9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Size

135KB
MD5

49011b2588318f94623e7ca8caa0facb
SHA1

953e12c65630edb765d6e3fe4881bc1077604d26
SHA256

9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112
SHA512

d6f541a09b4d674cf0ac3094188aad7fba805de5833ff0d050451c492dd2d906e44c81e0d0c211625019e343ea9c5119ebbebeae996fb9d0f5de7b0e1e70e38b
SSDEEP

3072:US+WKvz2b4T3K8Qr5+ViKGe7Yfs0a0Uoi:R+WKvz2b4T3K9cViK4fs0l

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe

Executes dropped EXE 45 IoCs

pid	Process
2956	Lpfijcfl.exe
5056	Lcdegnep.exe
1708	Lklnhlfb.exe
1048	Lnjjdgee.exe
4432	Lddbqa32.exe
1392	Lgbnmm32.exe
2728	Mjqjih32.exe
1068	Mahbje32.exe
3044	Mdfofakp.exe
1208	Mciobn32.exe
4800	Mjcgohig.exe
3300	Majopeii.exe
1680	Mpmokb32.exe
4492	Mcklgm32.exe
3020	Mkbchk32.exe
468	Mpolqa32.exe
1444	Mcnhmm32.exe
2912	Mgidml32.exe
4908	Mjhqjg32.exe
2180	Maohkd32.exe
2900	Mdmegp32.exe
4600	Mcpebmkb.exe
2176	Mkgmcjld.exe
2544	Mnfipekh.exe
4108	Mdpalp32.exe
2304	Mgnnhk32.exe
3284	Njljefql.exe
4220	Nacbfdao.exe
4888	Nqfbaq32.exe
2360	Ngpjnkpf.exe
1516	Njogjfoj.exe
2740	Nafokcol.exe
380	Nddkgonp.exe
3312	Ngcgcjnc.exe
1188	Nkncdifl.exe
2932	Njacpf32.exe
2776	Nbhkac32.exe
3712	Ndghmo32.exe
4328	Ngedij32.exe
1856	Nkqpjidj.exe
1496	Nnolfdcn.exe
4056	Nqmhbpba.exe
5104	Ndidbn32.exe
4876	Nggqoj32.exe
5004	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4312	5004	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2956	3672	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe	81
PID 3672 wrote to memory of 2956	3672	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe	81
PID 3672 wrote to memory of 2956	3672	9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe	81
PID 2956 wrote to memory of 5056	2956	Lpfijcfl.exe	82
PID 2956 wrote to memory of 5056	2956	Lpfijcfl.exe	82
PID 2956 wrote to memory of 5056	2956	Lpfijcfl.exe	82
PID 5056 wrote to memory of 1708	5056	Lcdegnep.exe	83
PID 5056 wrote to memory of 1708	5056	Lcdegnep.exe	83
PID 5056 wrote to memory of 1708	5056	Lcdegnep.exe	83
PID 1708 wrote to memory of 1048	1708	Lklnhlfb.exe	84
PID 1708 wrote to memory of 1048	1708	Lklnhlfb.exe	84
PID 1708 wrote to memory of 1048	1708	Lklnhlfb.exe	84
PID 1048 wrote to memory of 4432	1048	Lnjjdgee.exe	85
PID 1048 wrote to memory of 4432	1048	Lnjjdgee.exe	85
PID 1048 wrote to memory of 4432	1048	Lnjjdgee.exe	85
PID 4432 wrote to memory of 1392	4432	Lddbqa32.exe	86
PID 4432 wrote to memory of 1392	4432	Lddbqa32.exe	86
PID 4432 wrote to memory of 1392	4432	Lddbqa32.exe	86
PID 1392 wrote to memory of 2728	1392	Lgbnmm32.exe	87
PID 1392 wrote to memory of 2728	1392	Lgbnmm32.exe	87
PID 1392 wrote to memory of 2728	1392	Lgbnmm32.exe	87
PID 2728 wrote to memory of 1068	2728	Mjqjih32.exe	88
PID 2728 wrote to memory of 1068	2728	Mjqjih32.exe	88
PID 2728 wrote to memory of 1068	2728	Mjqjih32.exe	88
PID 1068 wrote to memory of 3044	1068	Mahbje32.exe	89
PID 1068 wrote to memory of 3044	1068	Mahbje32.exe	89
PID 1068 wrote to memory of 3044	1068	Mahbje32.exe	89
PID 3044 wrote to memory of 1208	3044	Mdfofakp.exe	90
PID 3044 wrote to memory of 1208	3044	Mdfofakp.exe	90
PID 3044 wrote to memory of 1208	3044	Mdfofakp.exe	90
PID 1208 wrote to memory of 4800	1208	Mciobn32.exe	91
PID 1208 wrote to memory of 4800	1208	Mciobn32.exe	91
PID 1208 wrote to memory of 4800	1208	Mciobn32.exe	91
PID 4800 wrote to memory of 3300	4800	Mjcgohig.exe	92
PID 4800 wrote to memory of 3300	4800	Mjcgohig.exe	92
PID 4800 wrote to memory of 3300	4800	Mjcgohig.exe	92
PID 3300 wrote to memory of 1680	3300	Majopeii.exe	93
PID 3300 wrote to memory of 1680	3300	Majopeii.exe	93
PID 3300 wrote to memory of 1680	3300	Majopeii.exe	93
PID 1680 wrote to memory of 4492	1680	Mpmokb32.exe	94
PID 1680 wrote to memory of 4492	1680	Mpmokb32.exe	94
PID 1680 wrote to memory of 4492	1680	Mpmokb32.exe	94
PID 4492 wrote to memory of 3020	4492	Mcklgm32.exe	95
PID 4492 wrote to memory of 3020	4492	Mcklgm32.exe	95
PID 4492 wrote to memory of 3020	4492	Mcklgm32.exe	95
PID 3020 wrote to memory of 468	3020	Mkbchk32.exe	96
PID 3020 wrote to memory of 468	3020	Mkbchk32.exe	96
PID 3020 wrote to memory of 468	3020	Mkbchk32.exe	96
PID 468 wrote to memory of 1444	468	Mpolqa32.exe	97
PID 468 wrote to memory of 1444	468	Mpolqa32.exe	97
PID 468 wrote to memory of 1444	468	Mpolqa32.exe	97
PID 1444 wrote to memory of 2912	1444	Mcnhmm32.exe	98
PID 1444 wrote to memory of 2912	1444	Mcnhmm32.exe	98
PID 1444 wrote to memory of 2912	1444	Mcnhmm32.exe	98
PID 2912 wrote to memory of 4908	2912	Mgidml32.exe	99
PID 2912 wrote to memory of 4908	2912	Mgidml32.exe	99
PID 2912 wrote to memory of 4908	2912	Mgidml32.exe	99
PID 4908 wrote to memory of 2180	4908	Mjhqjg32.exe	100
PID 4908 wrote to memory of 2180	4908	Mjhqjg32.exe	100
PID 4908 wrote to memory of 2180	4908	Mjhqjg32.exe	100
PID 2180 wrote to memory of 2900	2180	Maohkd32.exe	101
PID 2180 wrote to memory of 2900	2180	Maohkd32.exe	101
PID 2180 wrote to memory of 2900	2180	Maohkd32.exe	101
PID 2900 wrote to memory of 4600	2900	Mdmegp32.exe	102

C:\Users\Admin\AppData\Local\Temp\9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
"C:\Users\Admin\AppData\Local\Temp\9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\Lpfijcfl.exe
  C:\Windows\system32\Lpfijcfl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\Lcdegnep.exe
    C:\Windows\system32\Lcdegnep.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\Lklnhlfb.exe
      C:\Windows\system32\Lklnhlfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 400
        47⤵
        Program crash
        
        PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
135KB

MD5
acad99e01e9ac0766fe1996d90d8d0c2

SHA1
7ed98f8e89127623bb9bcc504957d22edad7a588

SHA256
73fa338d317e3ffebce73a1fa7e4ba928583529fef94dc5aeba6d5c966a06155

SHA512
bcbcff89b6a646604dc0f8bc1dade013dbee308ab0236ea81469e8c852853ea812365d118f71eb5a4b2d31f3ddcb3106409accd956a5e01b2f9c94b0a7ee4b8f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
135KB

MD5
689a710f3664ac34bf89b473f2170432

SHA1
598c8bad300ff28d009ee5309e0ee57f5e821bb0

SHA256
8e02ea32b3745d7dad60bb230eb356d32eaa71e3d93c9eadbace96352d563d1a

SHA512
eb8347315322d4ff856e8791638061eefb6632ac830c2a46f458993226ed8cc91f775fbe94a99782590c3ee81c5efcdb9f9bda10eeafe7ffc7252042a99fcbec

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
135KB

MD5
76ef2fdc798e2b24301451506ae0aaa4

SHA1
ceb1b7a1e92aefa010fd23ef3cb32321fabfb423

SHA256
1897733e74b737cc666d3e87add619074c9a389760c5f9b04639da2d395dddd3

SHA512
6913f0b344fe50e0d69f033245b34bc887377a4ee5023b51b2aaab27cced5861d8acf68694ee6e4e256f5f6d0d00172a4bcae922b6a262158bfb052a9e5855e6

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
135KB

MD5
07b06a87e909bd1ed1ef95dac01e084a

SHA1
e1ff5ef5ef0d98c6822693214e267f9699b0ef5a

SHA256
5dddd561f290d2df97c82bf44e0d3fdb17991f846d4a9669f9cad477c8d3e75c

SHA512
319078f7e99f24fd3500a8e3952bf32b7fe83d36991638f2739eb2095f80cb6afe6cb1ab2827bb8597a9b4a546b6f8f9183356eefadde1f54a3f43513d783e54

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
135KB

MD5
1761a80c6e136f65ce649acd525b8353

SHA1
827dd9f5c70e11e50bdc51aa0794fa989c1793f7

SHA256
1dade73ad517fad5fb3c0450954de5168c2825ef7e4709894f3371364de14005

SHA512
77a4c3cdb0e1e00c1e53aa6ce45ca53469bf6a652512c7bd172ed7f2eb0a2ffe59fee38ca058089c334c2d38d6e0097fd0033b4506e591aaa7533bcfb9890a68

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
135KB

MD5
569d217730482d2827ab82f7aeea1687

SHA1
a82ff89eca27abf525c91802fe020fbff04171ac

SHA256
46b13f4854457503dcb4975e9e00bfe9b7d2c1d3b6dad7bbb6dc43176d0c23b6

SHA512
0c78e19cfcf669f0079c01602a635add2b3a6d949d7841dab1bafda85affbcf8dd329c7cb0eb6a307079374275556263467ff90cc4358b85e18f7d5cc42f4d65

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
135KB

MD5
c8976764b7318bf5c535f3ff4b44c0f5

SHA1
8e6c9f08832dca0a7a0d43301ba379ac046cb195

SHA256
8efafe3d0ca2a31c88b368fe3b0750e718cb92623d096d9d48d8ee5855f71785

SHA512
fd58864b8bad17bb3ecdcb9056d76ca4063cf544bc9e5274535d711062a7e2eed0de262bcb558a33f32e5cb26733b32542f788c51f916170cbea14fb86def230

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
135KB

MD5
c7b03e8e9427f4c541822a6b3be19247

SHA1
996b886520be99b8f48c43c923e59752e9d6e7a1

SHA256
a2b81bc05b56b1bdc9dad6947aa2da0b81ce259589e4450749fc4779f04a7c3e

SHA512
2d6bfa068d541de68b4fdf73baad76dc8dae49c4fdb3cdc80da68cc14e9e7c3461f9814447940c112cbb72a50bdb677fa18d57bacbd373a210f16f009a0ccb7c

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
135KB

MD5
be73af64cc79b8eb699b0953be35f44a

SHA1
fc5a819e6fb55f5d58f86185726ce15144bef302

SHA256
a3e44245b7c6fd3e5331470a45eda8956f4d66849072393a8de97f8c3d58bc44

SHA512
0083aed046b302b0092b770c0bcac40581a96af969e76ffd172669051c97812c2d3249fa644805fb187825eb4571b396914ca41595bdb8fa86c3bce746143d15

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
135KB

MD5
538193230657641a58dcb054442d634e

SHA1
5f6e818d430183b3072b302a6febceae6787087d

SHA256
cc5dfcf9f53e07bc5e24ae5817ae3ad931117f08b9e478e24f46412b2942f088

SHA512
8c1a58fcf96d5980861ef1d7d8e6aff156dfccfbf5f5feb9f4cf2465affeca9d0a819ba461ae302b9ec12870001124b510286db4ec6e740a0d08ce6c708b8a43

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
135KB

MD5
0e66694849bfb5e362312725caf24d48

SHA1
2996e959342e00622a41ba77a406f05e1a067b79

SHA256
73156676ebe5f910a4ce2c895857fdbb16a97e47feb4034c8d3f1f26443ac4b9

SHA512
bea33167096ed64ee271c32815ef772dcdf114549eedbd9a52e146a2d9e22d609b996571a9ab68ab1bc6fc15a7812f7e3a45226f44ef5359001efc65dda78df3

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
135KB

MD5
e74da9fe3abc4815881aa9fbe0c6073c

SHA1
b0d7e860ce213b3e31a0126d2698f89433e4ad59

SHA256
b44f29af996ee5055b9ab0df66d48e2d79efc9f67e50f84ab0f07a8aea23e5dc

SHA512
d1781e056972d0c2a19896c9aee28c552ac880a1dba2167fd98d8a0de63fd703115d160d1add38520428f5bb53d6c5c5aa98caf9dde91e0f828cb8b5a142e5ff

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
135KB

MD5
644a84f97e00e450ce167113bd6e1207

SHA1
9928d87abe0213130d8cae9abd36763bff95d88d

SHA256
a9c7c507af75f1b5f81cfabc5454e9e9147f1f0cb5bd7cc56f9c810043c3ac7a

SHA512
b7b93219ede7f9847a8ceb036216f9571bf0f6426f82c11598e34291736afac3f9e9066393fb91f580013bcba013ca7b6f3f4b65f91c1d47c4b0f78e2f700919

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
135KB

MD5
0df25313943540fa04fbf15830d2b0e4

SHA1
4b0cdfd6c08bb49d711cf9e77c927d8130182371

SHA256
0e09202c520837b4f86bfa6b44a121cb347afeacfcfbd4b17d31f0044d33072a

SHA512
5a77fe9ef513445e6abada295e7124f3e6fcea9c5cc339881ca00b6d38c4a3c693e2abdceed7f0726a85c99c67116b05e6d00e8761d1b1a9a53ef429a07e4e9f

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
135KB

MD5
c489408d62a567b48ee1ba91a3912666

SHA1
47ab9ccedfac062cc37158bfaec9306df35b7b9e

SHA256
e3a478dd3b517cf8b59e42d1241988896919c1bb901f05e5327bf331c5e6a366

SHA512
25c8ba524c2c2e866c7c743556e2554be75e6739ab98de57b3de164a684cec343085d1f4361e9107bf4be59566bde322fba66c634d0294ca1fffd428cfa3093d

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
135KB

MD5
3ef2e7ed407110e793b70c7da7ee827a

SHA1
782fb8798fa68204fad93406b38d48090fb5b592

SHA256
7d7592d2cc5be19448019a9862c213d14b7c600821bf625bc3b32f5bcacd97af

SHA512
d93a27cb8a40d0ddeb6112dc8763642bd06c06bf3ad52437c589ca4b144a323cf224e5ab062c3454de6e50f8916aaab94f6d25c38478ade5e6cd8c2e3408d7f3

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
135KB

MD5
1ff78c0d98b522656edcfb43712439fc

SHA1
dc925014ffb4edd398f4c2fe0e08bb039d48a50e

SHA256
250605cc727264881068412f2a86ae78d075996d8ff66d0c25a89ecd25105f09

SHA512
9f6fa8234c9591c1a8d33dae99efef5c7470d4d6492a72259744a6ae60f76e3c47e6194fa8dd759a1673e82c98d70909676451d8ff69dedc6577055d003a76c2

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
135KB

MD5
1c38f3bbe217abc5be5d22a00445ed60

SHA1
ba0ca04700d92685ed597749ddcc0e18b79d452e

SHA256
f76271bf492c3b37430b0ddcef99016d8fb38847afc958900456a889d2bf2f51

SHA512
eb93ed06ddb5b02a8e2f97d8726b8898666a82a4e5b3a8d68f14e3fec06062e9c6a0bf12cec97ffca451f9c7d9dc98707b5a1f482b6fad9e7e36313001113f55

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
135KB

MD5
44d26e46579322fe86d541dcf28d36fb

SHA1
52b51cb9f1935955a2f842b9452fb49807012d78

SHA256
226265342121d2a40e3bbdf10400f92fcd3773363134ac2f3923d050264bd659

SHA512
bd665753c44a66aa35c82c207fe59003fccac1e30a2f1c85f71c2d80b705d74df30cb766f71f9615115ddbc0d29af2f7264f063b772d48991e3c3c13d378b6f6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
135KB

MD5
f662632f4510f4d5afd27a5bc7b83fcf

SHA1
f6e15f1a9b19d33045d4714b9043653d9ba18085

SHA256
ad98817759cc6b616f7ffffdc604b3d956e1ac4ec4350432ffef4b89e32d83ee

SHA512
1128474e9713049a588add3da40078cbb1e500ccdf5ce4402e136302edb429aaf6d8d5a9b128980db05da22a813b7dc2df642fdc578dee1b1cbba574937491b5

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
135KB

MD5
d926c094d2da87cafaa84a9abd77ceea

SHA1
39ed0d2750928b7d6abb7f4313806d09ca129e91

SHA256
2e656c588b910a3fec4867bd7446e9583a34872a9838b18024f72bfd3dee2e14

SHA512
0c0d877e68690fc19be981fd2336e0ed9c7f93d8827b020ffd794b54dfa573f4810c4620c3a7047d36a651dbffdb65b490f000d53690653c48999500dd76d995

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
135KB

MD5
fd2ff01090a0199d9ca2d46478731b76

SHA1
49845c0d761964d80a47502ea1ef06541f0f59ed

SHA256
0f5241e19ccbba1aab3d78d57e4f87bda8195922b06bfa474dcf793099faebe0

SHA512
a4acddba462bb9ce072a16372c47615f56efbe83543cf7e77893b8528b3671dd9f738081c8114f5c88c05597958ad3edf0f44266b8569fdc9d920be8af48c07f

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
135KB

MD5
8272d2471e93639bd84149b2ada3e942

SHA1
44a71cdf7b7f08f44bc861ca3d0543205a9271b6

SHA256
abd719bd65c218b50d3057d5a700c690386edc40630e9127dad805f520dc731c

SHA512
ef5654894162f9cd5b317549a4d1dd49bd8c5f53f45f3a6ef47104ca4f23e2e58aada157dc48c90f03916d2c609764cdb28a4cf2135ae069d62836cfcb030b02

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
135KB

MD5
b9af2843d5384af3d9fb6b07b9b8493b

SHA1
de3e887129c9d65577970e10b25ce30d534033b0

SHA256
ecd78cdd916397db7b921488009c7a17718475fd05d816f4823895a52bbd826a

SHA512
ddca9c6bbeee0a2fba9ea6127942cae6eb050e5b75ae6ee0fc9c9ecac53aa219a8315c2d591a2b821b56feb9c7779f7bdc48fa7c9019e27d1dc4c50287615ae2

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
135KB

MD5
4d51bf245c80818fe239e48d3667c56f

SHA1
70360449526e631960c17fc3b49de66056b2fdb1

SHA256
412ca56fed59be16aff49eb18fa0d50da87528cb382725b64e6b604934272a18

SHA512
5eeeeb8821e3ab569ac7cbc51d99663bff02783057dd33fe58ae4a4fde767a6de7c689a1acea351ae09c79f643868442a5de522c587e5ef5fec5bc4d64e0ff05

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
135KB

MD5
cb0bc9b88815ac9afa0335f25c9f3b76

SHA1
8b98a6ac79fe91eb262cce2597dcb1c71b178bdb

SHA256
863760f85bc2278170a8cf89eead545e05232cb70b0a49b53f504fed51f7a72f

SHA512
9c9db8b6e365a4fe92650e3322488334362217c1fb1634385dd06335088d3272a4337603e7fd20a876bb7d690a6dd9e492bb5be582a8715136c5b6e89f1972f3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
135KB

MD5
e21efe84e68f4611d1b0bb4b44290604

SHA1
94066c93795ae4e1c9a6aedc6a1d0ba57d975aa3

SHA256
926a1ff0524fdb4b4b6920601ce1c2b8891f5923a0a818978417376098da1111

SHA512
0b4b56141983d47b2ae07af8b29800188dbbb3e2015f58dfcb2ef5ab4e2bf1bef24c39764cd691eee15402f8c699b787313e56d20072724a080f77fc7b0066eb

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
135KB

MD5
1893c2ce577a24a3c4d64617b947e172

SHA1
9b74c564562ba97485f567ece0aa18607dc2dcbc

SHA256
d9f674af5421cfb5c58cac80b7ec9857e2ba1f361e9f66c486dab0a1389f5cf5

SHA512
0a5c9696edf50a6042e5c8e8872bd99c2bda5de0e9534fa2a0e51f13e9569fa89250ec25e93452d18d1e8c2fccb5ae10d519780b5001edeb85f800d987d00bcb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
135KB

MD5
0259e81abb986fb36642954d5b085f42

SHA1
8e92d891b0ee363fee3d5bb15caaef143c263d48

SHA256
b8d7eca1eea0d81ed5a76a9774bdf935724db5de23d5ec9176baa517a1797450

SHA512
d3a7243dc6cc73f4c2ad46aabe57a5aca2df35ac11cc9622c469959a0b37b080db5797e9d3fbef2ae15565cf78f49414288250d3fabf63cb0de1c8e2740f5365

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
135KB

MD5
edeb2ce752ca5b51f1f396cf80f4b1c1

SHA1
8dea92f2c7455802936ef6fefa3146002fae0294

SHA256
878128674d97724b38061496563c029581159388958b054ca645f15cc1373af0

SHA512
ddfe82d842942c7f6cb740109a3c89b564f4037d08dbfae7614242f2176bc25a66be68ba846660e4d34bc9e95753e414d8829bbd2b91f6bc342740ac7ec5abc2

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
135KB

MD5
371d2a0cf52237e44c38ae04e58d12b7

SHA1
16a4f22c2d7962ba8e448e8b2117f2b0e431b1de

SHA256
9315cc37e9d8c2fe4b1ce805249f617ab576170bd20fa1da03e8c37480741df8

SHA512
d9168ac4281aa02ba7bbcc66c93ca25745d3ab5e2160957427b6ef6640456bfca70b3252b5aa5cca2aae4dc406426f0888c3d95e02ce0db9577054e1d02608ec

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
135KB

MD5
a13b72e002582a9f5cd1796467092eaa

SHA1
18297de532df2bd8888762b09d538d63da7fb346

SHA256
59a70d7955cc7a5c6a9e1e4055cf13e9abd6be2960278b28f42cb051fe4bdeb2

SHA512
d3cc006565c37b1b36d9cd7af70f7fff9999bbcdeb34eb99af76c8e96f105bf91e77e577782abc5b1d17fecb23ba3302312b9f1bfdf5630d9ecdce1d8c8c254d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
135KB

MD5
2901e605047bd76da537244ffa834e13

SHA1
ae9be0d5aee66b916805391bbe7dc2b941725e0b

SHA256
2cffa1ecdc9550b96823c77110ba4c2ec64a93ad4badafbf8ac2934a295def4c

SHA512
6c7f943704aab43b68af1e3f2bded84e13b793b5b337bf6b8db3f95213b8cbb5798755f34baf36e3d3f1dab903847c1b728bed9898b979dc185031f7bcf40b7b

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
135KB

MD5
d84c44b1ac1fd06a51f825dbbf1d17e2

SHA1
b156a3d9fa69ea037d68e6e359031de99506d2cc

SHA256
7df39146664d093afd6db3c01e0cdd7430f37f06226ae2526d353380c1bb796e

SHA512
a8206e7fc8d82407f3ecbca2daffde091429c80c0398c23e9b7d3d898ab841d7c5849e46143e346358dece5376fd13eac2dac45b6b7042006d954768b6ac9da4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
135KB

MD5
e378aca00a84751787790a4e28dfe565

SHA1
93c8fbe26ef3d6c62677d27ac113c0adeab34245

SHA256
79e21e19e3eb601b536723b56c493125405e96ace5ab2d0842ecd395bd360842

SHA512
a72a902be43447611ad993899d2545f71f053af19a59007d5bb1adf11c8bf11c0b8b09b1df2e60a3d56f6b770a884702ccbf2522278d4b2af43262d9ee0a4552

Download Submit
memory/380-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1188-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3712-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4108-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4108-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4800-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4800-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5056-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads