6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
Size

64KB
MD5

3e03fe41a2ce84cfb556baaf97b797c5
SHA1

e8ba267e2dcae55d4345e001356bbece01d28617
SHA256

6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c
SHA512

8d17c8b74a756278a8e9323ee7c0f77f63d9ea7bbae23f846b4e5392b2f7e7d31d70029b142314b74ecb9b7cb4355afb903d109e0ae43dfa9a430a28abdf51a2
SSDEEP

1536:Igyh+JkAj+/nRGpl4he1LN3/NoE8WV4ZbleO6XKhbMbt2:ty4kA5p6he1LN3/NnmZbQO6Xjt2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe

Executes dropped EXE 39 IoCs

pid	Process
2996	Lgikfn32.exe
4632	Lmccchkn.exe
4876	Ldmlpbbj.exe
3836	Lijdhiaa.exe
4588	Laalifad.exe
1456	Lkiqbl32.exe
3376	Lnhmng32.exe
1756	Lcdegnep.exe
676	Ljnnch32.exe
5000	Lphfpbdi.exe
3112	Lknjmkdo.exe
3796	Mjqjih32.exe
3268	Mahbje32.exe
368	Mciobn32.exe
4028	Mkpgck32.exe
2680	Mnocof32.exe
4988	Mdiklqhm.exe
1908	Mjeddggd.exe
4224	Mpolqa32.exe
1204	Mcnhmm32.exe
3620	Mkepnjng.exe
4848	Mpaifalo.exe
2552	Mcpebmkb.exe
3588	Mkgmcjld.exe
4584	Mnfipekh.exe
392	Mpdelajl.exe
1876	Mgnnhk32.exe
2524	Nnhfee32.exe
560	Ndbnboqb.exe
764	Ngpjnkpf.exe
784	Njogjfoj.exe
1540	Nafokcol.exe
1856	Ngcgcjnc.exe
2044	Nkncdifl.exe
1144	Nbhkac32.exe
2532	Ngedij32.exe
1420	Nbkhfc32.exe
1672	Ndidbn32.exe
4492	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	4492	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2996	888	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe	85
PID 888 wrote to memory of 2996	888	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe	85
PID 888 wrote to memory of 2996	888	6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe	85
PID 2996 wrote to memory of 4632	2996	Lgikfn32.exe	86
PID 2996 wrote to memory of 4632	2996	Lgikfn32.exe	86
PID 2996 wrote to memory of 4632	2996	Lgikfn32.exe	86
PID 4632 wrote to memory of 4876	4632	Lmccchkn.exe	87
PID 4632 wrote to memory of 4876	4632	Lmccchkn.exe	87
PID 4632 wrote to memory of 4876	4632	Lmccchkn.exe	87
PID 4876 wrote to memory of 3836	4876	Ldmlpbbj.exe	88
PID 4876 wrote to memory of 3836	4876	Ldmlpbbj.exe	88
PID 4876 wrote to memory of 3836	4876	Ldmlpbbj.exe	88
PID 3836 wrote to memory of 4588	3836	Lijdhiaa.exe	89
PID 3836 wrote to memory of 4588	3836	Lijdhiaa.exe	89
PID 3836 wrote to memory of 4588	3836	Lijdhiaa.exe	89
PID 4588 wrote to memory of 1456	4588	Laalifad.exe	90
PID 4588 wrote to memory of 1456	4588	Laalifad.exe	90
PID 4588 wrote to memory of 1456	4588	Laalifad.exe	90
PID 1456 wrote to memory of 3376	1456	Lkiqbl32.exe	91
PID 1456 wrote to memory of 3376	1456	Lkiqbl32.exe	91
PID 1456 wrote to memory of 3376	1456	Lkiqbl32.exe	91
PID 3376 wrote to memory of 1756	3376	Lnhmng32.exe	92
PID 3376 wrote to memory of 1756	3376	Lnhmng32.exe	92
PID 3376 wrote to memory of 1756	3376	Lnhmng32.exe	92
PID 1756 wrote to memory of 676	1756	Lcdegnep.exe	93
PID 1756 wrote to memory of 676	1756	Lcdegnep.exe	93
PID 1756 wrote to memory of 676	1756	Lcdegnep.exe	93
PID 676 wrote to memory of 5000	676	Ljnnch32.exe	94
PID 676 wrote to memory of 5000	676	Ljnnch32.exe	94
PID 676 wrote to memory of 5000	676	Ljnnch32.exe	94
PID 5000 wrote to memory of 3112	5000	Lphfpbdi.exe	95
PID 5000 wrote to memory of 3112	5000	Lphfpbdi.exe	95
PID 5000 wrote to memory of 3112	5000	Lphfpbdi.exe	95
PID 3112 wrote to memory of 3796	3112	Lknjmkdo.exe	96
PID 3112 wrote to memory of 3796	3112	Lknjmkdo.exe	96
PID 3112 wrote to memory of 3796	3112	Lknjmkdo.exe	96
PID 3796 wrote to memory of 3268	3796	Mjqjih32.exe	97
PID 3796 wrote to memory of 3268	3796	Mjqjih32.exe	97
PID 3796 wrote to memory of 3268	3796	Mjqjih32.exe	97
PID 3268 wrote to memory of 368	3268	Mahbje32.exe	98
PID 3268 wrote to memory of 368	3268	Mahbje32.exe	98
PID 3268 wrote to memory of 368	3268	Mahbje32.exe	98
PID 368 wrote to memory of 4028	368	Mciobn32.exe	99
PID 368 wrote to memory of 4028	368	Mciobn32.exe	99
PID 368 wrote to memory of 4028	368	Mciobn32.exe	99
PID 4028 wrote to memory of 2680	4028	Mkpgck32.exe	100
PID 4028 wrote to memory of 2680	4028	Mkpgck32.exe	100
PID 4028 wrote to memory of 2680	4028	Mkpgck32.exe	100
PID 2680 wrote to memory of 4988	2680	Mnocof32.exe	101
PID 2680 wrote to memory of 4988	2680	Mnocof32.exe	101
PID 2680 wrote to memory of 4988	2680	Mnocof32.exe	101
PID 4988 wrote to memory of 1908	4988	Mdiklqhm.exe	102
PID 4988 wrote to memory of 1908	4988	Mdiklqhm.exe	102
PID 4988 wrote to memory of 1908	4988	Mdiklqhm.exe	102
PID 1908 wrote to memory of 4224	1908	Mjeddggd.exe	103
PID 1908 wrote to memory of 4224	1908	Mjeddggd.exe	103
PID 1908 wrote to memory of 4224	1908	Mjeddggd.exe	103
PID 4224 wrote to memory of 1204	4224	Mpolqa32.exe	105
PID 4224 wrote to memory of 1204	4224	Mpolqa32.exe	105
PID 4224 wrote to memory of 1204	4224	Mpolqa32.exe	105
PID 1204 wrote to memory of 3620	1204	Mcnhmm32.exe	106
PID 1204 wrote to memory of 3620	1204	Mcnhmm32.exe	106
PID 1204 wrote to memory of 3620	1204	Mcnhmm32.exe	106
PID 3620 wrote to memory of 4848	3620	Mkepnjng.exe	107

C:\Users\Admin\AppData\Local\Temp\6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe
"C:\Users\Admin\AppData\Local\Temp\6a1c610007dc5b6d731f6aa063f48d8d7d68ee367443178fdab9a55b4f25a00c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\SysWOW64\Lgikfn32.exe
  C:\Windows\system32\Lgikfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\Lmccchkn.exe
    C:\Windows\system32\Lmccchkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 400
        41⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4492 -ip 4492
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
64KB

MD5
5f39e32869e44cdd9e68c8f068c0e4ad

SHA1
3a3ddac05123e4e46782bb5c2855f2d19ec4c097

SHA256
dc4d1b9ffc3c7caa12d2729c2ddf3f08545bac98051c999a247721c11890e79e

SHA512
d109a873a5270a968b0abb16e959b44aae1e3ecbfa21fa81807acf1d202be29ba8b6381b7818982222887b2eba04ea8de13d56db09f368caed9ebc1166d19597

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
64KB

MD5
93453dd1d68c23919d0671a632dedf71

SHA1
331892128534b9a1976b898e18090ff7627dd924

SHA256
52c178f7e6b9e6b0bdae184f31d4af83231a3b4eaf3d4703a7c4e7f1ea94619c

SHA512
1241dcd0def5008623221660829aa2949db449b15a1e2c931bef2df17d4fad7808b11720d6c98261e330e5a8890d7a03fc4bfffb0068205ed28508bed4f7477d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
64KB

MD5
60e4b855a5bd04525df5e94a8fcee5f9

SHA1
ebd3bd8674cdf5d3ef4cb54344900faf17e2d47d

SHA256
a7e2dc667bdd83edacd513421eabb3d743d5292599c4b393700d8b36d8b459dc

SHA512
ce7d6bbc46f726235891d909e7c4fc343ce972400a36f4d7fda4518d56d8b6b09e94b51702d2c5adeb54cd8abaf0346648cfa7e47afbe8627537fb367cc26e1e

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
64KB

MD5
73f456ac18b054a1c07529f48d3c6c6c

SHA1
fc9700b040094330372dd4462fb759bb453c0296

SHA256
52ed4eeb2a0470c668a6edfd3e160eb084f82f7914915844836207d6bc53528d

SHA512
75235d9da5cf57710f1e233351365fdd701970f1dfa125058198db95ba9cde4ee4c15117717240b45383e56d720bdc8c6cdd00bc8fbc814e16ba7035fc350485

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
64KB

MD5
573b0ebb1f5b4888f1abf40450f222f8

SHA1
13cb2be7c385837bf6a0356a363f9aa11e1d8a54

SHA256
086090a0a23baea714bc86f45da9da16bd3dbc5c86c5de4c0aad32aea28cb3ff

SHA512
a3d28f2fa50df4f90c40de43f9c6ff2a4aac3b090e842f8f3b56a2bc16d0b2eef8559a384d94ba15ada979857a1aa2993cd5d640b63d150f264cbfb543e7717c

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
64KB

MD5
bd93f4026cfe69770c889a0712ac89fb

SHA1
f1c9dc51443f9abbcba4bdf6f4c32351c2249c9a

SHA256
c5b75da2846633683b9355351350838c7ac394a0dd4a42ba153332100510d48b

SHA512
2991bc8ddb7f204de7a22e5f0713812ba2a9298ddb556e104ccf81ae364f9c3818b9f8003e144b348c7e8918180c00f856256c8e382cc75fa1a469ed31728a9f

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
64KB

MD5
cd2eee5dc6c5eee9049952868d9d6122

SHA1
d85cd3873ae9539890ba1e1bb21563ce387f8d1a

SHA256
f1781424873ec7e3b49a4425f9963c47ef2201014363a272036cb8f8dbe94921

SHA512
5be2b79fcb1f8f655262edf97ad3f3972bc90f50483f6e412e74a6a500f711c5a64020a64ccef07022439398311e9f6a532145c3eb1f46ff50c73623cee1bf9e

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
64KB

MD5
2d8cb99e44a5e43b620ff908ba74db7d

SHA1
20d51a34d6dc11be462feb0427e6f6628e9e2ef7

SHA256
e833c200326afe4a64e5fd6053a6edb9b17d0a9750f85fce840b1a998cc249d3

SHA512
5e2c66acfd4a2e9ce090198e07016ec728e0ab32d0a10af9295b705548255a096e665509abcb6373c78fb799283a5155e09404cefe0a13c4d81f8a5fcd5240b0

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
64KB

MD5
3c4d637a609e6836949095d3677dd167

SHA1
e0e1fa35b0b9dce8411c11741d8dcd03f4bc6608

SHA256
084fd24c113af2a8d95ff13379955f9f7f2f61043e410ede21c9b4750bc5a81f

SHA512
ae621384d11e80d8f0a4f4d7190f46c07b6f8500ca37d951ca5432fda1e3a72bdd19dcd63f1db6debb19f3c5aa44be29b890012c396ad35c9f752e738cdcd83b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
64KB

MD5
0b751d14f99c13f773bcab4662719236

SHA1
6498c0f218ecf6210c0e731b88cbf1f43af5bd91

SHA256
f15fbf5392dd8cc00f4bcf3b106fa208a36b45445a07c1c564567f7df9b77817

SHA512
be1f345e77f4037e406e7df99b0c4ef437d03093a244f6c9126b40cc68a58438ec55282b7a4f0c06460650e9c121c15cd32d78b5e5a53c2c2773ddf8ffa6fd47

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
64KB

MD5
18cefc4ad2b4ceddb521cdc9bab6ffef

SHA1
6dcb5e8fccc4bce194d1d1b40f246d7da97c8b2e

SHA256
c17e7467b8808ca74c4f4b1ec365ab8c363d000af6a398943e34eb1a867201c7

SHA512
f8794c5f8df4a842fc16972b3393ba898852caa0a20a529fb3ccc394b0543d3f7655bf930563c400b6fe91af88eb5de0e257dc4f07687a09ccda6a0093228aae

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
c42e5d39d3d75fc68c859b027132cce4

SHA1
6e9a708f81a103996857c99f2d15d18c8ac64438

SHA256
e4c4afbe4601470621acc83599736d8d82a6ab7769e0deef25cb58cb797e5c19

SHA512
8883a1b2c5ac6dd0291f8c91b5c31733cbe844ab1c5d08997ac6ddc703ce36bcf0cc2c6a5b3a3c2ef0a473c8475f84b308b4ea3295ced15eba7db0be8556544f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
b310bab8a447b9b86b2dd248555884b6

SHA1
a7aa460a9460db2735e1767f54445e0612aa5305

SHA256
ee48c5e506c2c707ac49d24256a9187e84eb95d136854f8b8b09d002619d3c19

SHA512
5ce4a0a55d8e28e6d23d1ce7778b0d1db4a34177da71c331c954c5c4597bba4efeb61c44be2aae40234b52654772626847f565bb94397672f65048aba426acd2

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
64KB

MD5
4eeae058c3ac89214f85642dcab8156a

SHA1
9fb11126e10bb004d60ab0ab89813fe869f27b27

SHA256
9654103f5da3b8fc3298f63f0aeb8208017ebee1a394f4d183e7fb9fbd6e5c93

SHA512
5685b76e5559fdd1c5e0f3b87ba9539bbf944805ce4c5fc76076c1f1bd2af95f574899793cf8d6e3f95e1725c6fe688e85f9b94698d44f0f46cd170e2b67effb

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
64KB

MD5
81eb2459d7237c9a0a6a805ff9b8ebaa

SHA1
bb8df6789e632d07a4f34975fa21ca2561f92b61

SHA256
eba2a99da218b2777a53842e4f1f43df19f2d5dcad28ec41f1caa8e1c5965a1d

SHA512
916ee992c2b483a4da11845d1796b43ea2c6edb12673f5ba56f4df78d1897a9224d9fe5682708167a62830b6c5bfb63683b15585bd34ee17dc9b6f93a9c4b7b8

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
64KB

MD5
5f7e899976bba4429bb002cd0fc713c6

SHA1
71d6958c4fc5a8a2bfd80a157807796c1f44fc0f

SHA256
4214d6395478d970326c30fe0dd0636d475846a3697f5a678a18aa7ffa7de7fb

SHA512
ab131ce1162284443dee7d66947640bff1212df93736c3b43c62bfd84b45ccda92b3c968d951534f5f44b0a699830d822c0f92dbe441ad969a09ef1592b2adf1

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
64KB

MD5
84f457ec22ee8af32e28e19f348f879a

SHA1
cbc0c119e0b7aa4ab5c9392b85974ec85ef77182

SHA256
951837cd5299603d40314966d2945e70402f119d8a9ff4955fe1fb7a98924a63

SHA512
49639bc43faeeb0b95b7a879ecf53b5e8871c430c9e850d064be761ae3b88bc32281a3d3cb712155bab1b01e2be88e213e595e0dfdcb24e4e30b8a491e0b324d

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
9f5a018e6112d75a3510b94749cb3bf8

SHA1
a0f74ba19bd204dd645cae44eb446eaa6c70c7aa

SHA256
fd7c878353702c640d994dc425363ee930935ec98464fd228990e08deaf42e22

SHA512
434f3ba429cf1d341ddb1ead3ab8e13271f18e151f18e7ce73ae6de4b62d60c1024178972755ae4e620c74a64e26792c0fc787442294e85678dd1763e06f4c3b

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
a27ef8792ef8b7cc3aab597d6150626b

SHA1
4dba6864da11e5b0014a98f9e7a34fe41360770f

SHA256
e069997cb3336fb166345f3a4d6239e9a8bd386f2194be13b1da51054b34f565

SHA512
05d614b32038d0691dd58302818e2aba5739ec237f85b8a2583d9ca858852f3e513ee612bc74d29cbe12d0d54f783312b6c24edca97c95f422c4b265377e89ed

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
64KB

MD5
aa7846ac80cabfa36c133c96e8559eb8

SHA1
a770d7df2d32dad9eef28aac4d88590cc045c4e1

SHA256
b142f0a0a17322dc2fe01f66abb619055271ab9de018852f071089dbb113e2b6

SHA512
87ba391e93cc06ec7c96a90fda27f3bf2d04e44459c5b1cd4d1aed33f8bc34d8ee54ebeeb1355f9973c1f43ec2db1b13d4a088fe0fddc6dbdc405a0f66d06712

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
64KB

MD5
946d562cb5a3d8cb6c822cfcc4757286

SHA1
4db066bd4bee3d2c9aa39627b5e6cec5cd4cce29

SHA256
c2ac552a199348d514608a69e48a47cd9838b9878974cdbb97b8185b24dd1ea0

SHA512
0de226cccb247c032590702f9e185d6f655bd2a82bd8e6bff62db1bb47a8ce1f986137a683740588ce86af909023cd174ab52735ff56276fd2f9228ec582e8fe

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
a30a99fd2d23f4fcea286ca887c338b8

SHA1
f3f32feee36509be1f57371575393a24d1559d3f

SHA256
41549f58fda6b6dfb4c41907b759c75f84e065ecbc257b77c6530e893d9c8616

SHA512
50165d53b49ddee9416effa2d39d33d430acb2780dccaad537662eeed909a66d42973d7c17d7e2f527f063a796242689be986d21805efaf0e7d03005dd2bde16

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
64KB

MD5
3deb18cec5d58fe8f907c5bca15a748b

SHA1
88af3816ec6e8598f1987852fbe7575b18fca6d4

SHA256
cda6680250bd2b14535556ff6c633cbd3e0b0e4a65e06f01bfc04ffc2eeaf7ca

SHA512
01e81683270571e7d51985e51955d93ca84f8e2e1d8cfafc60782dc2f9f2d8f3dc8e2f7fa406e334c75ff6716eea0bdc6e8e1762b0ec05cf3a5b3b1472791133

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
64KB

MD5
6914984c9cb7b9eb87fcd7cd09f17a16

SHA1
a72fa14f04fc81a56de35a035bd61751d50b0e79

SHA256
66393e2b01cee81aca38ec3c8be90fdd6fce1e1b917e3e4ec4b343443f5e24c9

SHA512
1f9eec3ea85712b517ddc4a8ad1165ac3c6a878fa9c0534c3aa58902f04d370ed20efdffd2c888b6d1c4cc8d2fe0c987464ca1fc4cbcb7fe9c0698319f1fd814

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
26c2d1a1ece67577a8741a9045255577

SHA1
2558f2238bfa77783f20ea96c58ea83c92fbb5c7

SHA256
6ee6c5f9a9cbf007fccbe51c50b96bd1539b09339e39730e10c196bdc7e8699c

SHA512
4a87edb0a62e73ee123c51cdc2e4188e40135b1601861b2e9a56fee62c94266513e66b821b5f5ea79d4f4736eee0d7ab8b42bebc97cb6dc2abb9fb20dccd173c

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
64KB

MD5
953b6cefca7727ac1326e6c27e12db94

SHA1
8089adce75056245615a6ba2479e857ccc698aef

SHA256
e15610031c34636a085d49e79168c54f903bc21b63a34c0bdb2f01ca0fa68b1b

SHA512
8221571e9d01d143ebde534073001a50f5b7b767d8f26afcd3f2ec6e3e560d4568d0062104b633361d413e31dc88e3d785525cdcec534b83b3c9b472b054bb94

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
64KB

MD5
4a6f879fa5594b7ac126b274da790b24

SHA1
1bc2380080b801acadd93850fccd65b815d387e6

SHA256
177e4e5f86e575585f6b10310d00cfaa905b7a7b3df96ceeacb22ed121c37926

SHA512
d15342897f303a6d86a8373d1c38ff4ffd5c161d9358c7fc76ffb0e3f942855118e39e56297e680da2d9ce04ac6c3abdb6797aa09c2257a93a38bfe47b3f2a83

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
64KB

MD5
8654d3e78b08ef2af1b6b8bc509caab5

SHA1
4e42c0f45a08c41808dbb7bbb62dd6924d202978

SHA256
0c6b68c151145d68826208486291ec0fbd034ae8544061657be3de32c90a9015

SHA512
ddfbace0ab5a7f69e237341d1a1d165339126f498b660b6fb2b4fe8233f9fce90b34cbbc360d9850e01a67e8d8b1a3f39a8a599ae02a9799b74d0a0de0901750

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
64KB

MD5
23ae392e3adb0a8961c867ff9fe6354b

SHA1
03eb85c09b0d9e029f8c1eb12a82975355612e1b

SHA256
f534eb23f15ab3e9585911f7709a3946bf49cc0110ad76f8caac68fcda9a4040

SHA512
cd45cd10b2059be7d92a776b508e5d3dadab9469b195a818465594414bbda104de31790687000a1ef600766ea04e22e9e223b137bd692163ad5bf415e2886550

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
64KB

MD5
75f5bd9643427af5545b10750b89876e

SHA1
3be44d086646109cdf02982748b799f4723a7454

SHA256
79169647e528cf03e53754e89b9ea9f1ab22be99c8a871c1dd390be2bea325af

SHA512
356edd779b3d8d53944f97dc621f3ba3a911b8b718cc9bd3f1bc4083d44858057442dbf85c5b7c863c3d21175a9194c2233cb26caa2c372c14c545c5f552c376

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
64KB

MD5
8ac8db3754a136ed63c73029967d4f84

SHA1
9ea1458bfe1fbf571624749a374d336bb92b37bf

SHA256
7e63dd34ac96c3f28ac0e4ce96497a119ff1e087b20987490f5c27861a2364bc

SHA512
2e4af3c8931d2750d9e3dece3f1b27a17ec964c57719a60728a874edf3959c221b1e3459e452d9865469055d28c33435cc3f22414f8257c511d2268648adbbf2

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
64KB

MD5
4affe3db6a0237fbb03f7768a2370ccb

SHA1
eb14e96dbc1e64a745a5c914c885a531f9340002

SHA256
50a91eeaff7464a727685ae890b81a0bcb69997c8b9e0b6912c5ab0fa031d911

SHA512
f25f241fa01415d94b4f25ca00fd24f2d55adb02eedb3b850610e7088e539a2a3ac8ad470a9578f49a6ccf296ec4122abe042a03ea88d80676190a63a0b65f12

Download Submit
memory/368-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads