80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
Size

272KB
MD5

48e3abd5e6d48106277f2f0749a915ef
SHA1

5c38c7ff9edb1590f0d5578171513c6137a1c0f4
SHA256

80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7
SHA512

f4623f7c5dd1f8365dcecfa253a982140f5144298b619eed39a73eb39f21b18274f5f65fcdc3d2b488f4c01c0a2859beb0a568403a60071ce3cda8d6aeb6dc9f
SSDEEP

6144:nMhkDFZukD6xjC6ZgsOK4AHXwpnxGvN98gZ+/+:nMhk9ex+6ZxyhY97n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe

Executes dropped EXE 56 IoCs

pid	Process
4072	Lknjmkdo.exe
4932	Mnlfigcc.exe
1604	Mkpgck32.exe
4596	Majopeii.exe
2804	Mpmokb32.exe
1216	Mdiklqhm.exe
4992	Mgghhlhq.exe
3572	Mjeddggd.exe
744	Mnapdf32.exe
3332	Mamleegg.exe
4612	Mpolqa32.exe
3020	Mdkhapfj.exe
2176	Mcnhmm32.exe
664	Mgidml32.exe
2380	Mkepnjng.exe
2084	Mjhqjg32.exe
1512	Mncmjfmk.exe
3104	Mpaifalo.exe
4044	Mdmegp32.exe
4120	Mcpebmkb.exe
5100	Mglack32.exe
1804	Mkgmcjld.exe
4036	Mjjmog32.exe
1608	Mnfipekh.exe
3632	Maaepd32.exe
812	Mpdelajl.exe
3796	Mcbahlip.exe
2736	Mgnnhk32.exe
2344	Nkjjij32.exe
1388	Njljefql.exe
4740	Nnhfee32.exe
2536	Nacbfdao.exe
2520	Nqfbaq32.exe
220	Ndbnboqb.exe
1872	Nceonl32.exe
3024	Ngpjnkpf.exe
3188	Nklfoi32.exe
968	Nnjbke32.exe
776	Nafokcol.exe
2800	Nqiogp32.exe
4244	Nddkgonp.exe
4652	Ncgkcl32.exe
1592	Nkncdifl.exe
1480	Njacpf32.exe
3984	Nnmopdep.exe
3476	Nbhkac32.exe
2132	Nqklmpdd.exe
4688	Ncihikcg.exe
3208	Ngedij32.exe
2744	Nkqpjidj.exe
1112	Njcpee32.exe
4100	Nnolfdcn.exe
2640	Nbkhfc32.exe
3592	Ndidbn32.exe
1320	Ncldnkae.exe
232	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe

Program crash 1 IoCs

pid	pid_target	Process
1544	232	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4072	4592	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe	79
PID 4592 wrote to memory of 4072	4592	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe	79
PID 4592 wrote to memory of 4072	4592	80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe	79
PID 4072 wrote to memory of 4932	4072	Lknjmkdo.exe	80
PID 4072 wrote to memory of 4932	4072	Lknjmkdo.exe	80
PID 4072 wrote to memory of 4932	4072	Lknjmkdo.exe	80
PID 4932 wrote to memory of 1604	4932	Mnlfigcc.exe	81
PID 4932 wrote to memory of 1604	4932	Mnlfigcc.exe	81
PID 4932 wrote to memory of 1604	4932	Mnlfigcc.exe	81
PID 1604 wrote to memory of 4596	1604	Mkpgck32.exe	82
PID 1604 wrote to memory of 4596	1604	Mkpgck32.exe	82
PID 1604 wrote to memory of 4596	1604	Mkpgck32.exe	82
PID 4596 wrote to memory of 2804	4596	Majopeii.exe	83
PID 4596 wrote to memory of 2804	4596	Majopeii.exe	83
PID 4596 wrote to memory of 2804	4596	Majopeii.exe	83
PID 2804 wrote to memory of 1216	2804	Mpmokb32.exe	84
PID 2804 wrote to memory of 1216	2804	Mpmokb32.exe	84
PID 2804 wrote to memory of 1216	2804	Mpmokb32.exe	84
PID 1216 wrote to memory of 4992	1216	Mdiklqhm.exe	85
PID 1216 wrote to memory of 4992	1216	Mdiklqhm.exe	85
PID 1216 wrote to memory of 4992	1216	Mdiklqhm.exe	85
PID 4992 wrote to memory of 3572	4992	Mgghhlhq.exe	86
PID 4992 wrote to memory of 3572	4992	Mgghhlhq.exe	86
PID 4992 wrote to memory of 3572	4992	Mgghhlhq.exe	86
PID 3572 wrote to memory of 744	3572	Mjeddggd.exe	87
PID 3572 wrote to memory of 744	3572	Mjeddggd.exe	87
PID 3572 wrote to memory of 744	3572	Mjeddggd.exe	87
PID 744 wrote to memory of 3332	744	Mnapdf32.exe	88
PID 744 wrote to memory of 3332	744	Mnapdf32.exe	88
PID 744 wrote to memory of 3332	744	Mnapdf32.exe	88
PID 3332 wrote to memory of 4612	3332	Mamleegg.exe	89
PID 3332 wrote to memory of 4612	3332	Mamleegg.exe	89
PID 3332 wrote to memory of 4612	3332	Mamleegg.exe	89
PID 4612 wrote to memory of 3020	4612	Mpolqa32.exe	90
PID 4612 wrote to memory of 3020	4612	Mpolqa32.exe	90
PID 4612 wrote to memory of 3020	4612	Mpolqa32.exe	90
PID 3020 wrote to memory of 2176	3020	Mdkhapfj.exe	91
PID 3020 wrote to memory of 2176	3020	Mdkhapfj.exe	91
PID 3020 wrote to memory of 2176	3020	Mdkhapfj.exe	91
PID 2176 wrote to memory of 664	2176	Mcnhmm32.exe	92
PID 2176 wrote to memory of 664	2176	Mcnhmm32.exe	92
PID 2176 wrote to memory of 664	2176	Mcnhmm32.exe	92
PID 664 wrote to memory of 2380	664	Mgidml32.exe	93
PID 664 wrote to memory of 2380	664	Mgidml32.exe	93
PID 664 wrote to memory of 2380	664	Mgidml32.exe	93
PID 2380 wrote to memory of 2084	2380	Mkepnjng.exe	94
PID 2380 wrote to memory of 2084	2380	Mkepnjng.exe	94
PID 2380 wrote to memory of 2084	2380	Mkepnjng.exe	94
PID 2084 wrote to memory of 1512	2084	Mjhqjg32.exe	95
PID 2084 wrote to memory of 1512	2084	Mjhqjg32.exe	95
PID 2084 wrote to memory of 1512	2084	Mjhqjg32.exe	95
PID 1512 wrote to memory of 3104	1512	Mncmjfmk.exe	96
PID 1512 wrote to memory of 3104	1512	Mncmjfmk.exe	96
PID 1512 wrote to memory of 3104	1512	Mncmjfmk.exe	96
PID 3104 wrote to memory of 4044	3104	Mpaifalo.exe	97
PID 3104 wrote to memory of 4044	3104	Mpaifalo.exe	97
PID 3104 wrote to memory of 4044	3104	Mpaifalo.exe	97
PID 4044 wrote to memory of 4120	4044	Mdmegp32.exe	98
PID 4044 wrote to memory of 4120	4044	Mdmegp32.exe	98
PID 4044 wrote to memory of 4120	4044	Mdmegp32.exe	98
PID 4120 wrote to memory of 5100	4120	Mcpebmkb.exe	99
PID 4120 wrote to memory of 5100	4120	Mcpebmkb.exe	99
PID 4120 wrote to memory of 5100	4120	Mcpebmkb.exe	99
PID 5100 wrote to memory of 1804	5100	Mglack32.exe	100

C:\Users\Admin\AppData\Local\Temp\80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe
"C:\Users\Admin\AppData\Local\Temp\80d6ce40c4fc9a49042ede3477e133cb7a14903efdfa445a6313933e4c62b1d7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\Lknjmkdo.exe
  C:\Windows\system32\Lknjmkdo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\Mnlfigcc.exe
    C:\Windows\system32\Mnlfigcc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\Mkpgck32.exe
      C:\Windows\system32\Mkpgck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 400
        58⤵
        Program crash
        
        PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
272KB

MD5
288e73c2813f09bbbfa31936423e61fd

SHA1
9422db2c2f7bc2ecc12e66c501035e6398cb826c

SHA256
2a8316f2b27b2e7ac9234bb1cc18ea985429df2b6247feaaa31f8f6263579c16

SHA512
ad4f369dee5bb5adc5b9ad21d7ec462a6c7906032a466a445c4adee2692f1d78fe6d80f7ae78bb70d7640e29e8e775bc6fa408556d3b3dd543a13038107097bf

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
272KB

MD5
1869e83d0cda013d7ce30dc73c00b072

SHA1
8d5ff706f1785dea96ad0273f949da8bf13612e6

SHA256
3f0171aa02ccc75c9e2b45113a55681f220471b904937dde141c478333ee6ade

SHA512
f3e6afb8cec704986fca1c9013be4fbd82971259b8a98d31993f81b6e2b6f61164ac1364952d365b532832026f6e51f663b1bf9278a239cdef3784bb2934257f

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
272KB

MD5
e1c9bc979671f6896b0d8c073cc3d342

SHA1
024db8c7623b280d168a6ba696da054de5b76293

SHA256
a40b117fa9d3d6aeca9b077a4768c846649251641374f750f736a0e0d3efa228

SHA512
5cd6ebbd28151daabed99dbad0dc979e74c8087b4968886e7fd61dc696b1ace6576495153c9f04183a31a508001798036e4df0dea4cf4728778500461a6c24ff

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
272KB

MD5
c4c56d4472d1ec5d2aa03412f01806f1

SHA1
0eaa3734ecd1f2982805dd2c53d7d5a596512450

SHA256
c6eb1637486449f05ed22558dd21b55ea040785d23733f3d97058847bd01940f

SHA512
97616e830035e73d7827a806dc7bf8ab9ea4079fc76bb83ef1366dd79eff30ffbee81e8569fc826548ba77d6e7af0d0fba58d564065bb1962a0713f253e8dcae

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
272KB

MD5
0b499bcdefc17d3779201287e33f7d09

SHA1
d8c4739907c78356b778386c791aafd206a11efa

SHA256
4e3e1ec963e3a51d0644038fd0a62c109d3abc004391fa06e6d53960e6efad6f

SHA512
fff8b3fc875fcc68c9591d2643c69447706296bf92bd25529a7789436abfd498f298a9911c88b3ece8cdb26941989c6825b250c0ef70a1119f160f50a3c1c52b

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
272KB

MD5
036279d5f80276a92a2968e5dd0e311d

SHA1
c49a5b1deec7853d60be3b4e4e169aa016bb06eb

SHA256
4c455c126cbaa2221e78014dfd02c052c9438653348275f360031705f7bcd433

SHA512
996ff3c7eff57ff2d62012e4a7f70891585ca61523b571c81959708776f62a086417c786228e97b2e9e3e3aca71cecd67c81b154dd88022d197815a1fdf5d206

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
272KB

MD5
3a18c651879216995735d11670f805b0

SHA1
74e8b382bee2e2f3674f38a4176d1f75f3e17a5b

SHA256
ae16c2f4a33ff96917bb7d2dcb10fa932abfc9ee08ef5f4140f118cff639209a

SHA512
9ee6f7ed88313e4b24fd1fe523d8aba831d63b8f1499bef1bcb418d9f140862354298bf2f0652d9d239c9f46a38d2acc148b79fb8cd1e6b6628845e7f111e74a

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
272KB

MD5
4d0e5298f769b7ec67de189c85ab77e5

SHA1
3bc5622c8697e5bd5844eb3c5f1d6dc11843e17f

SHA256
2326754964a0aacd1f18943a9eb55bd84dff2f8f067d490b536beb579a9bc34b

SHA512
eeed59e0f98888cab56bfd93311eaf621c81497d8c1e5580bfeb2e41333729d851d80d8d432dc40bc9b282a3e41e8ee82008db6e707e8262b840b9d56305d960

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
272KB

MD5
f5ee8ecd709af5d6c23f95183930b471

SHA1
272ac435dd7cbc99bff056d3467c8b4e8f21609e

SHA256
4d4d90866650aeffcd63ea57f2f6df10fe5554b81f9bd6fd38154359ad5445fc

SHA512
a5acfe1de466052b4df852c54d7d7b80df948ac8c2694a3b06dd2ebfc59972f40ea6c9ae969d42a2b65531ec0b2d74cfea5afa6a35b7710120c0c271dc4bd6b2

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
272KB

MD5
73ed35699504191e2f7df757e62a39e2

SHA1
94121e932d3cedeb728ae6a6da389c439fd349ad

SHA256
64e5e86226c9ff1a7264a6d2db7c658778bd3a30d240436aed5a70137f1b343d

SHA512
67c850458275006fc6ac27509ea62d5a2c0f273b69820f150cf6c0e4e26a03228d7d29a246aaca87bfca770f4945af28b6ee0f11281293f976e4d210494980da

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
272KB

MD5
07e82e3cdfdbf6bc9aa3075aa14f33d9

SHA1
944cd85a1fdd902a0ae4101921d700d7d1a2ac4b

SHA256
999ec23ffcd2581c4777207e3742d364def988c75ea6609184e77821ae42f801

SHA512
f25163c88a02feb411451e8107a9551eb30d5acd5c7130f5015627ca414012ef3ad3b54f090472f55b9f84ccf770a4086b553970fab290d7f0dc8e1930e04d0a

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
272KB

MD5
1fb8f0f4597ad3c40b443f357ea32b0d

SHA1
7240217fd0f7f5d5db34d7d581af3030fcb82a09

SHA256
06a918ed6f84eb2cc743381a1bbb87cd3d9bdf945508daa29164df0fedc39e1f

SHA512
d3bd976d39b2cad8ecef17eaa530a06c1d49ac475b590edf2dc092f246d6247c01f435514064c8198dc55a3f613373630379aabcd141f8e194e7ca6c39f2c70c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
272KB

MD5
cd62fe97cc1790675bb225ce307766a5

SHA1
5533255b84feb01d4300c7e5f432987a8ec3afa4

SHA256
e367d47bb51bb6dce11db178387a93ac9f453aed65b7a381408e2a0a8c188aa2

SHA512
9c2ba170888a8b2753593f63bf6f486d41fa0bbd80931ade5e6414ffd89fb735a24db48e1a5ea73e0971a8af442995715530a6b9bc90f295047ec373e3fd52d2

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
272KB

MD5
d312a82a53bfcb98da3aa88a837b0ddd

SHA1
e3324cd09e4e98c780b9fdaef4c8cf62fe91e3cf

SHA256
cf6fc9a3c5af8bd4beaaff0cb25298036849725ec12966e7bbc9fe870f463791

SHA512
5c82b7ec165e9872633f222d0280d8276058586b3f40c834a1cf9ff99ac72086f110399b4acd8d2e8c31f9f6d4dc2b805fed7e1140003fc46871394f48caffb5

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
272KB

MD5
6fa11e3349f16c17873c9ab3cb61cb7e

SHA1
ce78aa5df44c26fef49631b75fe01bc235790524

SHA256
9849e036fbbdd5af3cec3fdaaae1f3e65c8e8388c58f72cbfe47e2ed9bf0a089

SHA512
5ae089e4c3279ab2263c7066aadf72766e7dd0ff6395bfa748400eb57b615a5a1da7b15f1706ee99917b65932b9f3a3a179046a965d672455023357ff35433dd

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
272KB

MD5
ad5845430c5d0e14849bc687e11feabb

SHA1
cba0dff74002e73846b8950fbe70097059af62d6

SHA256
18e7abf3e908413cba0281b1098c4848e8261cb93a8438848aab61d4adb54af7

SHA512
48492bf978412bb2fcc56419a30223d0d1a620e97c0718a16fd4d29282d099266e9d84ff26e7313ed9bfef2b0d981658d62c5e84c1a79f9cab48849c95c3e956

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
272KB

MD5
7149cfad1104705da13d5dfd2a94c550

SHA1
0f572976e70b80d32a2d7a772941e393e92e187b

SHA256
a8b527999ef387c8764df455d8597593483d24befe45ab2c89ca3e6b18640697

SHA512
f703d3b9d0d3b08d967ede8da80b31e1cc8059c898537352c5d7e6ba01bf343c2d5de763352008ca1dccc32d6f4cd5f3498b17b5ff7ca32593afcc2f1a82a178

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
272KB

MD5
0eaad1855e0ba656b9757338fe878a89

SHA1
11b4c79a02db2e75011d428815728803929c5822

SHA256
b1ec8d7443cfe45bfa72c8e244b42c2f297fa8231379e3f44f1bb7fdb98907da

SHA512
f48266d47646863c497b386339163c6920e253b57e15d9258cde935259100fe9df850531b2dabb6a47f183502eb71f0ab71e9d00d83ef76485a81f9dbf58ea87

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
272KB

MD5
bc2fe311d1ebc46a1b40a748a09e0a80

SHA1
3e0207eed63c26cbc880c20856db3111b622ad1b

SHA256
1bea542b7e1cd7f76460ff93f4fdaf62cfe3bccbfba974d75fc11be51c581e4a

SHA512
33ca3cfaf06f1124d9540c7d69a51a70a17fc413f70eb5f44e78885f406cf8a3717c432f417150f968aedbee46b7926ef33cc45911c70856ea929959384d8a11

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
272KB

MD5
a96a87c500a763803754a4f3bd5c4750

SHA1
1e4eb49d8fe1ce6a271c92975dab2f5a794ef561

SHA256
933e94684903732036ea9f867596562958bb01229f7fe2cadaafaa7c0a2485f8

SHA512
1b22294a68da3b5ac496feb1fee9017a6335368fd65366e82b5f963e57092e47c431d4495f91dc20ba6f1062e3ed41d4592ab8ac5394383fe69d6275f9fe23b0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
272KB

MD5
a89014b425775b20e665ebefbd4110cd

SHA1
40253feb283931e4be77fea23d82af4bc0ecd532

SHA256
8a9a722f80e33dd61522ea63bba0e8c74cb146af1199f39fd8c8cd2b752a51d3

SHA512
9ffc64d629fdc874930c9d95a834a5c77606a8dcf2f9faf94a9e2aaa6ddfe01cc637a4a524d3a137245bec14c6f8527f8113598654f390964bcbf09a3fee359e

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
272KB

MD5
477663ea99cec72d6dc7e86951144d17

SHA1
7b8aafafe2c6bc9d2c5cb0c18c11b248e8565933

SHA256
6adfb47318cca08721e71a00b9e9b803b27c355a1e6d622274566a70ff43992b

SHA512
ba6aa40bff8f61a7bb0150f3f7a895849b5aaf26f8e0eabc9ffcfda72a325524c00637c0994356f1339635eb57e0aeba0630a4111090b8c80ff68a16f988f22d

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
272KB

MD5
7630cab1cefa2c14a6a670cfa01c8687

SHA1
9ca7fc0d859640acba656cd745ce6de1e0f9cad5

SHA256
33c2f5d5cc5c6f73dd9189e9945ba4b4d2dd05b6890cd5e359e26bedca41cf28

SHA512
0abce8f5d96f0fed79d0d81c96e9d072f5ae0daf5bf25855420a9e94b476d4399dbdac5f54a1cd55b2d64e4e9dfb89881ab8cb56f8ba23fcb0c431b5c368d2a0

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
272KB

MD5
4bfa75f055ca4986f491b39149379edd

SHA1
e038c5a6d7889cd9c32342c08ee60b77a8418970

SHA256
723fb36e69d17d0a60adc05ae07f4f381ef439b443e9c1245299d4cd96a18d32

SHA512
06629d03056b2a8e72d3b332dab2ef232df63a871e37699fea07dca12d76be2745408e1ec09930d96bebed9c51f6c9888aef5f01d9de5dd5343766fc77108b14

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
272KB

MD5
6741793786ce3e61840c9585cef68cc6

SHA1
609dfd402c6804942c55b3eed1949b7fad51d8f5

SHA256
73bfc56fd851e55053d4e8540b29696ff0b77c7a89fb77f03c7f9278fa82b08e

SHA512
7eccd31540b5a5d2422380dd7277bcc5eb362ae1e2e3039d4feb3f4f30e9eb54b7ed685f811a90e09fb4c68c56685bee798e70e1a36729221fa671bfb4ecd177

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
272KB

MD5
8f95e6fab09e8e5a3c9bb188dfce8701

SHA1
8e5275282ae85948c50c69fda4dfe38b956f26cc

SHA256
da1ddc5e28a418c3ea744674049f493f15361bec41d077cf42ffb8067c9d2cc8

SHA512
bb81d32bba09a7be9ecdf6a186d99d5077ec7254c3209e54034c983dc9980dc9bc6236a2a7deadf5a32fe6db86f23c628f048b197f870d06bac62de139ca53f6

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
272KB

MD5
7b54ae16262af51f609b7738175f9eee

SHA1
5a3ac887bacf5439aad4d21c964af4d9a76c8ecb

SHA256
56d0a5c4c2c8e38594fda6d2997971608794810f943f1fe134d3d3a5fca4be96

SHA512
257cb6d089bf5dd54762108a0f9468e4da7fa808a0ca38320b639c26a90fd8b4a3e64cadd828ded097406904058dee979d25b3a73a3a35153c41e21fad730632

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
272KB

MD5
61d0f0f5214750f8fd559170f0504418

SHA1
6c2a3026d2503ac772c2623efcdd158a51c72e58

SHA256
f45bab7bcd871b738705c9e3d1ff709887ced1c3c838384340677e65c3388f14

SHA512
98a3625e6666588c45a95c6bb3a7019d0fa7f6faaea94ee8268b8c9e15d323d97de4b4cc957a5de7304380689b088994e1e124559932765db30c8e30adb33ce3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
272KB

MD5
98dd984000481bdda5791c97ccef2e9f

SHA1
0c6f0ed22c7ddada51b09ffcab0be6f47fb75f9a

SHA256
9a1321724069818d816891fe91c8f211ceea07a7e4c1207502f42d042819f106

SHA512
0d9aca0c1f8841824ae09db214d6fcd90ac42b83f2952526c14c0234a4768926de0cd1fe8efb76f9c324a928a77157a436c99956be831e05a26df0ee8e4ce1a6

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
272KB

MD5
9196b0247b811870206b87ae67b5b7ba

SHA1
20fd49267dd3a064a3ed373dc1d1451cbbc370ac

SHA256
254500f5022a357f3e364547b94be9b7d23de22bf1632c02d2f6b1bafbd841e9

SHA512
fba0fa9e9b504cfb7211b7bda13f2102c6f9786eb786062fcd9e4454138ac8ea5eb9e5ebdd8fe5de13f0b25b7b79951ed4437075f3378e74e1598919aada466c

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
272KB

MD5
825d925f35e36bacf913cb18e9451da4

SHA1
9a75045ab5f4aca10ed19f0b1f9f5b296ee57d1c

SHA256
321ad81546c8500ab7d202110107d2a5caa1c0265375a690042d3b8f166a8958

SHA512
60e80fa79959c4b43073fa302e5775fbba7f1aea21d5b36715fcf2a0939db7f3066a248460ffd6e765512b3a2d7c4e8fc1644e7befabbdae9b18287daa98c2fa

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
272KB

MD5
a96f9099b876b640d15b50778bb85dce

SHA1
b20bc4095f436240778efaa620f0f94b36138c21

SHA256
fbce321c166d8b15b39b3ac77896e3042aa31dd68e32201d5332c43391b166aa

SHA512
2540a351fd3e5fdcbd647c2bc0c27a829fe7c0e803f0423a4878eca2fb7d5eaed6914754a142f51a8fe11897d1420ef06b1a3216ace75332f278cb62ee76c8ac

Download Submit
memory/220-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4592-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads