350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6

Analysis

max time kernel
130s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe
Size

224KB
MD5

6aa2dfb3732b981bfb5fa4642d491bf5
SHA1

78271c555a2c53da2c3414979d620f0851cbd025
SHA256

350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6
SHA512

77dd86f625a3f9c192edec7e3db470accb69bdecd6e631980f4911097bf296be98ddf074e56f04c7b4576d8543511502dbfb648c327aea92bf1c99cf58d759e2
SSDEEP

3072:7ogK2R8yjoNQ84WiVagzL20WKFcp9jRV5C/8qy4p2Y7YWlt63cp9jRV5q:7oU8lQltggzL2V4cpC0L4AY7YWT63cpq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 58 IoCs

pid	Process
1084	Lnhmng32.exe
1592	Ldaeka32.exe
1324	Laefdf32.exe
4884	Lddbqa32.exe
4232	Lcgblncm.exe
3028	Lgbnmm32.exe
4864	Mjqjih32.exe
2004	Mnlfigcc.exe
5064	Mpkbebbf.exe
3892	Mdfofakp.exe
3308	Mciobn32.exe
4456	Mkpgck32.exe
1468	Mjcgohig.exe
2248	Mnocof32.exe
1896	Majopeii.exe
5040	Mpmokb32.exe
2208	Mcklgm32.exe
1976	Mgghhlhq.exe
1000	Mkbchk32.exe
1588	Mjeddggd.exe
1984	Mamleegg.exe
3664	Mpolqa32.exe
4384	Mdkhapfj.exe
3236	Mcnhmm32.exe
4040	Mgidml32.exe
3172	Mjhqjg32.exe
2936	Mncmjfmk.exe
4792	Maohkd32.exe
1920	Mpaifalo.exe
4692	Mdmegp32.exe
3956	Mcpebmkb.exe
3032	Mkgmcjld.exe
1656	Mjjmog32.exe
3952	Mnfipekh.exe
716	Maaepd32.exe
1812	Mpdelajl.exe
3972	Mdpalp32.exe
4472	Mgnnhk32.exe
1372	Njljefql.exe
5092	Nnhfee32.exe
768	Nacbfdao.exe
3460	Nqfbaq32.exe
2028	Ndbnboqb.exe
3844	Ngpjnkpf.exe
3884	Nklfoi32.exe
1580	Njogjfoj.exe
3128	Nnjbke32.exe
3008	Nafokcol.exe
2184	Nqiogp32.exe
756	Nddkgonp.exe
2268	Nkncdifl.exe
3388	Nbhkac32.exe
3476	Njcpee32.exe
4224	Nnolfdcn.exe
4516	Nqmhbpba.exe
2100	Ndidbn32.exe
2516	Nggqoj32.exe
4000	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe

Program crash 1 IoCs

pid	pid_target	Process
4800	4000	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1084	4536	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe	84
PID 4536 wrote to memory of 1084	4536	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe	84
PID 4536 wrote to memory of 1084	4536	350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe	84
PID 1084 wrote to memory of 1592	1084	Lnhmng32.exe	85
PID 1084 wrote to memory of 1592	1084	Lnhmng32.exe	85
PID 1084 wrote to memory of 1592	1084	Lnhmng32.exe	85
PID 1592 wrote to memory of 1324	1592	Ldaeka32.exe	86
PID 1592 wrote to memory of 1324	1592	Ldaeka32.exe	86
PID 1592 wrote to memory of 1324	1592	Ldaeka32.exe	86
PID 1324 wrote to memory of 4884	1324	Laefdf32.exe	87
PID 1324 wrote to memory of 4884	1324	Laefdf32.exe	87
PID 1324 wrote to memory of 4884	1324	Laefdf32.exe	87
PID 4884 wrote to memory of 4232	4884	Lddbqa32.exe	88
PID 4884 wrote to memory of 4232	4884	Lddbqa32.exe	88
PID 4884 wrote to memory of 4232	4884	Lddbqa32.exe	88
PID 4232 wrote to memory of 3028	4232	Lcgblncm.exe	89
PID 4232 wrote to memory of 3028	4232	Lcgblncm.exe	89
PID 4232 wrote to memory of 3028	4232	Lcgblncm.exe	89
PID 3028 wrote to memory of 4864	3028	Lgbnmm32.exe	90
PID 3028 wrote to memory of 4864	3028	Lgbnmm32.exe	90
PID 3028 wrote to memory of 4864	3028	Lgbnmm32.exe	90
PID 4864 wrote to memory of 2004	4864	Mjqjih32.exe	91
PID 4864 wrote to memory of 2004	4864	Mjqjih32.exe	91
PID 4864 wrote to memory of 2004	4864	Mjqjih32.exe	91
PID 2004 wrote to memory of 5064	2004	Mnlfigcc.exe	92
PID 2004 wrote to memory of 5064	2004	Mnlfigcc.exe	92
PID 2004 wrote to memory of 5064	2004	Mnlfigcc.exe	92
PID 5064 wrote to memory of 3892	5064	Mpkbebbf.exe	93
PID 5064 wrote to memory of 3892	5064	Mpkbebbf.exe	93
PID 5064 wrote to memory of 3892	5064	Mpkbebbf.exe	93
PID 3892 wrote to memory of 3308	3892	Mdfofakp.exe	94
PID 3892 wrote to memory of 3308	3892	Mdfofakp.exe	94
PID 3892 wrote to memory of 3308	3892	Mdfofakp.exe	94
PID 3308 wrote to memory of 4456	3308	Mciobn32.exe	95
PID 3308 wrote to memory of 4456	3308	Mciobn32.exe	95
PID 3308 wrote to memory of 4456	3308	Mciobn32.exe	95
PID 4456 wrote to memory of 1468	4456	Mkpgck32.exe	96
PID 4456 wrote to memory of 1468	4456	Mkpgck32.exe	96
PID 4456 wrote to memory of 1468	4456	Mkpgck32.exe	96
PID 1468 wrote to memory of 2248	1468	Mjcgohig.exe	97
PID 1468 wrote to memory of 2248	1468	Mjcgohig.exe	97
PID 1468 wrote to memory of 2248	1468	Mjcgohig.exe	97
PID 2248 wrote to memory of 1896	2248	Mnocof32.exe	98
PID 2248 wrote to memory of 1896	2248	Mnocof32.exe	98
PID 2248 wrote to memory of 1896	2248	Mnocof32.exe	98
PID 1896 wrote to memory of 5040	1896	Majopeii.exe	99
PID 1896 wrote to memory of 5040	1896	Majopeii.exe	99
PID 1896 wrote to memory of 5040	1896	Majopeii.exe	99
PID 5040 wrote to memory of 2208	5040	Mpmokb32.exe	100
PID 5040 wrote to memory of 2208	5040	Mpmokb32.exe	100
PID 5040 wrote to memory of 2208	5040	Mpmokb32.exe	100
PID 2208 wrote to memory of 1976	2208	Mcklgm32.exe	101
PID 2208 wrote to memory of 1976	2208	Mcklgm32.exe	101
PID 2208 wrote to memory of 1976	2208	Mcklgm32.exe	101
PID 1976 wrote to memory of 1000	1976	Mgghhlhq.exe	102
PID 1976 wrote to memory of 1000	1976	Mgghhlhq.exe	102
PID 1976 wrote to memory of 1000	1976	Mgghhlhq.exe	102
PID 1000 wrote to memory of 1588	1000	Mkbchk32.exe	103
PID 1000 wrote to memory of 1588	1000	Mkbchk32.exe	103
PID 1000 wrote to memory of 1588	1000	Mkbchk32.exe	103
PID 1588 wrote to memory of 1984	1588	Mjeddggd.exe	104
PID 1588 wrote to memory of 1984	1588	Mjeddggd.exe	104
PID 1588 wrote to memory of 1984	1588	Mjeddggd.exe	104
PID 1984 wrote to memory of 3664	1984	Mamleegg.exe	105

C:\Users\Admin\AppData\Local\Temp\350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe
"C:\Users\Admin\AppData\Local\Temp\350e82cf1847a80188921568dcb2ee636ed0f58bb9d0643e59561d0fc60520d6.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Lnhmng32.exe
  C:\Windows\system32\Lnhmng32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Ldaeka32.exe
    C:\Windows\system32\Ldaeka32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\Laefdf32.exe
      C:\Windows\system32\Laefdf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        59⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 400
        60⤵
        Program crash
        
        PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
224KB

MD5
67da1514eafe70fc8cceeab32b77144b

SHA1
46c84a916fbf86b5716c9c3c8d7389392559ad6a

SHA256
f54935dbce90ce96ce48e5da69a37cbc8d56f5286339f222c0b9eac0e5bd3edb

SHA512
aabcad12fedf8067e4fda9d081e017c9884e8ea2f8c38e5fc08faf0197355b75ed4e4695e9cc25d09d66ca5536107ee7770bda37c505bd13c6fbe2190f3a3d3f

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
224KB

MD5
bc4c9fed9abb3233756ed1c41e8e30d1

SHA1
df846108b3c17c41883d295f0b821889191140d6

SHA256
61a7802d63883c58cbfd343965013f608e4c4b2a2a5e14d4ea2aac24eed7f6b4

SHA512
6ac22e954dc5993ead9913b1d97a04ab58e07c83f0835379fb297a39208278ded356ae0bdebf1b65ae1974cc2bf0204d696f8f3dd891eba8beda9b7ddbb5e679

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
224KB

MD5
2971cbde1156ee9b30fc39bfacf28109

SHA1
dfd99fb55393c3f6501a48fd5aff3478738d86af

SHA256
ca5da14b0b33e4b94a3b58c114425374725aeb7e27802ba92eb936056e735a65

SHA512
001c62adb558b8b52273747b48cee0e897a3c4bcf1bd8cb125374cfb9c5a5d697e5bbd54a7f37d8c026322e20fdaa8f45cadc771db453116f056af01277e3e1b

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
224KB

MD5
8390f2398a2985d5a4432150b6c874a1

SHA1
ce06f2831a17778695e27c06dcf1edaecda12723

SHA256
4a6a92b73e034fda6d011c72e51f020e460cdb563e526226309dd32f00255c59

SHA512
9fcf4186169e4df050bd62e37f9730fe8a4cc7b7508971936a9fbe41610af10affae88f1ba8298ebcee135bab94445991b6fff21ea9b7021e4d9285465066885

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
224KB

MD5
9ef09e1351bcfb2bd9b53ae975155c16

SHA1
ce07efe6b107552413804d1af1a9daaae2f35e8b

SHA256
6889d41740d58f085cbea07ec606a12c0b10b6a0cc542c537cce06ee618e742f

SHA512
ad021b5681685539101775726ec19bce0bbe6f1c8311f208294373c58f12fd46b9fc6c7a83afbec68ef6d3f5a7296bbfcc1b6f4998f134b341089c8b657fd340

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
224KB

MD5
835a8f29d8fcadfb9537aa5b7a10ff69

SHA1
6bc50fcc835086b418f0051f473536947ae4cf92

SHA256
cf4a86fe10e082ef112cbc71b4b80e95361754c0a50e260bb01988d92a7df97c

SHA512
be728ee072e49e75c66a0629310929e23ec97034431a3586cc684f74d72b936d3f240e303d3d0175614e308ccdba7b26b1d57fad1bce64530df2f5186e0d4607

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
224KB

MD5
ade8ccd765869baffba79987c5bbf80b

SHA1
de79c3e37d6b2bfdcaa2695f598dac8100729eb7

SHA256
3d043c8813d6921e007004729813c2adeac24bff9b6187598c217bcb5c588b73

SHA512
4b6c67736edcb1606d80ab3ea73f48d342240f221c4a8f72de7b32542b9397543d580be5f0fc756e52c32d54734cffbd691f7487803d774f422c68d65231cdde

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
224KB

MD5
f04f92d398f80de430fda462a69a8246

SHA1
a7f0db9246b0420ed21544937ff60df6d1f97d2c

SHA256
ccb575f40adc9c05d3f1c3b4d347e944a83e065098ea7fdd9ff8b63beaa75748

SHA512
7053f6f3773b5d3ed8280d96dcb07753b3106ba57f5ad39cb7060553ece3bc7478c2db4d5459805de5ad7e4bbbc0870dbad5d0b01418ccc53f76311dac17d950

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
224KB

MD5
0e91c7e30eb0374ebe77c5ef82091812

SHA1
9aa00fc040587e5095721f7f494d59093ba2e778

SHA256
90e1a1b141724521daf27ef869c54a135a9d4fed741c67817dfc0cad1e92ab22

SHA512
ad78fc939076d806c781eb5014860b1b33e2458048cad4a0f952e814d284718616abb966bdc3c6b320fad44649c77db5594fcad50465304151bcb77c7cf176d8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
224KB

MD5
c66c2de7d8c3c07122157899f9fd6334

SHA1
0db93bf74bed460abfb8e0a7c79a6cde6c3c888d

SHA256
a7748a3ab7c7b4c5e61c757b3ae5a34c1e7bddf3dc2d5e729d6c412627a08eb8

SHA512
6df5cd73c629f180a6745eb6fed3121fb8ea634de4363dbcb97256c4adb5dfd10e7d9dba63fd1c7bd846c1f575ef6a02e3433ce916f9b38b7210925bdaececcb

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
224KB

MD5
2e6d6d20807b887bf3c75e7b48358d69

SHA1
c3ff476a7bc0fc9cbe9d6a819431a7d991b8522c

SHA256
17167a58de0abcd5789b3f3024eef95fa624c1ffa38d8986fb729edcc0bda929

SHA512
0f8f8000cf9e6c128f4dcb0da6f3a3a8d7e2129dd1a3e8184ca8d7b5d33c8a3500cfe803e94dd54b36ee2e1f689dd8039d0a0189d4387c24c84f40726fa948a4

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
224KB

MD5
be4db5515195b758f3ead34f92081aad

SHA1
1514246ff29e91ebf26ca330e3193a2febd008e4

SHA256
ef699028cb584e080a87c9662e40d5d8b8e3a5cec41b7d943aaf1f7d6272ee66

SHA512
9292221ecafb92936cb7aa88cd0d4ab85def9a9115bc37087edf15f5ce373d79f7f19e354885c0a6a079708098cf3fd248bce35dbe61eb180f6dc6e498890779

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
224KB

MD5
54a182ffa41066f3789793456d33c39d

SHA1
9fe86bcfdbfe4f262ac16e5c173a1ed66ad59b3b

SHA256
e5de10104570473901f7b7fd1b51766b6aebcfdd77dbae647f92f316b1ecc455

SHA512
b634896eb27763633f1e83f91d8beb8b5d6f2bdd2904e43dd9db833a6dd042ef8e31487ac3ef3f2f037c840c17cf063b1049d251e1f7761a9a1d96633b209aae

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
224KB

MD5
35cbcdad17ea050a0f99269f83e75d94

SHA1
f250ac9840f66d168f592f5c92a5d8b21a0461bb

SHA256
69f84bf1bfecc1b3b848d10ea92a2acf77010603a02d8dfc8b640ec488518c18

SHA512
1abbc6eda76ae8d4b19fe409b15a2bb0f997ee435674a50b3857638daf8132ce704c40a59faef8c31a4dccee4c457fec72eaa84e52c30655f7624f920b91ed4a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
224KB

MD5
b6306c1f565efe65c33acfaf809b1c85

SHA1
d0ac6211c465b817497d597eda7ac127fd30f892

SHA256
edd11e972e65d5b41c6d72c450e742b1a9a6f01c5d394123dafb226473373f2a

SHA512
74c3cb94593163856891c1248e826c141cebb65a663a8f8aa19850ae012ca59596fa60865a7f8a4b80ab0c2d8f5bbb8589f2e771ba3df10b1af3132e452c3c6f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
224KB

MD5
4baf09bd61fca2749554a75fa8ea2aaa

SHA1
32826d0d442cf5468c3d753ae9e2323f8cda5935

SHA256
4f297f41a61fe7e285c0a13e4b8de2410e54187d3c3e93add39ebd562725aa6d

SHA512
9eb000f7cac14de797725148911ad08fdd0afbe55e75dc222b365a9b7517a7ba2545e63246d673d35b7d83dad462d87e8267b183d9a652dd9cd175b279eccd78

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
224KB

MD5
3e34e13ec78d561012ad0a58d801d049

SHA1
fdc908d9202e36c5c3b164f655acd68f7e03ccf1

SHA256
71509db775ed6c30a631a75806413f93a2c3d03b666e9587438e8bf4702e6746

SHA512
4f51ae0556e14d3e32efcad9b82da1d41eb11968a3d6a52665e7e5c85ea0d29348c081cd0ab2a64c4cef8bbf5dba22f643d9be46ece234b69cdf7ec7bc6f7f70

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
224KB

MD5
eef6ee0cb40b2cafe0415ad736b4dce8

SHA1
d4e54034076bb519a11116d6fe1d6f99761176c5

SHA256
47625a540f2224ee8aab46e46602776ae9114d13bb55ce4558d14c6dd12c067e

SHA512
2035c84fefbc0532dee9cf202ac6773a31ce208c490be09b59218e712f62ef85dd1997fbb5eb301fa8594def4558983ad066b3cac5a3d1b4f47f091071eb607f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
224KB

MD5
1cb6f13e439aa33fc1fbdd96c6d82a66

SHA1
c4f43dcb54c92705238927669779aa7dacbd2281

SHA256
4d5dc297f10b333f9392d2b890d3a40f0b7dc955d239b11933ae0db5595824f0

SHA512
02af2dc8f190adea8d6236e9477cec3d753a1a07083e0569bcfa78f9ed13ee3f5abc0b7878ffc5614962adbb17ac24e2197b6a3720300fd02cf556a91b64f431

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
224KB

MD5
35b58bda2b39121adc8a38b2d1b1f289

SHA1
5563abab61e86cf280a73515d2a01cbb6705aa95

SHA256
89a1c15f8d6c037b64d6c6f4b28f22aadfee3742787fe2cecd479c82a2157ecb

SHA512
1d3131f85bb4462731957e8cabdac3488c64c89895e9fd0a5f75ba7f12b3f40a90b72db2ea72abcc5aa1027bdfcd45e1aa8fa6ee5d7a605863a2767cfa41be03

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
224KB

MD5
44de4cf59122a4cecc9d0918f97461a0

SHA1
c8123f05cc7ef7a7879a5c87775f523a5bbcedfa

SHA256
f313ed31734adced57b1c46ccc1810f2f0b5770fb5a090518d40f5ed09a2c8b6

SHA512
98fc1b300a3bb4631bc178700593ba587616dfee29df2cc30e7c83161d5f2b0827931d161e3406e0f9cdfab39a5aafb72694210381a5ab279a6aef8f4c464a6d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
224KB

MD5
43518c2fb2dbba7d99feec2f310b122d

SHA1
c462bc3339200573ae35d0e5f5815d322e76918b

SHA256
01e1d1e4ff72b34d8c3f8f31d5f34b53cf8028f2bd79899ccd17ee8ec91b8f93

SHA512
e9a9c56c50c32744d77d8b4f702c54391162e1e33537813809b3b90697aa7e801312cb33c4171bf6b7e0f0c13d59be87b20ade6cb5a669c4a44ce32d79d3d853

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
224KB

MD5
be47f1320d8c1b0eb4b9bc7ebe4e9c22

SHA1
a15d0db6049561962a3c7e61a31c4071750cc558

SHA256
9819869c5bccb7ec4a6dec8597c1fba40a28c02b6586d4220b787569141972bd

SHA512
37531b3609b811e3a3321bc72bbc40e882a1d18de7d3fe8c6bf0bb363d89a58371e678dc9d5dfc5054bc9982a660c4ff4790f131ab3d679d52688cba9f533eca

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
224KB

MD5
3bfe8ed086829680354344dbac11c3a0

SHA1
5b2ece2eabac1a5150ced8c3817ca0bd9cae121e

SHA256
c9846de1cd2ced6b4855c1050f30a613fa2f4f50ab94beb39065ac9dadef7432

SHA512
e8af898ce43e6c9f662559f148b6882c319f0f6efc063fec1be157cfcdd872385889d9dcdeab33bc04ab402546d886af9c828ef2284ff6126473663893ff2c85

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
224KB

MD5
2bec5194b417a0e36527743af4680d11

SHA1
e45c994d9d317298817f72f8c1ccfdc139182a54

SHA256
1ecc00580ac2c2e91333c3fb557cbb7127bc4faa1bac4cf2bf118d2475b69600

SHA512
915e2efe6b86b0c0337f01a7973183854d0c13577a4fcacc64db27cc13a1c3b67bbb30d5f5296b239a28804b17b1c1d5df88d4a7693fc42a3e610f03f57c575b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
224KB

MD5
8328987fa39525ba1714b7820f54175d

SHA1
da44ee90286a0192a8bcd3cc94c2921a8a8e985e

SHA256
465dd2e2300643c55a59c360192c6e2f7c87a82f93d62ddd81f2f25a787be026

SHA512
15f69623bb84e1ba8afc424b981ce0dbf7505126d1aada7219b166193555cbd2a5d1b88389c9ec0c448bf37d7766e0679f70255c0aa3dd97797682a866aed6d4

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
224KB

MD5
c6863edaa0adf7ae27272598cffe1816

SHA1
0b26dabd534d5101de8744188e6664ef5996b651

SHA256
68c42bd2a599a1de96394aa5889eff88304c5767bbcc1892f1f627e6138b4eb5

SHA512
2eb32c316ae67a00ab5e2436364cb69dc70da5146a5785be4b788d7067e44bfc722ca782739d75d83142480762e823ca9536dc5c24d81712c81c26ee316b4c6c

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
224KB

MD5
f8cf4426d0cd5690511940d1dbe1b2b1

SHA1
b8e66fe0cf8acdfadd26218eae632f1d04ca990c

SHA256
0c715b341de025a673c001cbf8328eec44ad03613b86aa02a77dbb4548b1e689

SHA512
622be3b032c5189587d21288a8fec7cda52262a6b1f2d9b074dad3c619a1b68b27a6a47be7f53b2b2919dd8c34e649a8f0c9576d7202f5b20eb1452c98923b50

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
224KB

MD5
64bc03cba792683e9afc05cffdae4a6e

SHA1
761019e72d1dd90945c520794fc9dd2d365486ca

SHA256
7ce5178d96f23e5f4261454f78d9e707148660c09753ddfeb6441a7033d86ff7

SHA512
dc973fb9db1e6b29ff994913c90df203f20fa308a7aa69e6c4f98c2668a4296ebfefe5cc4b778e04c82aaa472ed8ee7c272d55f6ce2bc63475b6501d3c5d8bee

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
224KB

MD5
d17617e20e31505179c4311bfce952cb

SHA1
fd70b19e2a936ce76a7a712807c03a2c9f32d729

SHA256
6931dc2f0887d91d40a17bf13261a75f1194ff8c1beb0879e422d3992c787ca2

SHA512
63d0e44dadc28fbdf5cafa18cd3d9a9a450c256255f695c70ea0fb0eebd8363d378b4ae7130f247df1dd61ecfef4296e82b43390f2492ee5fff1c21641cc582d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
224KB

MD5
464a148cb8290bd69112c3f6a0b8007d

SHA1
c88efa39d4496b56e1bf6bbca21844f9fde622f2

SHA256
93532e5e64e16060dcddac6d2ea7dcd65d1ea1efb214e8a8ef1b1a202d5bb1db

SHA512
23c006035b74229fd2fc0628ae5cf3acb5256f21a69f364c2182d30e5b2d1d1d09b1f7f8dd692c3f8f7bf6fe002b224c27e4e20eca75649786fe246432561049

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
224KB

MD5
0811c8b24183407561f502e97a5afdd5

SHA1
7ca677290829362004426dd61147ed08413139ae

SHA256
e57aae84cf0c6126d35116f08e33421239fcc2e4135c7475d8bdc11d059e3387

SHA512
459fa4c7267fc9f044ae01eb6515c19372d1139d4b39871d9ae1a6ddddb573b9579fe60e12ec1aae2d59d670c2070ae2e294ca095be97b827faa2909e2cacc97

Download Submit
memory/716-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1324-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1372-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3236-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3844-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-408-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4536-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads