpjjod32.exe
4628	Kcifkp32.exe
4972	Kkpnlm32.exe
2076	Kajfig32.exe
3660	Lmqgnhmp.exe
4324	Lcmofolg.exe
2340	Lkdggmlj.exe
2016	Laopdgcg.exe
116	Ldmlpbbj.exe
2028	Lijdhiaa.exe
3756	Lpcmec32.exe
1340	Lkiqbl32.exe
2424	Lnhmng32.exe
1996	Lgpagm32.exe
2580	Laefdf32.exe
4808	Lcgblncm.exe
1360	Mjqjih32.exe
1588	Mciobn32.exe
3040	Mjcgohig.exe
4804	Majopeii.exe
944	Mgghhlhq.exe
2984	Mkbchk32.exe
924	Mgidml32.exe
4488	Mjhqjg32.exe
432	Maohkd32.exe
4320	Mdmegp32.exe
1984	Mjjmog32.exe
1108	Mcbahlip.exe
3596	Mgnnhk32.exe
1472	Nacbfdao.exe
3336	Ngpjnkpf.exe
4920	Nnjbke32.exe
4480	Nkncdifl.exe
3136	Njacpf32.exe
4728	Nqklmpdd.exe
1544	Ngedij32.exe
3108	Njcpee32.exe
3536	Nbkhfc32.exe
380	Ncldnkae.exe
4676	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	091e24bc45b14a65618486344ad74957.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2596	4676	WerFault.exe	129

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	091e24bc45b14a65618486344ad74957.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	091e24bc45b14a65618486344ad74957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	091e24bc45b14a65618486344ad74957.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 808	3516	091e24bc45b14a65618486344ad74957.exe	87
PID 3516 wrote to memory of 808	3516	091e24bc45b14a65618486344ad74957.exe	87
PID 3516 wrote to memory of 808	3516	091e24bc45b14a65618486344ad74957.exe	87
PID 808 wrote to memory of 4764	808	Kmlnbi32.exe	88
PID 808 wrote to memory of 4764	808	Kmlnbi32.exe	88
PID 808 wrote to memory of 4764	808	Kmlnbi32.exe	88
PID 4764 wrote to memory of 4628	4764	Kpjjod32.exe	89
PID 4764 wrote to memory of 4628	4764	Kpjjod32.exe	89
PID 4764 wrote to memory of 4628	4764	Kpjjod32.exe	89
PID 4628 wrote to memory of 4972	4628	Kcifkp32.exe	90
PID 4628 wrote to memory of 4972	4628	Kcifkp32.exe	90
PID 4628 wrote to memory of 4972	4628	Kcifkp32.exe	90
PID 4972 wrote to memory of 2076	4972	Kkpnlm32.exe	91
PID 4972 wrote to memory of 2076	4972	Kkpnlm32.exe	91
PID 4972 wrote to memory of 2076	4972	Kkpnlm32.exe	91
PID 2076 wrote to memory of 3660	2076	Kajfig32.exe	92
PID 2076 wrote to memory of 3660	2076	Kajfig32.exe	92
PID 2076 wrote to memory of 3660	2076	Kajfig32.exe	92
PID 3660 wrote to memory of 4324	3660	Lmqgnhmp.exe	93
PID 3660 wrote to memory of 4324	3660	Lmqgnhmp.exe	93
PID 3660 wrote to memory of 4324	3660	Lmqgnhmp.exe	93
PID 4324 wrote to memory of 2340	4324	Lcmofolg.exe	94
PID 4324 wrote to memory of 2340	4324	Lcmofolg.exe	94
PID 4324 wrote to memory of 2340	4324	Lcmofolg.exe	94
PID 2340 wrote to memory of 2016	2340	Lkdggmlj.exe	95
PID 2340 wrote to memory of 2016	2340	Lkdggmlj.exe	95
PID 2340 wrote to memory of 2016	2340	Lkdggmlj.exe	95
PID 2016 wrote to memory of 116	2016	Laopdgcg.exe	97
PID 2016 wrote to memory of 116	2016	Laopdgcg.exe	97
PID 2016 wrote to memory of 116	2016	Laopdgcg.exe	97
PID 116 wrote to memory of 2028	116	Ldmlpbbj.exe	98
PID 116 wrote to memory of 2028	116	Ldmlpbbj.exe	98
PID 116 wrote to memory of 2028	116	Ldmlpbbj.exe	98
PID 2028 wrote to memory of 3756	2028	Lijdhiaa.exe	99
PID 2028 wrote to memory of 3756	2028	Lijdhiaa.exe	99
PID 2028 wrote to memory of 3756	2028	Lijdhiaa.exe	99
PID 3756 wrote to memory of 1340	3756	Lpcmec32.exe	100
PID 3756 wrote to memory of 1340	3756	Lpcmec32.exe	100
PID 3756 wrote to memory of 1340	3756	Lpcmec32.exe	100
PID 1340 wrote to memory of 2424	1340	Lkiqbl32.exe	101
PID 1340 wrote to memory of 2424	1340	Lkiqbl32.exe	101
PID 1340 wrote to memory of 2424	1340	Lkiqbl32.exe	101
PID 2424 wrote to memory of 1996	2424	Lnhmng32.exe	102
PID 2424 wrote to memory of 1996	2424	Lnhmng32.exe	102
PID 2424 wrote to memory of 1996	2424	Lnhmng32.exe	102
PID 1996 wrote to memory of 2580	1996	Lgpagm32.exe	103
PID 1996 wrote to memory of 2580	1996	Lgpagm32.exe	103
PID 1996 wrote to memory of 2580	1996	Lgpagm32.exe	103
PID 2580 wrote to memory of 4808	2580	Laefdf32.exe	104
PID 2580 wrote to memory of 4808	2580	Laefdf32.exe	104
PID 2580 wrote to memory of 4808	2580	Laefdf32.exe	104
PID 4808 wrote to memory of 1360	4808	Lcgblncm.exe	106
PID 4808 wrote to memory of 1360	4808	Lcgblncm.exe	106
PID 4808 wrote to memory of 1360	4808	Lcgblncm.exe	106
PID 1360 wrote to memory of 1588	1360	Mjqjih32.exe	107
PID 1360 wrote to memory of 1588	1360	Mjqjih32.exe	107
PID 1360 wrote to memory of 1588	1360	Mjqjih32.exe	107
PID 1588 wrote to memory of 3040	1588	Mciobn32.exe	108
PID 1588 wrote to memory of 3040	1588	Mciobn32.exe	108
PID 1588 wrote to memory of 3040	1588	Mciobn32.exe	108
PID 3040 wrote to memory of 4804	3040	Mjcgohig.exe	109
PID 3040 wrote to memory of 4804	3040	Mjcgohig.exe	109
PID 3040 wrote to memory of 4804	3040	Mjcgohig.exe	109
PID 4804 wrote to memory of 944	4804	Majopeii.exe	110

C:\Users\Admin\AppData\Local\Temp\091e24bc45b14a65618486344ad74957.exe
"C:\Users\Admin\AppData\Local\Temp\091e24bc45b14a65618486344ad74957.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\Kmlnbi32.exe
  C:\Windows\system32\Kmlnbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\Kpjjod32.exe
    C:\Windows\system32\Kpjjod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 412
        43⤵
        Program crash
        
        PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4676 -ip 4676
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
96KB

MD5
b736f00d240bbe8c956ad26fafb747e0

SHA1
7251c4f4745f3f8b93014d0d3176587f39df6228

SHA256
9a0ff200ae717c862037c4bb373acc37dadee0f1c4167ac1b7434e71af097f36

SHA512
cb3788683a1cb05dec26da91a205d8567c4d3b9a3e0b58f165a0326f8861009cb6b54d947251f12ffd520401bda298ba4f49f07ac2a3e89ab49ddcc4dd9f23d0

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
96KB

MD5
26c3113823017dc46c9508ad117ad45a

SHA1
cc831dbdad079273dbb8c600612fa1d6b8aef55c

SHA256
93250bc63f02dbbe901e19c3427233c7b30a4ec9207e0183d5b2c261fc1733da

SHA512
6b99e682c0de07147aef0087c6af4d62f5d810db7a2822cb895d7d7e2b3b866f1ea2ecd4de405d6affc8f617f2f525c406353e16db57af8287bf92fb06771d73

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
96KB

MD5
56c6088ff7bcb9d3476a4a9b5fa3884b

SHA1
8e15f71a5236ce7f2e7ab588843c2ad099eaa9fd

SHA256
9dc2196a0968ac19e5f5c1b41ddb190c34a3f0d1955ddc34b7086fa228546fae

SHA512
4b2e6b42c058676def0bbda5bcdbb7f9d3bd26cdb6d3ab048e954d582b194edca04593592524c97088bf52024c9c512114c7648dcdcce603b239f41c76992db7

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
96KB

MD5
b84fe560616861d96904a2c0cdc83c3f

SHA1
e369d2ec10ff5fe5808e2c7625f0b9e5b3c7b46d

SHA256
a4ca00997cf3f89f507eeee0ae79250ba3174cbf9da1b9949cd5dd37163bc8bf

SHA512
11e3534a9ff60b5ca083701ff81c916b73706c20a63653c668d555dd787c25f1b138bf2511dea9b5f9bd46d88c5da2868dd2fb0806b132d9dfb565632b283906

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
96KB

MD5
2804ed05b67d4c65c4ed04e0f2169482

SHA1
a0305f415aaa552b02e5f4aedccc35374a9391f2

SHA256
6e97361a9f22b552b917ea0734d447297bc323dd8fe7077ef359363f34c8aa0e

SHA512
1f902e275b24f240031bb421be10ccee9eb89669551ecb2e5459744b0f362e72321473ba9b035ae2fc5a3890831c75de4d291f4a8f2179393ff4fb33f778b91a

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
68dbbc46c098fe59b0ff782f0639a85e

SHA1
72cc2b4035bbd815df74796569de36ab0972a080

SHA256
96ebc0d32664c8a83dc699c27b3e9af29182e0ac8c196d1c73e17b1e9326dcfd

SHA512
ecdd778a57aa164e20f6dae302641d2b502720e743f04b5e1fdff61fb2a4a5a9dd3825c05330534105b81f141749816e1cf2b17212917cebba0210c5d8885524

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
537900903c79c1176154b7e7ff0538e1

SHA1
f93ba58e892c1700d66581e4cdac840f36d801b9

SHA256
8ff5cec154f561322fdf9e5b6036c79344657e322082a4fee881aab278965224

SHA512
54ef55782c97ce591263e88e5aa88a346c13d3e1786e92a327d02e25bd74bb146f959676d573621f9578db83d3173197b21aeeb9ad7d941dcdf8ec421ae7a18e

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
96KB

MD5
f0fd6ce18374491b14641f405ff3820a

SHA1
8d3a622e06f72cc204028d65cc7693d0dbd140bb

SHA256
bfcdce87d2dfceca2b071fa9d36ea875b401a066723446bda8e8ee05670f9268

SHA512
b8ece4766d256db15a0c7d2751e47d4c5d7df904d6722a33d5ad9062726fec68b39f1043ac7b133f82c957d4c735915c6a9a22b1597d205a7028a66c72301fd5

Download Submit
C:\Windows\SysWOW64\Lbhnnj32.dll

Filesize
7KB

MD5
6efed2870fae6d8f3f4fa217cd39d295

SHA1
f22fb2f2bb67c97782e2d19a00f7469590401ce6

SHA256
3b4d5d7259d7a794d309ad6f0509e35c0fa0e17a597e254f851e26d91e69468c

SHA512
990675837a5a8374a5cd77d5aeb6552e6c684d466bc339f241a2d9bd6cd54da7909a8a012134c46a6b4ca080f0539ddb7c0bb275b05fcbe7bdd37ebdf1d31976

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
96KB

MD5
fcf2674f142ec7fe4cdcc8a54d7e0670

SHA1
34deee00b0ec586fd8bd7cd160a605e113098c0a

SHA256
1b646ea4e2fcc1d2ee093b8a8c6d8346ad2511e1743ca65984edea432e285642

SHA512
bf2bdfc2d79df39baf579068d6e31ff9456c2480dafe1b73d12a9a9efd1b6a4613917256bc90f8d2b9c8cc699f02f1aec217f95c28e2e5105df74739556f09a2

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
96KB

MD5
4d3e0a80c0b3731d140156c224daa0a1

SHA1
0e9460d61a79daae4fa6474aeaa045fa5273d481

SHA256
6559e3cbc1fdfea42c1e3a7ba0e1740c1891e1ddcac718aefcdac732476bd511

SHA512
369722bb22db5cd3a7b66d6d5aad197059264d4bd5e1bc808e7550a0eab0cd2befd5d7d3d81df7a3534eab9924dabca47448c185e2098a9537bc10fc4abaacac

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
96KB

MD5
eaaf230540fe4b40e585188d6a0f994a

SHA1
2f77ac1322d39e77d2af94c768391cf570fc65f2

SHA256
77d8024090663caa771882cf9dbbe7a529a7a3e24f19a6d83f62de6dfbc2a3bb

SHA512
64133d8a80bf9f7f1d9c8cfa2d9abbc4a1fff46edc7857b8fb0bb62b90685a059d8214df097cc9326dd18a4a8e4524696fb723e8dca294ef304bd03ab6e341d9

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
96KB

MD5
e9732364805eab5bc7daaea5e64e4f43

SHA1
d09e1b69fe755fdf56a94b0fe6f4eabb00eebc88

SHA256
bae58e2ae3882f0d1f2f03b8087798599b01e726da027c7a2e09bc979aea6893

SHA512
3a200a598a9e5854c911bbbdca891fd3b7bd2bde3dfcad6b0bb16b7c06252ce74fa612eeadd9fc8228e6956d9c7a49d43ee78e616f1eb21ba03b00863542be8f

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
3d7ac20fa7343e7cdb11734f35d82df1

SHA1
889ae7234769966547f271b337d095e0d52f27d3

SHA256
3445dea17773be5ee00de623532c40d2ea017bf77cebf1b0a32627f879a9d90d

SHA512
3dfd955df76127f740c3f727c01f9370240ed83d778f2911019a5a99a4c9caa0b82dfac8c3db613545ccd58b3e9882b933504814fa6351efdd5caded93fe9f61

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
96KB

MD5
1a766fae97b4bd3a99a2f1f4a89963a8

SHA1
5c5c726a8f88393386ec24c811ee6381a34da3eb

SHA256
08818fed6c9aee73fea3a583facbc47151d87b3b21ebe66fb3d684e62024ef9a

SHA512
077f5c37a237233e6151212e01f25753ef5e243dd5f654f934f5c62a1e5c5145132389aa51379ac573d511ea399878f25d58e202474cbd3f090f5e75569f0e56

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
72ac462e78d05670d48c0da67d313e21

SHA1
0790a015cf449264147862ac891595b300786e5a

SHA256
27d3c781bab78a66c9dfcc7602962b69811ae6255100249408c49736bafb4099

SHA512
cbc653f6ea9eb103df2ce5eb765ac61a677a655453f6c1cc553e0574a0d5a06005471fdc29b5716b59bda481da1266454e40480908c7296e56062b35cea93353

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
96KB

MD5
078f136623fc4de1f5b4915aadef81c1

SHA1
a861d1d9053928c66c54046f849b93a4cd1561f1

SHA256
ca8d66e9ec60fd825aacd03bc126de938f931c9d3f26eba8c8e062268f73bf78

SHA512
7193c056eb0989d2a6691a62f3fc9bd50ed6e27eb2560d738131961049c41c7961fec6678742aff658240e6b33195d65b29fdcaed4ffe08623267b9d0881b3b6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
96KB

MD5
d95723b8a40493052923e45ed8110935

SHA1
eb30535f503d179f898ae8f1860a25b25df338d5

SHA256
f1675c3c2ab4c3f51c33dc930784e32b9faeac1a35bcf64297d9614bea483b68

SHA512
152728ae5b5a8ec37517b6decbe789b5d6fe47d28440517f10fcc610211c803f01bc5a4a97974e67782575e0572bc974b23b3146b40ed4bac004f1856b2281fc

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
96KB

MD5
f17021b7341ccfd94e681f16ca8f87c7

SHA1
f0f4fc254c4b445770643cee43173c4adedeb8e8

SHA256
9ed8736a068b0f08ef0938ecfc7b4e1a1677d9cd6d47c3bef6a4045835c208bd

SHA512
8a90bfa2b0138a2bc4e725bea3ef78146c21d0ca295f35796f249e985272f5e9d7847e52168a979e8a87aadcfae23868009115655cbfeaf60ddf03b01b9ae013

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
f50e8e8afc10546f84f0fc072c150a45

SHA1
13867ae7343b9d901f4d3ac440f9f4aea5ffa472

SHA256
385d931d9b36544df724df33fa27c6fcf6caa5119db2bf1e7680af590cde42f0

SHA512
2e3465f2d3b1773f623d2113d58566bc27f295e5262dd4993362a4e18da5e4968b385ed4e4f5a8231baacfd9ad8cf510e7091cf593d868006124c2d07e2355c2

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
33eb286741932b7098b8cc4c3db36d9f

SHA1
4c7f3785b0b78506e472aae966d87ed2dc7c5db7

SHA256
ffd3f20e71771baff59dd7fe38491264df353a5bb1a50416b66a2e5e43707431

SHA512
f303c28b42f2653f082e68b81a08c4b48de392377a89de83699aadf70b643ecfd1e651a7952aff01dd91491b3b09eabe19672e7843320d81b51c75090dd839fa

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
9735cb7615f64756a89119fe7d9242c8

SHA1
af6250a0181e28ba752302666d7ced8e9278d250

SHA256
f21d732e003e7d98b1f2c002d52043bce6c006a177cce7362a38774f9e3323dd

SHA512
48ae87529021e70861ac5225f253620b97ed31a6194f3b0719d1f3a1b4ffd5bddabd364cdfadcd6c1d10272ef91a4eea9e67223c2aee0a03daf56d46773b16ef

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
cea3553dd5aa3aede55c615432e176bf

SHA1
18f608bec5dd8597c428ad588ccf4aa366cad905

SHA256
2a1deaa87ccf1c08eca998568ae509f45b558d56ef3f5494b334236a3f6f81e8

SHA512
a92e47ce2b8bd2ddb314be5e07351039add6198d9fe2e9208ea11759637f109e0d3dc2e146ee9b72e1166c68b588d1b6da2602f4f022399bbb8082a6e754595d

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
908f89108d3c0bdd3c16088e6ef8bb1b

SHA1
3c591a9ed097fd49c9ef16bf664d80f282e0d721

SHA256
9b691d1b945fc4aa906648c3b39d5bfb2dfd63aa63704b261819281886cbf8ae

SHA512
eb066ed670fc900c19b70c51a13d490503a3e06986322fc390526dbbab77169393242c7dea7f663d849b3169508a8c7c8faac439e60f1951bc63a5e30fe72576

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
96KB

MD5
6586ee0f9296a19241617043acfc4f25

SHA1
d39773f64216650cb85184f5c42325abda1120ef

SHA256
2ef2ec70b818e86df71ac7ddb1359e06a331c34ab8c8df93e034bb041b6c2f7f

SHA512
fcdac00f457fbbaa14f1a10d13151fd5ab9d01e53095ca008489a4d889427ed6864f551353be539cae82b180265c0f4bf47e9762f3baf2749f30fce73b7ebc5f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
12bdbf0141e4da305164d809cb62fbba

SHA1
f231817068210f6e258cf77c1cd12e3e40515905

SHA256
a88fd5e60dcad0546a3a561a10b0c3b0ff0f0a79da230db98fd4890cae2a4419

SHA512
d3b1b16ebc92fc417074793c24d6f5f1db001c52905bc785f6604827eca9415e045cf259802a4a4fc261abd6b9f4253093f3bf322617d9b367ba8c766c6131a3

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
96KB

MD5
9c0ef116edc078448d7efe0f4486eb33

SHA1
e5f65c0dd6e9b49ba6eaec1b839e5e5338d8354d

SHA256
6e3388ac20df9060e719878918535e01a99f9c298e4b42be6182a12b912fb644

SHA512
f01ac49e8ad1e89df2a49a3c19489b8ccc75066d28b9b4cecb7889f29b915ec2c293633baf51c5b1bc816f6f37b9e7201f489cfcbdc8442a57b97d98c899a988

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
5f3d7e3e70937139a921ae0eae631e14

SHA1
8eb4dfbdc791fc7ef2ce5776e947044304787131

SHA256
37aec664f0b60927c87a5f95d9401a4af61badc01533fe505adb5104a246371d

SHA512
ac0833e62e47dc5387771d323ddaff4cf4ee7cb6a3944368392c4df323cbc39f5d6ecf7f7f2ba6253abdbc672f168512501c1c071d3e34153f378629edbb104e

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
96KB

MD5
505127732b4199fc2c599e945519af50

SHA1
c6fa71c4f291e4c6ad0f7af71282667d1784a303

SHA256
ba9cc1f830088c4c47fd3fde01e91fef469e41a7c2827e199caae594362dbbbf

SHA512
c3a135847645d0ee32457805701a9d69d631dc37430d28b08978e83d0c8cd232f3e85ddca75a35c7c0ab34eef8057a8c09e548ed33e5d494c1cdd17f17063770

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
4d109dc90b3b1dee609b6b879103e899

SHA1
f916363f6c7f77cad14de0d174f53ee81405b6cb

SHA256
c46eb61fde3a4836aa646f66bf06198d9638eb5c898e7cf140fa9709604d44ca

SHA512
3d3491b77a3bc1357b7568785fb52f6a53584445af46429efe17d12c405633741b2860382e5e095acc8fe5a90cd34822410609c0e71d50e75d7e37fa995e8489

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
96KB

MD5
6224ef05aca54783dbb08e06eeb9ffc4

SHA1
b09e9e6b4b672d0ee270983a349cae52e58f9849

SHA256
dcda51589742a79aa6089c6b4ceb435c12a70d87e3e9677f36b4dd897451c0f1

SHA512
6661a8de94cd3a519aeb824838ea57ddce9eb26528df52ce3344ec94cad44a29d38249348b02ceb3f760abb1852962f2ac90376959285db7f363d435d2b951d7

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
866d00f35560d3f29b841a78e19c23e4

SHA1
a660e67783c601f94abf174d9b3de1e6cd77f812

SHA256
3f0102037b9d95e769bd51778d9a85ff12084e94255d776d5dadaab53a5e66ae

SHA512
f9347c26e3988ca5700c86b2e249a9f93bd572b10a8a0148c3d75a7a7246e3caf9b35df030c06e96e97f86438d17ea65a490f2418ce3ceae00ce643ecde1fd63

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
96KB

MD5
001f60862b35a9fd0018821232cb9170

SHA1
6ecb9b972c6dba3f5f063a0f41d6628da8b76604

SHA256
8ef601cb2f5343f13ac803730664ceaaa42afde88e43bdecbaa70aa40b59fffa

SHA512
253a8e4015419f3116eeca49fe554d6ea9bec02095b06435da96ba0e849c94ee2f60ffc7021bf9f19aeb39a292fa86a538a2ff71785dfce702b96eca214751fe

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
3bee9073f4c12e01b5f3e089c81fb007

SHA1
c16175a99fbaf8eac2ba535459b531b8a372d85f

SHA256
6d3487d73a90f6d45bff0be8158adbc5ea9a543cdd019af540117efd10c8190c

SHA512
67c494e99c248b6592557ac326d78ff41bcf1eb2bc855d919568ddf56ba34ef39e60a9e5e203948e3249f395349f0cbfb9c13975e3ce5bb7f924e84bb93adf5d

Download Submit
memory/116-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/808-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/944-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/944-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1360-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1360-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-331-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3336-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3336-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3756-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4728-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4728-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4808-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4808-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads