5bcb6aa79b4161d0fc70577567f8526f842f33edd7abf9da9556098ec1862293

Analysis

max time kernel
130s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Size

55KB
MD5

75bf7c78c82eddafb988ca5af78a3120
SHA1

46e0de32cfe9992a11568f2f0af4b043ef3a8a76
SHA256

5bcb6aa79b4161d0fc70577567f8526f842f33edd7abf9da9556098ec1862293
SHA512

e0f3f1a511e8fc67a18a95291bff2b0b5383b8ee70dbd24bf956c536b9f6989c8dfc5e3c6c6f05bea9e7545c40b84a2a69e82f18f54609edcd2edbf5c19fde5c
SSDEEP

1536:0ELI3SyjcIMqu1gWn6M2mGw5R7zsYQ0lg76ReUlMpQwnfpHg7PuMzU3EgkTyov2:0Cy4IML/sY0ULAg74EgkTR0U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe

Executes dropped EXE 39 IoCs

pid	Process
3688	Lalcng32.exe
3584	Lcmofolg.exe
428	Liggbi32.exe
4492	Laopdgcg.exe
5008	Ldmlpbbj.exe
1936	Lgkhlnbn.exe
1884	Lkgdml32.exe
4928	Lijdhiaa.exe
3704	Lcbiao32.exe
2756	Lnhmng32.exe
4300	Ldaeka32.exe
4856	Lklnhlfb.exe
3720	Lphfpbdi.exe
2052	Lcgblncm.exe
3104	Mjqjih32.exe
4180	Mahbje32.exe
2036	Mdfofakp.exe
1944	Mkpgck32.exe
3272	Mnocof32.exe
4836	Mdiklqhm.exe
3288	Mkbchk32.exe
3644	Mpolqa32.exe
4316	Mdkhapfj.exe
1984	Mjhqjg32.exe
3004	Mpaifalo.exe
2452	Mcpebmkb.exe
2128	Mpdelajl.exe
4556	Njljefql.exe
4840	Ndbnboqb.exe
2916	Nklfoi32.exe
3100	Nnjbke32.exe
2308	Nddkgonp.exe
5056	Njacpf32.exe
2832	Nbhkac32.exe
2332	Ncihikcg.exe
2732	Njcpee32.exe
2764	Nbkhfc32.exe
1744	Ndidbn32.exe
676	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2272	676	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3688	4368	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe	83
PID 4368 wrote to memory of 3688	4368	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe	83
PID 4368 wrote to memory of 3688	4368	virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe	83
PID 3688 wrote to memory of 3584	3688	Lalcng32.exe	84
PID 3688 wrote to memory of 3584	3688	Lalcng32.exe	84
PID 3688 wrote to memory of 3584	3688	Lalcng32.exe	84
PID 3584 wrote to memory of 428	3584	Lcmofolg.exe	85
PID 3584 wrote to memory of 428	3584	Lcmofolg.exe	85
PID 3584 wrote to memory of 428	3584	Lcmofolg.exe	85
PID 428 wrote to memory of 4492	428	Liggbi32.exe	86
PID 428 wrote to memory of 4492	428	Liggbi32.exe	86
PID 428 wrote to memory of 4492	428	Liggbi32.exe	86
PID 4492 wrote to memory of 5008	4492	Laopdgcg.exe	87
PID 4492 wrote to memory of 5008	4492	Laopdgcg.exe	87
PID 4492 wrote to memory of 5008	4492	Laopdgcg.exe	87
PID 5008 wrote to memory of 1936	5008	Ldmlpbbj.exe	88
PID 5008 wrote to memory of 1936	5008	Ldmlpbbj.exe	88
PID 5008 wrote to memory of 1936	5008	Ldmlpbbj.exe	88
PID 1936 wrote to memory of 1884	1936	Lgkhlnbn.exe	89
PID 1936 wrote to memory of 1884	1936	Lgkhlnbn.exe	89
PID 1936 wrote to memory of 1884	1936	Lgkhlnbn.exe	89
PID 1884 wrote to memory of 4928	1884	Lkgdml32.exe	90
PID 1884 wrote to memory of 4928	1884	Lkgdml32.exe	90
PID 1884 wrote to memory of 4928	1884	Lkgdml32.exe	90
PID 4928 wrote to memory of 3704	4928	Lijdhiaa.exe	91
PID 4928 wrote to memory of 3704	4928	Lijdhiaa.exe	91
PID 4928 wrote to memory of 3704	4928	Lijdhiaa.exe	91
PID 3704 wrote to memory of 2756	3704	Lcbiao32.exe	92
PID 3704 wrote to memory of 2756	3704	Lcbiao32.exe	92
PID 3704 wrote to memory of 2756	3704	Lcbiao32.exe	92
PID 2756 wrote to memory of 4300	2756	Lnhmng32.exe	93
PID 2756 wrote to memory of 4300	2756	Lnhmng32.exe	93
PID 2756 wrote to memory of 4300	2756	Lnhmng32.exe	93
PID 4300 wrote to memory of 4856	4300	Ldaeka32.exe	94
PID 4300 wrote to memory of 4856	4300	Ldaeka32.exe	94
PID 4300 wrote to memory of 4856	4300	Ldaeka32.exe	94
PID 4856 wrote to memory of 3720	4856	Lklnhlfb.exe	95
PID 4856 wrote to memory of 3720	4856	Lklnhlfb.exe	95
PID 4856 wrote to memory of 3720	4856	Lklnhlfb.exe	95
PID 3720 wrote to memory of 2052	3720	Lphfpbdi.exe	96
PID 3720 wrote to memory of 2052	3720	Lphfpbdi.exe	96
PID 3720 wrote to memory of 2052	3720	Lphfpbdi.exe	96
PID 2052 wrote to memory of 3104	2052	Lcgblncm.exe	97
PID 2052 wrote to memory of 3104	2052	Lcgblncm.exe	97
PID 2052 wrote to memory of 3104	2052	Lcgblncm.exe	97
PID 3104 wrote to memory of 4180	3104	Mjqjih32.exe	98
PID 3104 wrote to memory of 4180	3104	Mjqjih32.exe	98
PID 3104 wrote to memory of 4180	3104	Mjqjih32.exe	98
PID 4180 wrote to memory of 2036	4180	Mahbje32.exe	99
PID 4180 wrote to memory of 2036	4180	Mahbje32.exe	99
PID 4180 wrote to memory of 2036	4180	Mahbje32.exe	99
PID 2036 wrote to memory of 1944	2036	Mdfofakp.exe	101
PID 2036 wrote to memory of 1944	2036	Mdfofakp.exe	101
PID 2036 wrote to memory of 1944	2036	Mdfofakp.exe	101
PID 1944 wrote to memory of 3272	1944	Mkpgck32.exe	102
PID 1944 wrote to memory of 3272	1944	Mkpgck32.exe	102
PID 1944 wrote to memory of 3272	1944	Mkpgck32.exe	102
PID 3272 wrote to memory of 4836	3272	Mnocof32.exe	103
PID 3272 wrote to memory of 4836	3272	Mnocof32.exe	103
PID 3272 wrote to memory of 4836	3272	Mnocof32.exe	103
PID 4836 wrote to memory of 3288	4836	Mdiklqhm.exe	104
PID 4836 wrote to memory of 3288	4836	Mdiklqhm.exe	104
PID 4836 wrote to memory of 3288	4836	Mdiklqhm.exe	104
PID 3288 wrote to memory of 3644	3288	Mkbchk32.exe	105

C:\Users\Admin\AppData\Local\Temp\virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_75bf7c78c82eddafb988ca5af78a3120.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\Lcmofolg.exe
    C:\Windows\system32\Lcmofolg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\Liggbi32.exe
      C:\Windows\system32\Liggbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 408
        41⤵
        Program crash
        
        PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 676 -ip 676
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lalcng32.exe

Filesize
55KB

MD5
129357e30edfce93863f730298aa40d3

SHA1
105bd3f318e1d41c66d8ec94375e32fdc6617870

SHA256
0cd01dea4d9dcd30d8f1c745d723d565cdf0bdebe8ff6ab9ace0be5bf8983b35

SHA512
9d9cca1fe09644bf9596c70e574bab8b4b8fedf572f38809efebd2032e22fb1236f540363f005adf4dcbd04cf6838d7df0aee03a9fe04f8fd4bd6c1dc9b365ab

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
55KB

MD5
ba89531a2189fd87d1137eb2e0f22ef5

SHA1
92bd52579ef320a17bd7139ff401efc9386e9c69

SHA256
d9aa9a35c0f9f7671b7429fc2c34ab9358bf2a9bfb1da7989c056ffb0a3614c4

SHA512
ea77397ee2ceb7fcd6466fe92d799cf484dd88a62625276d511bdae2d158f7166ef7da4c60ef60beb758a67527bd007575c8cc03bbc216d882dfc13f8991dd26

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
55KB

MD5
9b1d66acc8a6ae9e5a6f6328e465bdbf

SHA1
a6b73f97f86dd9fa9a77d411669811dc0db2a0cf

SHA256
3bf36601aec79b8af5f309ee2033d872730eb13c2144bc89dfe6b778870faa6c

SHA512
af97c52a89db2013a4b0b12a8592ade9d42265364e8646bb7ad15fc686822e87d4fe6cec56b17339190c954b278492801572a0b24ec3180bba326c137bb93195

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
55KB

MD5
9d2da0aef9a39b2981c240639c2be02b

SHA1
3e880285a90a8d724b01ccc8628e5a95b44eaf7b

SHA256
b8c71d1b79e74a901914c258e20a80aeb168a88b61070e6334cd68988bb1722e

SHA512
e1628bbf69a2a75c4ffb8097e236d427dd35db750039588d8db24f91d244055a3f462b57541d26100db108230d4b8dffa81bdf39f72357b9d3c18586a0cc5cf9

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
55KB

MD5
efeae3d9ce0ccf5e15ff673d17525ed0

SHA1
1849c9b7917893d0513560d03d38c165724bff59

SHA256
57d1ad4f45b8081541d435e682ed149a1255af69db223af44c37c906be9ed5e8

SHA512
51b5d9faf72ad685564e2b343e7c144d11945af2047bbef94614e89cee5c05b517c423f86ba4a19af7e39acbe341b81cff0476cff09c78416c85370a6e146f2a

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
55KB

MD5
cf671ff1f561ff19201f81eb998b49d4

SHA1
2dabd106dbb8abddb10f05e41ac66c5a0951b663

SHA256
35ebd5fbb26bb8a6f6f2c434e2f87875ed04f4b6b12f5d218beed0c71ac8f228

SHA512
7f75309118df7852d4c14f5b89dcc8dbab2435c2fc078799934a5a7d9d3fbce24b93bbe2a8076b923bcb993e65c203dedf79f8d51ff80fc5670227dc592f6c63

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
55KB

MD5
4ca3e041718f50534291f29d69b9eb22

SHA1
68aaa5715fd9f279d9d7a5d00313adb8fa7c97e2

SHA256
3c1838a56f9817d1290506a9a0c1791aa749fe093507001003afe68929c78c5f

SHA512
8f5dac737a8ce713552772893cb4bd40bf66526cf4e1834cad82892e7e59a36531b55d48d195bf38cec3ac4f6b4e0de823f4b6d9092002be301900f462bd8458

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
55KB

MD5
f3e68b664c0b9289abcb992b051b6fab

SHA1
ff39c617dfe18ab91e5a274e20c9e5b2a1075a91

SHA256
ee43ec502a334a81f35fed107814430ebf880529734dca07efa8913bcc6f0bcc

SHA512
c9f7e65f7c5230eb353f295820441e64e251d3830061e7123cadadaea6d829616b8863d510c396c73094433d3463c7b6fb1079a439d137853a727e418a78abd5

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
55KB

MD5
73c7a085e3208d02b797806fea5d711a

SHA1
6642bcea0d91228f0d3055d660f9e6c08623e3dd

SHA256
dd19b156123a3049cd44f2c9c2900a6ff9a94075de38db1b4ce8460fd9ab2e08

SHA512
83675bee0bda127e8a1056dc2305fdea2e7085c77dee895861e4bb504de4c42a8c274d3e9a46ded5adf5394837c1ee3da6b9844333450f6e47500a12a6f8e2f9

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
55KB

MD5
2298da7b12ee26e3586dcb44fbff23ee

SHA1
9bcd946752b3bdd5312ab70ba89141dff32cbe0f

SHA256
7f4cb7634f0fe6fa56570259824673921a717ee4aacc968acddf7eb439156945

SHA512
d2b93f2ec72167dc88f714b76b9b6c5ffd6604f22e08b64c3ea6c11477acfa241252b50c5e9dbe63834bd089d4f81e6777215ac63eacfde4fabbd293acdeeddc

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
55KB

MD5
8ad3be7101e3997d28b766a53783f8b4

SHA1
4fef3e74c5cc43807fa11d35b1d012edc49bb1e3

SHA256
27c766ebe78a50ea2ab9ecac6275f8629ca000300df26b9785fb2b92fc590aa9

SHA512
c8dabecf00b2d181f9d353f5429543b823beeaafe8c65d593ce1d62152f8c45f1fcfa93ec25b31678b7b92f526181938cef056bc636520c39d9e0bf33ca2cff1

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
55KB

MD5
49f2b83d0be8118446f81bc2126f1e98

SHA1
54d3c9b49d0f4de3f88119f5c87c6b5f8a99c6ce

SHA256
255285f34eac424d72a8cdafa7f4c2e711f21ed957cbcb0aebe705acb3bffc41

SHA512
15eeac23fc5cb31c5016eeaa95423020fdd5f41b6651c31482ea38d9cde1ea125634af9a2ebcb8f6011e2e11b343ff890a635b119d475cac22ddd40685d3af2b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
55KB

MD5
a97e419426dcba32e5a5938821073550

SHA1
beee171249efe8ed633df7afe6e23806c4be6e34

SHA256
441fe7931bf8d4d08b50c40599bc78c60fb583be92d2f355d1afaa2e7ed32838

SHA512
1bb2e475ca766aa4c5bf81bbfe97b86c1b40e427fd65b5d71150f3fb3cf677938249a9b2c307039d6176b7ee79827d65df22d56b988f3bac0d28c81efc0ec0a0

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
55KB

MD5
b9cf511ecac3e22988647c1c6b9104b1

SHA1
e4789fbed6da86f374cfb3b86d89cdd57e1b2988

SHA256
decafb1cf203bfac4a3053cf7af156998abe37fe1d498f9cbd5f9a6d507dcd40

SHA512
1a72da41c0eb3f05dab639f45f828431c439504554bd38d4c7052812b402b9aa2d4d34a815a3a7ffdf96acd2e68a7c71ead157ff510f058084d9b7aa9c2dfbb3

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
55KB

MD5
64ad34d4fb24d834d3656bcdd870a781

SHA1
30644abad5516af884e4bc38d5ab543e83121b74

SHA256
53735d04be28b3a69cf7e6b316ab6d7f7121c14b5ee9d6b241473a5c94584d31

SHA512
fb4ca8c8764b832e1806d9f806c84417bb24034a4d496bf053d4745726d640a191867bb7a3481cefe88c1bab25954adb94de91c59485a67aaee61c6c45311833

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
55KB

MD5
f3639eff08b0b8cd26b055f316ea1546

SHA1
4b7bb5a0355c9f0f0026a53f08c28c9bb1b27dfb

SHA256
e4ba8b4231b11acf4d9a36e9ca573bc5a7ee1c30e25fdc8fa4b8ee051ea0bcae

SHA512
7c238a78a7c6470e9ed2c9b93700b5396919e163239a2f5275f3562fb41992fa9d4c6fab8225f01124e178a48ec0b4a7f6c85ab7304a7926b721879ae27a6f31

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
55KB

MD5
d0be02925a3411ec75272a0709c1e0ed

SHA1
6ccfabeb53e762240ac779a09c3033ea3b7b9f28

SHA256
0670e2c17fb09ef851dd6537cb932fda2974a5de29d46d8b7d652d98b36a3c5e

SHA512
d319f109be4d3bf0eafa87af3153013c3c01d000f91338873b6487c22eed4e1331edadcfa016e0864b9ab3e747aeccce39e6796b0287869bf092fdd751d6cf49

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
55KB

MD5
7740b2a012d3a4821abb0221d06e101e

SHA1
c874850fa1d7ee4140b5d12f64d9c6fc0db49f15

SHA256
6a79229e8671029fd83650f831f2d72cd3dfdcb6a8a6bfbe668150bbc4ef3f47

SHA512
96af640b398decb624e54a7eb54a25fd1a197df6eee4908d797fef845159008cfe643d55e0e25650a6d645fc295928e90e3e449a9b214323ef1144f1fffc05f1

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
55KB

MD5
f8b737e1ecfca5a6aff5960a66f41f5f

SHA1
1e411d48652bf08edb62a351a0b278352760dcec

SHA256
28f8f935325328a61a8a9dc47345bff36b12dcf80d36b982a8fc07d7e1454aef

SHA512
59ceb096cf711e78454acf3f4fb0d2ac4bb312ee34abfac7c7c7389b7a2ff98efa0e1f7dfc6bd2b3e1e3182be487fef983fd819281031dfa55d71718a3d45883

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
55KB

MD5
04beef3ff1c274bee0d3442b2d86fbc4

SHA1
709e14e70bdf195ec327753c49b5652dbc1c49c4

SHA256
28f6322787211b7b386bb601370fd47dd4c9efcd2a022af5529dc70b3ea95f9c

SHA512
2b9ad7065e043a8ecee73e75230f0819640a483dcd61209ccd39c1b924e9a5b76c2e424ec64fafe829fdaad8500f7542b107321c4ab6774f2fffefb29296f158

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
55KB

MD5
846fe224afd261b01ede02af9de6410b

SHA1
9b10c05dafa3093f20681ad6a2bcab2cc283167d

SHA256
4565143ceae1f2eb2fbf69f72780db8e1ef0331d377af373f5e0f78875aed43d

SHA512
c626a46f3cf02259e3e48c968165f3ad62e3b9f60cdde38adeb698b172b42ddbf799e062a43e1d46da533a792c0e58066af0d872dc6d358cef82fcaac6f1eee7

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
55KB

MD5
29ccb056e35ccce73a2cd111d49158bc

SHA1
e5c81e4f0f571b242f137c30e1e2f2f16abdaad9

SHA256
67a07680128a623e5846217af905886bb012682aba5f29dd425ecc13aa9a0133

SHA512
526ce4d86c228e8c3a6c3dcdfa2b2627d889dd80be6992fe4904a17828f4a3994deb786f37364bd37c71569011645b39e6ec458ee5e2eca2de136dc94841fe19

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
55KB

MD5
fc4f6b3e5865605d4ae9b351f6e2739f

SHA1
de2005e4fbf1a17f5957a26d8e5612125dec48d7

SHA256
d45ab127d04170746c2376d7efd459541c102842dc1b9ec8c2f7f8f9514f7843

SHA512
d197fc5ead71cfe982189917454a8a6deb7c31833943ad562f4365c842f15530d6e3c8ff5999ae4bd659e57b5dc3c35fa14fc2c8b07d21d01182e553148f3b1d

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
55KB

MD5
0284ad0fc87480b2ab52f6cc7aa076d9

SHA1
54d4f0a67d6a886c305155b9d7f3ff222075f2ec

SHA256
04595bec52d644fe906f9aac4ee34421e90ceb6bc72d0e4ae4dcf424131c9c7b

SHA512
3c4b16d9ccc05c7cbdac50a746d1c26bac98fe566f91c4caa09d19b1c2075028a78b87013aff8658baeec4c232d22520658fba8dd21a3a143f4deb04b5a83e18

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
55KB

MD5
3aed4b4d00dcfe3d65103d6e84a1a96b

SHA1
d43557083a67d9ac3bc5421338b6cd89a7b0ddb0

SHA256
0b28828ac5b7d2277dc5d848f1d3b3872698bc0cb47719205a056fdc1948375c

SHA512
327eef9b9a898ed5b531478cfe4ae5b65056367b87e58070ba32abbfd967068c667f6ccb4579a3efb07863229c60649c7496d0780862d3ea2cb737cc5ef7feb2

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
55KB

MD5
7e2ba8398d93c1e8c59ec4d1a996913e

SHA1
71dd2bcc13a8233b940e63d4784a473fc7e45a3e

SHA256
825de90f96fcdc5e516060ee13cf396ff1ef8040852cd4e908265902200a9a69

SHA512
380eb99b0539fd7b0c30522c3cabdc6a3e8fec5641b09be9b7d1207224f007be3d0d1f12a8499fbd5f8530c986e4d8c4f7051f566c3692659f4329b8775eed00

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
9d16d1e8ad6c1830b9e7e6cf970eaeb9

SHA1
5528aca618a507ba81c3dbbe479d800d81f8095d

SHA256
6eafe2a6e723356ce37f793aa764f6b883235c1b3026940b3277a10764deaf8d

SHA512
f4eeb915717d72aac8be964454640b113cf8c98086c86366915bbc84910983d60a56a2d2543b85e09cfa2ee9bc2983d3c81ea1f1f0b31410e95a792404c005c0

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
55KB

MD5
af5565b618cae74f407392809fe54e9e

SHA1
7b18e5db3b7ffd9a567561de1d0ebd52019b93d4

SHA256
b7ea238f90f5035be2b9851e3965929bde4c971f3db8d35c1004b3df4f550f07

SHA512
7a6475349125786ae0156958b5817313edfe9380a991a07e9636edd8ae4b9c8f38e853d9bf3ca7c0497cc153b96eabb5cd356faf4c05fd6914c593f1e44bc226

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
41e663a7418034a4087d3489042f1109

SHA1
9b2c3b6b9efba7822fc5abf99a835e5f7961c9d7

SHA256
0bb79da920254e63101b8d788deb19998b20f790a014ac2eeb3d322a7a0d009e

SHA512
0b2f6e1c1d9ae212712d9c04ef93afe5dd1a49a2c99ead9db1dcbebdefc51791538c6e073820fe671932ed24ceac67843b7ac3b723bfbd3531402c251d85f743

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
55KB

MD5
1d4b47433dea103f448bed54c9b86bc1

SHA1
84644eb520a91421e2ef266729438d2e86d7aa22

SHA256
41c9cb59cd0f39ecb71276d07ceb99a19d34cf6a1ec4d81e4625f22a019030d2

SHA512
1525df29de58394c85a483d7cb72f9290cf346c4ee3e0b0c169d7639228d7848787419212c9fc67e9f6d40329d48fab0fa1cff1333afc809ecbef5c19ef82b0c

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
55KB

MD5
80169fb127e4bdb8bed76c448c52a34f

SHA1
c9958b8a4e92805b47a5be6de60cfb5e0b1e0e12

SHA256
f2062d112b88fd3bb505fe170c870236c135d8ff0bce486c4a1256ba2daf952a

SHA512
d6782fa9dedc11e2426ed9c784a44923f29a35f86ce4424c95713154eb06dc2c4d4838e0eba167034055bfc1bc7e28a476e160619219c5bf767f2569ce1daeff

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
29ebddf6bf087ad87f5c7dd8edecc952

SHA1
e158329ad63454459ab340bf6e44b2ef1ea0a6a8

SHA256
e559ec387db342709bfc179cb22d1c28ea676d835a33f2e9a4b085de7559bcaa

SHA512
3edb5394554aea36931ff03bdf7ee3ea4804b4fdaeebe6537868b68f9cd374fe65877ceb830ff514a1d9a05a11f1806d9e636ccd4752f917670478b0a64ffc99

Download Submit
memory/428-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4368-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads