13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
Size

481KB
MD5

c9c194fc4b0445ec8f008514746413ad
SHA1

03e2aad349010df1851aaec7b8a715644718547f
SHA256

13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e
SHA512

a7a09d28ff5bbe07c05aa2000a79b7e5395ed914ec3d91c28f427c797e2300455f9416ab77bc0abcffe5d679a1e265be29bc9733afdeeb09cf00157d4b9f88b6
SSDEEP

12288:po7Op/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFl:po7Opm0BmmvFimm0G

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe

Executes dropped EXE 55 IoCs

pid	Process
4580	Lpfijcfl.exe
1544	Lklnhlfb.exe
1560	Lnjjdgee.exe
4676	Lphfpbdi.exe
4976	Lgbnmm32.exe
1280	Mjqjih32.exe
2184	Mnlfigcc.exe
2104	Mpkbebbf.exe
752	Mciobn32.exe
4412	Mgekbljc.exe
4320	Mjcgohig.exe
4784	Mnocof32.exe
1436	Mpmokb32.exe
3684	Mdiklqhm.exe
708	Mcklgm32.exe
4736	Mkbchk32.exe
4036	Mjeddggd.exe
3144	Mnapdf32.exe
1604	Mamleegg.exe
2408	Mdkhapfj.exe
2948	Mcnhmm32.exe
3708	Mkepnjng.exe
740	Mjhqjg32.exe
3668	Mncmjfmk.exe
4692	Mpaifalo.exe
3760	Mdmegp32.exe
944	Mcpebmkb.exe
4180	Mkgmcjld.exe
3368	Mjjmog32.exe
4996	Mnfipekh.exe
3640	Maaepd32.exe
1300	Mdpalp32.exe
4152	Mcbahlip.exe
5028	Mgnnhk32.exe
2448	Njljefql.exe
4684	Nnhfee32.exe
4400	Nqfbaq32.exe
3416	Ndbnboqb.exe
4484	Nceonl32.exe
1812	Nklfoi32.exe
4520	Njogjfoj.exe
4704	Nnjbke32.exe
3728	Nqiogp32.exe
4208	Ngcgcjnc.exe
4744	Njacpf32.exe
2552	Nbhkac32.exe
3092	Nqklmpdd.exe
4768	Ncihikcg.exe
3884	Ngedij32.exe
3188	Njcpee32.exe
460	Nnolfdcn.exe
1152	Nqmhbpba.exe
3148	Ndidbn32.exe
1180	Ncldnkae.exe
4888	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe

Program crash 1 IoCs

pid	pid_target	Process
936	4888	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4580	4440	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe	84
PID 4440 wrote to memory of 4580	4440	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe	84
PID 4440 wrote to memory of 4580	4440	13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe	84
PID 4580 wrote to memory of 1544	4580	Lpfijcfl.exe	85
PID 4580 wrote to memory of 1544	4580	Lpfijcfl.exe	85
PID 4580 wrote to memory of 1544	4580	Lpfijcfl.exe	85
PID 1544 wrote to memory of 1560	1544	Lklnhlfb.exe	86
PID 1544 wrote to memory of 1560	1544	Lklnhlfb.exe	86
PID 1544 wrote to memory of 1560	1544	Lklnhlfb.exe	86
PID 1560 wrote to memory of 4676	1560	Lnjjdgee.exe	87
PID 1560 wrote to memory of 4676	1560	Lnjjdgee.exe	87
PID 1560 wrote to memory of 4676	1560	Lnjjdgee.exe	87
PID 4676 wrote to memory of 4976	4676	Lphfpbdi.exe	88
PID 4676 wrote to memory of 4976	4676	Lphfpbdi.exe	88
PID 4676 wrote to memory of 4976	4676	Lphfpbdi.exe	88
PID 4976 wrote to memory of 1280	4976	Lgbnmm32.exe	89
PID 4976 wrote to memory of 1280	4976	Lgbnmm32.exe	89
PID 4976 wrote to memory of 1280	4976	Lgbnmm32.exe	89
PID 1280 wrote to memory of 2184	1280	Mjqjih32.exe	90
PID 1280 wrote to memory of 2184	1280	Mjqjih32.exe	90
PID 1280 wrote to memory of 2184	1280	Mjqjih32.exe	90
PID 2184 wrote to memory of 2104	2184	Mnlfigcc.exe	91
PID 2184 wrote to memory of 2104	2184	Mnlfigcc.exe	91
PID 2184 wrote to memory of 2104	2184	Mnlfigcc.exe	91
PID 2104 wrote to memory of 752	2104	Mpkbebbf.exe	92
PID 2104 wrote to memory of 752	2104	Mpkbebbf.exe	92
PID 2104 wrote to memory of 752	2104	Mpkbebbf.exe	92
PID 752 wrote to memory of 4412	752	Mciobn32.exe	93
PID 752 wrote to memory of 4412	752	Mciobn32.exe	93
PID 752 wrote to memory of 4412	752	Mciobn32.exe	93
PID 4412 wrote to memory of 4320	4412	Mgekbljc.exe	94
PID 4412 wrote to memory of 4320	4412	Mgekbljc.exe	94
PID 4412 wrote to memory of 4320	4412	Mgekbljc.exe	94
PID 4320 wrote to memory of 4784	4320	Mjcgohig.exe	95
PID 4320 wrote to memory of 4784	4320	Mjcgohig.exe	95
PID 4320 wrote to memory of 4784	4320	Mjcgohig.exe	95
PID 4784 wrote to memory of 1436	4784	Mnocof32.exe	96
PID 4784 wrote to memory of 1436	4784	Mnocof32.exe	96
PID 4784 wrote to memory of 1436	4784	Mnocof32.exe	96
PID 1436 wrote to memory of 3684	1436	Mpmokb32.exe	97
PID 1436 wrote to memory of 3684	1436	Mpmokb32.exe	97
PID 1436 wrote to memory of 3684	1436	Mpmokb32.exe	97
PID 3684 wrote to memory of 708	3684	Mdiklqhm.exe	98
PID 3684 wrote to memory of 708	3684	Mdiklqhm.exe	98
PID 3684 wrote to memory of 708	3684	Mdiklqhm.exe	98
PID 708 wrote to memory of 4736	708	Mcklgm32.exe	99
PID 708 wrote to memory of 4736	708	Mcklgm32.exe	99
PID 708 wrote to memory of 4736	708	Mcklgm32.exe	99
PID 4736 wrote to memory of 4036	4736	Mkbchk32.exe	100
PID 4736 wrote to memory of 4036	4736	Mkbchk32.exe	100
PID 4736 wrote to memory of 4036	4736	Mkbchk32.exe	100
PID 4036 wrote to memory of 3144	4036	Mjeddggd.exe	101
PID 4036 wrote to memory of 3144	4036	Mjeddggd.exe	101
PID 4036 wrote to memory of 3144	4036	Mjeddggd.exe	101
PID 3144 wrote to memory of 1604	3144	Mnapdf32.exe	102
PID 3144 wrote to memory of 1604	3144	Mnapdf32.exe	102
PID 3144 wrote to memory of 1604	3144	Mnapdf32.exe	102
PID 1604 wrote to memory of 2408	1604	Mamleegg.exe	103
PID 1604 wrote to memory of 2408	1604	Mamleegg.exe	103
PID 1604 wrote to memory of 2408	1604	Mamleegg.exe	103
PID 2408 wrote to memory of 2948	2408	Mdkhapfj.exe	104
PID 2408 wrote to memory of 2948	2408	Mdkhapfj.exe	104
PID 2408 wrote to memory of 2948	2408	Mdkhapfj.exe	104
PID 2948 wrote to memory of 3708	2948	Mcnhmm32.exe	105

C:\Users\Admin\AppData\Local\Temp\13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe
"C:\Users\Admin\AppData\Local\Temp\13c972c256c78981351d55e0939f990999559b70669a8c81caecff140966574e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\Lpfijcfl.exe
  C:\Windows\system32\Lpfijcfl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\Lklnhlfb.exe
    C:\Windows\system32\Lklnhlfb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\Lnjjdgee.exe
      C:\Windows\system32\Lnjjdgee.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        45⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        56⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 412
        57⤵
        Program crash
        
        PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
481KB

MD5
79af9f18192dff70356281a2b35c6ea4

SHA1
1f0426b7faebfcddb1100069c4339ef4b6f4682c

SHA256
382222ad7c853147c9eee15a3735360122c93d29e8c81dd593f9d408b8432e07

SHA512
c87725cfe3015fee91eb47962d3e2f66ebbb8a1d0d04f1f0dc54933c2e0d4eb79b83a1e87b450baff05d09466dbb20c0045394cce1714ca17393b56b113ad8c0

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
481KB

MD5
bae7f66fd2ea95d429b4dc7cfe48755b

SHA1
42e2409dda7cc86279601308c2a79f1d2de86010

SHA256
a9b3f172f3b4d403d4d36801cdf3dec7a1d177e6d5aff456548d9f20b01fc298

SHA512
eee2f0cf37bcdf6148cbb3c81bd23dd3c5fccc77d30774bbf4c04d6d093824898ed6f66c982df083f6559db05ed8f6d19c5bf0151a9deb1288db26646eb37bfa

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
481KB

MD5
f824584faea1f3468e891a1b6be7879a

SHA1
bcf0fceb7108e10f49cf1bd3759df6ed6eaf4062

SHA256
2eb96c3fe92b9c4f2a87caa3073554144ffe30a5904b738a131387de5b99f95b

SHA512
43d6cef21f679694ef957e5e0a11b01587504cdf8bdd637160ce2511f7a9c206f73183ba5b3bc7784e5ee0fe95415dfff3267c773e7602d3a920697045eb1e04

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
481KB

MD5
81275bd962e1cbcf63a8d2cd60a490dc

SHA1
ed099f7530b94eb208ff870c4f777237c6fc6909

SHA256
cc011deea71760f010b6a9d0d6f14a5a08a7bd28e280e7c04e846c94ca6faab4

SHA512
6b9a5062f1e64994aaef56e0b5e0da68912763ed3b45f91e586d7ebbd4b06aa9ab2de11c2cf5329ccf9da2ec312cb02e7e004c967cea4baedbe81bfd75737a96

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
481KB

MD5
2253c82bced2a09c81ed3c4e3359dcd2

SHA1
f5941b5ce16c8f761564186c63f550291f682694

SHA256
9b2ac2a73b1f8c3771147c68ee66aa354e944829ab8100a4d9638a7f344b8795

SHA512
16f8c9c04c03d225157fb4eed85fc007a5e61a1481cf122b83842b37d5cf1b16c7b8f253078a28abe96fef9a71353a5574abe455521e12458346576394681340

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
481KB

MD5
74af0b7a8eb981446dc961f0d53c7de7

SHA1
92ae10d41c1913e3e050298e8cfd64f695980871

SHA256
3d6df90d40451b1e4c3cac4b530ed3e10dcd82bb74d72efe3f6523c1aaca2cdb

SHA512
7c868dcb61a7a7747dcd214eca04ddfad5fbd6fed427f9216d491a286e9ed3276facbb2ee2d92835dc29e48240d90562409834ebf01345a2cfca0533941e6b27

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
481KB

MD5
d39de966f2032f88e05f5ebdc740b0f7

SHA1
3aee72e2915ac0c4fcb210835d8ee4f53d26244d

SHA256
c95c45c8da4d7888b06d51b07580019c19331e79a94c05dc489cf8512be2bef3

SHA512
65b7e27ecd892b9f5a3fdf306a930d79eb7b43a9515a71074880f507b201e9d1a5282961d02ace2d714568b956e67180610e7b94e1f583a4f71a29700a3a59b9

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
481KB

MD5
916113b81ecaf11ade45e9c457b3f919

SHA1
95d48614714bf91c4a43b953b64514772db7e737

SHA256
d76466dcf3134bd33ebaeb3d9bea08bcabfae26ba08d711946a79da6b8000c8d

SHA512
23817a2e4ecfbcf2f5501cf8a41152364e44acb04612e86042d60833d462b02237b8dde82d4acdad37b4b81afc2efb8254fd155287845b080c1bff2c58f3714f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
481KB

MD5
aba3d151017423b32bebd1a0947cf029

SHA1
0ad78c05bdd66ca0260eebdce86c14518238cb8e

SHA256
9f2c2e949fceff709ea27a94d1943622f3d716a536597e056246248b60974c80

SHA512
21ce50dffb53d4b1ae2561e0b8d95102fa2086ca735d57fefbd7d7c128ddddf5923ff24be05a15bcf2ce8728fa7136899e6ada9a6dfb78945b03fb782991fef2

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
481KB

MD5
b1610b989c5fef1ed4e1be83dab6d278

SHA1
d4c2db75877eab5520eca5a6224da8fc814493bf

SHA256
f0e843e59d8834ab723c6be7a6d9e9a53eb07dc1f9d418b1f0270fcc0bcfa8cb

SHA512
760119a42bbefcca92052bfaf063eacc66b1d5b77d76ec48cbd8bfb0cda3cfd9e1c61e152e5a70119d4078a78a5143f7753666abbc6e9e8049d7ddb59ca42b9c

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
481KB

MD5
f830fd9ed56e432ea058730a58451eaa

SHA1
650eef1fc0005089fcf2a7ca60b5460b708bbc2a

SHA256
ecad185dd6a53be3cc491efb7ee66c8c6ef36ffe74babcc39bc07f7366e2786b

SHA512
1a5bd2886b272cf1bcb79fc131536396c1a3ecd61b98906be9777a19bbf0b8a1734cd90a0d26841a08d1b476279fa14fa0bc1b2b068e95c672ff242544251007

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
481KB

MD5
e893fefa8a23188eea29a21be93127a6

SHA1
000ad006bfaff19dfc9ddde40ac7358d443d946d

SHA256
351fdc664e4d89e10f211cb155ad8d4c4b81ad5500dfbb5537ed8461194f1b6c

SHA512
613b2869c231939bb18fb6803ac07677c3821ce89409bea2559cd34a34de79d82c140aeade29d0e587350fecba8196e407c54a04c4c72d6511e57737dbd9b796

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
481KB

MD5
354202abe01d9555b3cef2984a056ec1

SHA1
a1517d4dbf85671778194475833363068256f598

SHA256
33c07c20386cb17cc763d683894f8df6fe152f19fe53d3d000f39b6789c5fe3f

SHA512
5f357bbb4dfc47044bdb2f4391a661887c6d66df6ca7fb3db64d5c9e383c7ffe29463148864bcba90695799b83621331e4195175b52865bae418840d5906a254

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
481KB

MD5
a57df9a97d9ece2c7bd8d7dab6a5d469

SHA1
cdcd10f82ab27370e61f95691b4dab648cbbfb85

SHA256
09be0e441cff02aa3bc730e768950f1c4b9abb3b19ce79feaeef0e32c556eb36

SHA512
75a1293cbb4852d227e6a05d754144c46a994fdd5eebc936e35cbeb19250a4b2d6e2d2c584ffb5ecf58dfacfb32634ec6b9e49067d5d223012985258b79a1b19

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
481KB

MD5
fb05ce2b2151e6e2007341790c160657

SHA1
915a1d531dc9f3af1cddded4cbd4b8324a51fa54

SHA256
1724258beba9a522a02045588c082930e1c8dac2f545bf458e2bb7140ddfc0f2

SHA512
5c478cfc96766f33521bcf1d62483a7dc3f61fe752d751e6b19dd78501710ae013b3d6cd39031ef3c03c604c9a2ea5d8ce65837e62b2b584a15ba16db6c0aa8c

Download Submit
C:\Windows\SysWOW64\Mecaoggc.dll

Filesize
7KB

MD5
f146bb904dead6998f90676e09cd4792

SHA1
dcd42af7b0c4230707bfbdc0e78cf8e2ae9262fa

SHA256
450f31a595cf7068768904727672d40d935076d95b1a399f5f2b05f56bd9a9e6

SHA512
d547c056dd970ebf70999e680dcdbe8699b57bee1ce632c0a2311233d5cef0c4648675f6dca9f4d3b7d66c0d4eaa34f5da242945398dd004f060f468f81596eb

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
481KB

MD5
dd89833669f4aa42af3a8dc86330e1a8

SHA1
78fd47686f2dc2d710a36479281d0d793be88f85

SHA256
7f4d1366ee0d4822b9ad194b1668d2fa651426efffbb3aa97c2b4d6573262e83

SHA512
d561767f1a566f82ae6baf102e781478b6150d355ae5c73b46288db1fedcb432d5d84131c7c162ce6d2fb59c5cff2548a47bcd031bbda94f1077fea4d740547f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
481KB

MD5
89505476ce6bc92af5d49c53d8f17a70

SHA1
064ce4fa22d93a8a32fd00c803d0c9d7d41cadde

SHA256
2d97d0394639073fc2d1f85a807827be368e54481dffe3cc80dd92505548aa3e

SHA512
3d552bb2afcdb4862f63af3f55fa3a062e77f00182f09b1c93f3faac2b0cfb5072f746df5d29fcc18b557e581a200ed8681dcab225d980d2e3f7ab019174f0e1

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
481KB

MD5
3ade052df53c820dc558287cfb0f09e4

SHA1
32c56b1f12fd77d4af9d206009b25f4ce605dad5

SHA256
1281ac3ccd051fc417280724ff996e9e00ecf1e3f36eeedf81323861a1e5bc26

SHA512
7268b32cbe4e49cc70e75c98368d0ccb72020cd47e2217a885e7903928e1117e9d0e2e4b712ee7c829cf85b776deb087450cc3bf430d8d80a72849cdf295479c

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
481KB

MD5
956afcbd91dd92060550debba388994e

SHA1
d5c3351cd588c72515ee2dfeb1d90c1884ca862c

SHA256
f9ed3aa77069bbbef81509888a8b94916ab92ea74c507ceb240b5f76aedab9cb

SHA512
e6f6235c2329cd83030f6d331d52d7ce4c2e4710a4dc971c4baa098848fae13ab59a7e3139e78f3ef4b21b325bc1aa03db49ce65e79b4e3d7ad60fb7a705e102

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
481KB

MD5
1f191275759c64e2f44b44f184f68828

SHA1
3c89b7b32b38f2a0d9d93c2fe3549b8d23f43949

SHA256
16a3eb9fbff4a89cce228c98c5a9c979d521321d453f9bd54901e09bbf6a9d75

SHA512
3a730311be201c9dd3fd1c4d5bb83db61f6cf1938e4cfa12031ceafb31237a92859f07cefe443a84dcdcd4ea54e687d235d5868ea30771d67222512ba5abe616

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
481KB

MD5
6b1b4ff1ee0964fbe5ca01df935e6e86

SHA1
a5349600d365ce106812fd8a8d8bbd760ada3c8b

SHA256
dd8adc3ff2f24cb7f5e82312af1028545a338b7f50d2d3e12ffe87da7ca33b70

SHA512
1245e14b8c6e5dc56d2ac984899f41b480d79c7d9abcc25e6068fb64e209dd39a024aa238dabe6f2b47900644f42742da151d11ccbecbc98de3f70c6abf46bff

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
481KB

MD5
afe40c8ea955920ab2174c0612a64f7a

SHA1
48eedc6c4eac7ea11b7cb048b1955cb63c514b4d

SHA256
d756bc2a169953a5db2c5ec7fe9d721f62fe4b128af2aae1a4bbb62011a25fdb

SHA512
4a5e288ffcad22fe3075a7fa051d05be79c705dd6bea422810bd7e94aca7a51bdbfc21a3c2fb2d191ea9ec462bdd1541bb93219b14abce30dcc780d5a7d35afb

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
481KB

MD5
c003f2d2c8260bcf5722d09e20ec6447

SHA1
9c3d069e5c43d12fff5e0a6744050bff9bf767ce

SHA256
66bbb5947cd027d925b301cc978198774d281fbdee210f6d00ec16c92b163a31

SHA512
8c023df4f6e9f8f9ba305b8dbbf9315e1f5798933a9b26e3480a55eeb675ed931f379e7596f8f26fc0f5dfc98836e148e9a802dcf67f243f6c733019e745bdca

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
481KB

MD5
0085da2e9bdfdf025b676b6a4e4bbb41

SHA1
a8840dba7f03617c0b5eaa74ac5f0a33a0316b37

SHA256
4d56c022e5e86614f1d8730aa4686ec55f2fe75c9895b36e2b3bb4a0014d74f3

SHA512
1ec52aaeda0a1d224897a928c7d16263941f5fb0573752fd6ece1e3d38b1c342a4fa9aea143741aaf10fae3abf15a74c7d726936b3fedd85faab9b9cbee6c29c

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
481KB

MD5
b85195887263954efe2210c243abb91f

SHA1
05bc82784cf26409eadc2e4e4a1b6e4613348ea6

SHA256
32279b21fe92d4dbf9f0d2579fb266fdedbea41ba42adc459716271269840be4

SHA512
ada45d4a9012fd64d1b096f727c4043cc265e42ceb3d01aeb4547e51b8ad2f5c53023876a60b5cbaa82bd87f52026be005941c1d9104f5098f03d44e139a5b3a

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
481KB

MD5
b5380bf5b4f92b5e7a5811356d4f28a0

SHA1
5c3c7f4681ac5d87784a290e18bc6ae80af9e91f

SHA256
fb0dcf62b0ccf0702d453d71b30e6f98c5b9e4cf4be2c76c3d893b0d1ea717ad

SHA512
3f1af2ee874d95295fa826bebd2569cf42ac0aabe2c1acc5044c20416e392ab7fddd530b78c1ff07dd865aa5c68da81e4f54707364d1f366f09bf06dfd10b932

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
481KB

MD5
64473568eb4b81184b399722d03ff2b6

SHA1
58668fbcc021de22a0e4d09dfd827126695d810d

SHA256
a8929c43b13f91729f4258be11ca0432cfeaa3abddf0736d3861758679b479c1

SHA512
c11849afaa32797b6c32b1fef6358f021062a04f877d1c8162996b208e4d720fa9f6f2696f46bc75c35e6010c841f19c0924d3e36f8e82bb1824bcea84022843

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
481KB

MD5
5a2722726dd7c98240891eaa2acbcab2

SHA1
a8de5f9779ffc4759e75cfceabd283c083c3fd72

SHA256
1ceecf01bb39e80c389c232d68b365b515f715984e1b109a6c6c9a07060cb96a

SHA512
65ee0aeee4835cb031578e3bf8346b61957002ca7dec960efcfa1e272a7c9aba090817e4de7eefb5e626450b46851350c87a5b76b27f189a969ae7849d81401f

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
481KB

MD5
df3afda399e489a08bb3cb565fa062a1

SHA1
6b568152e22c281543e7e21eb9b447f0955181a9

SHA256
b57dc27be1bd03de850734ff2c811c922273bc1ec4878b69b88cbe3da698b593

SHA512
e0599d37776d2847319194bbbadb7f76d5a475f7458035262f5df883af357edd10f193b5079ee31a5562e45c3fff4fbc7a7976183ef3f21f651209e6bb32af39

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
481KB

MD5
b8fb41d44215669d534621480397c4ad

SHA1
444ddcc13189d062ac7440425b43f0fc0418deea

SHA256
b397ea9f003c1cd307f08a7566434b34bd82377a102d078f36335f804140ce76

SHA512
6dcbfce7ec4f4cd9b824f87163e0410e4b42e03502a7e072ff7165e97de9fb983e8979591139f934d5a1f7a9680e1243566e690463c9170b305def4aa200703a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
481KB

MD5
e2dae7fc07f6b398f6957dd389c5a883

SHA1
a8c23e52e9ae0400df13058cf19b3f9a03b74895

SHA256
822545201d3a6e860b941bbdc1e0aac2ff0f434598b901d09cfdc04967b98893

SHA512
1fb32e2dd886d1bced581214b60d7064134c28fbb1211b8ba0bd691df4f1970629240f5f810831351020d6768bb4c17be7b1d1ba45b4af1e0d018d1786dc724c

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
481KB

MD5
bf4eeb9e59cc832cb64eb978e0871835

SHA1
5f617c1534a71ed9924350d73b221fc4ec7e73eb

SHA256
75c01212cb5a8b7edd620edd86b9d6a6c67a77aca7f7770e1101741ee0c0008c

SHA512
107ba620539fd6d5271ed99e357c29eb1de6dd77fef733619915501fa50a5cdd8c5c20bad709b79764de829afffe93d23d35c43fecb94358219faff6adea9ecf

Download Submit
memory/460-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads