50d749bf03bfc0fe77ea32c5acd1e7527bb8265dde94a4f10d40486ea06940df

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c6940f9ca498d56f99e29de7223e6e.exe
Size

295KB
MD5

06c6940f9ca498d56f99e29de7223e6e
SHA1

550af0f494cdc6f999f41750e6650c9417d3c86e
SHA256

50d749bf03bfc0fe77ea32c5acd1e7527bb8265dde94a4f10d40486ea06940df
SHA512

fa9749800a303e8650310b26aefd55921915e7e0ca60cefcce992e589c7e4c0e3d4f2a0fd292101514dcc5495f0fae34d8a20196bb942879bebaf41f847bda6c
SSDEEP

6144:lEktPK16CbArLAZ26RQ8sY6CbArLAY/9bPk6Cbv:lEktsg426RQagrkj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	06c6940f9ca498d56f99e29de7223e6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe

Executes dropped EXE 64 IoCs

pid	Process
2024	Kpepcedo.exe
3424	Kgphpo32.exe
1992	Kkkdan32.exe
3020	Kmjqmi32.exe
5044	Kaemnhla.exe
3380	Kdcijcke.exe
3924	Kbfiep32.exe
1940	Kgbefoji.exe
348	Kipabjil.exe
1528	Kmlnbi32.exe
1332	Kpjjod32.exe
1128	Kcifkp32.exe
3060	Kkpnlm32.exe
5116	Kmnjhioc.exe
1792	Kpmfddnf.exe
1228	Kckbqpnj.exe
468	Kkbkamnl.exe
2376	Liekmj32.exe
1028	Lalcng32.exe
3800	Lcmofolg.exe
752	Lkdggmlj.exe
3244	Lmccchkn.exe
1476	Lpappc32.exe
3260	Lkgdml32.exe
2088	Lnepih32.exe
2904	Lpcmec32.exe
2960	Lgneampk.exe
2932	Lilanioo.exe
4464	Laciofpa.exe
2452	Ldaeka32.exe
3528	Lklnhlfb.exe
216	Ljnnch32.exe
3032	Laefdf32.exe
2248	Lddbqa32.exe
2796	Lgbnmm32.exe
2780	Mjqjih32.exe
3040	Mahbje32.exe
4924	Mdfofakp.exe
2720	Mciobn32.exe
4824	Mkpgck32.exe
3252	Mjcgohig.exe
456	Mnocof32.exe
1764	Mpmokb32.exe
1344	Mdiklqhm.exe
1584	Mgghhlhq.exe
1268	Mjeddggd.exe
2228	Mamleegg.exe
4932	Mpolqa32.exe
5052	Mcnhmm32.exe
4488	Mkepnjng.exe
5036	Mncmjfmk.exe
528	Mpaifalo.exe
1580	Mcpebmkb.exe
1632	Mkgmcjld.exe
3840	Mjjmog32.exe
5128	Maaepd32.exe
5172	Mdpalp32.exe
5216	Mgnnhk32.exe
5256	Njljefql.exe
5292	Nnhfee32.exe
5332	Nqfbaq32.exe
5376	Nceonl32.exe
5420	Njogjfoj.exe
5460	Nafokcol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	06c6940f9ca498d56f99e29de7223e6e.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5968	5876	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06c6940f9ca498d56f99e29de7223e6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2024	1544	06c6940f9ca498d56f99e29de7223e6e.exe	167
PID 1544 wrote to memory of 2024	1544	06c6940f9ca498d56f99e29de7223e6e.exe	167
PID 1544 wrote to memory of 2024	1544	06c6940f9ca498d56f99e29de7223e6e.exe	167
PID 2024 wrote to memory of 3424	2024	Kpepcedo.exe	166
PID 2024 wrote to memory of 3424	2024	Kpepcedo.exe	166
PID 2024 wrote to memory of 3424	2024	Kpepcedo.exe	166
PID 3424 wrote to memory of 1992	3424	Kgphpo32.exe	165
PID 3424 wrote to memory of 1992	3424	Kgphpo32.exe	165
PID 3424 wrote to memory of 1992	3424	Kgphpo32.exe	165
PID 1992 wrote to memory of 3020	1992	Kkkdan32.exe	164
PID 1992 wrote to memory of 3020	1992	Kkkdan32.exe	164
PID 1992 wrote to memory of 3020	1992	Kkkdan32.exe	164
PID 3020 wrote to memory of 5044	3020	Kmjqmi32.exe	88
PID 3020 wrote to memory of 5044	3020	Kmjqmi32.exe	88
PID 3020 wrote to memory of 5044	3020	Kmjqmi32.exe	88
PID 5044 wrote to memory of 3380	5044	Kaemnhla.exe	163
PID 5044 wrote to memory of 3380	5044	Kaemnhla.exe	163
PID 5044 wrote to memory of 3380	5044	Kaemnhla.exe	163
PID 3380 wrote to memory of 3924	3380	Kdcijcke.exe	162
PID 3380 wrote to memory of 3924	3380	Kdcijcke.exe	162
PID 3380 wrote to memory of 3924	3380	Kdcijcke.exe	162
PID 3924 wrote to memory of 1940	3924	Kbfiep32.exe	161
PID 3924 wrote to memory of 1940	3924	Kbfiep32.exe	161
PID 3924 wrote to memory of 1940	3924	Kbfiep32.exe	161
PID 1940 wrote to memory of 348	1940	Kgbefoji.exe	160
PID 1940 wrote to memory of 348	1940	Kgbefoji.exe	160
PID 1940 wrote to memory of 348	1940	Kgbefoji.exe	160
PID 348 wrote to memory of 1528	348	Kipabjil.exe	159
PID 348 wrote to memory of 1528	348	Kipabjil.exe	159
PID 348 wrote to memory of 1528	348	Kipabjil.exe	159
PID 1528 wrote to memory of 1332	1528	Kmlnbi32.exe	89
PID 1528 wrote to memory of 1332	1528	Kmlnbi32.exe	89
PID 1528 wrote to memory of 1332	1528	Kmlnbi32.exe	89
PID 1332 wrote to memory of 1128	1332	Kpjjod32.exe	157
PID 1332 wrote to memory of 1128	1332	Kpjjod32.exe	157
PID 1332 wrote to memory of 1128	1332	Kpjjod32.exe	157
PID 1128 wrote to memory of 3060	1128	Kcifkp32.exe	156
PID 1128 wrote to memory of 3060	1128	Kcifkp32.exe	156
PID 1128 wrote to memory of 3060	1128	Kcifkp32.exe	156
PID 3060 wrote to memory of 5116	3060	Kkpnlm32.exe	155
PID 3060 wrote to memory of 5116	3060	Kkpnlm32.exe	155
PID 3060 wrote to memory of 5116	3060	Kkpnlm32.exe	155
PID 5116 wrote to memory of 1792	5116	Kmnjhioc.exe	90
PID 5116 wrote to memory of 1792	5116	Kmnjhioc.exe	90
PID 5116 wrote to memory of 1792	5116	Kmnjhioc.exe	90
PID 1792 wrote to memory of 1228	1792	Kpmfddnf.exe	154
PID 1792 wrote to memory of 1228	1792	Kpmfddnf.exe	154
PID 1792 wrote to memory of 1228	1792	Kpmfddnf.exe	154
PID 1228 wrote to memory of 468	1228	Kckbqpnj.exe	153
PID 1228 wrote to memory of 468	1228	Kckbqpnj.exe	153
PID 1228 wrote to memory of 468	1228	Kckbqpnj.exe	153
PID 468 wrote to memory of 2376	468	Kkbkamnl.exe	152
PID 468 wrote to memory of 2376	468	Kkbkamnl.exe	152
PID 468 wrote to memory of 2376	468	Kkbkamnl.exe	152
PID 2376 wrote to memory of 1028	2376	Liekmj32.exe	91
PID 2376 wrote to memory of 1028	2376	Liekmj32.exe	91
PID 2376 wrote to memory of 1028	2376	Liekmj32.exe	91
PID 1028 wrote to memory of 3800	1028	Lalcng32.exe	151
PID 1028 wrote to memory of 3800	1028	Lalcng32.exe	151
PID 1028 wrote to memory of 3800	1028	Lalcng32.exe	151
PID 3800 wrote to memory of 752	3800	Lcmofolg.exe	150
PID 3800 wrote to memory of 752	3800	Lcmofolg.exe	150
PID 3800 wrote to memory of 752	3800	Lcmofolg.exe	150
PID 752 wrote to memory of 3244	752	Lkdggmlj.exe	149

C:\Users\Admin\AppData\Local\Temp\06c6940f9ca498d56f99e29de7223e6e.exe
"C:\Users\Admin\AppData\Local\Temp\06c6940f9ca498d56f99e29de7223e6e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\Kpepcedo.exe
  C:\Windows\system32\Kpepcedo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2024

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\Kdcijcke.exe
  C:\Windows\system32\Kdcijcke.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3380

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1128

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\Kckbqpnj.exe
  C:\Windows\system32\Kckbqpnj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1228

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3260
- C:\Windows\SysWOW64\Lnepih32.exe
  C:\Windows\system32\Lnepih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2088

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3040
- - C:\Windows\SysWOW64\Mdfofakp.exe
    C:\Windows\system32\Mdfofakp.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4924

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456
- C:\Windows\SysWOW64\Mpmokb32.exe
  C:\Windows\system32\Mpmokb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1764

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1344
- C:\Windows\SysWOW64\Mgghhlhq.exe
  C:\Windows\system32\Mgghhlhq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:1584

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5052
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4488

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:528
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1580

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5172
- C:\Windows\SysWOW64\Mgnnhk32.exe
  C:\Windows\system32\Mgnnhk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:5216
- - C:\Windows\SysWOW64\Njljefql.exe
    C:\Windows\system32\Njljefql.exe
    3⤵
    - Executes dropped EXE
    PID:5256

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5376
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:5420

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5460
- C:\Windows\SysWOW64\Nddkgonp.exe
  C:\Windows\system32\Nddkgonp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5496

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Modifies registry class
PID:5544
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5584
- - C:\Windows\SysWOW64\Nqklmpdd.exe
    C:\Windows\system32\Nqklmpdd.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:5624
  - - C:\Windows\SysWOW64\Ncihikcg.exe
      C:\Windows\system32\Ncihikcg.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:5664
    - - C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Modifies registry class
PID:5744
- C:\Windows\SysWOW64\Nqmhbpba.exe
  C:\Windows\system32\Nqmhbpba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5792

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5836
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 404
    3⤵
    - Program crash
    PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5876 -ip 5876
1⤵
PID:5936

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5332

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5292

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5128

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3840

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5036

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2228

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1268

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3252

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4824

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2796

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2248

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3032

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3528

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2452

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4464

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2960

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2904

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3244

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
295KB

MD5
c0d2bdf15f8f5e0ab45a09ca541e304f

SHA1
8c06db3b47397bb6cceb85cd26d385ac9eb1eda3

SHA256
5ea41e910ae98dae801c3d7f90447c32cac6eee8b9068ddd0d08d41de64760db

SHA512
e6c95dba5eaa0341b561d9c49bbbdecd53e924e6593d9bf67a7fb064eeb8b516ffb9f7caa485fdfd7c21cc86ffab6cb88a11287bc50cd1a658a338e06c789397

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
295KB

MD5
ae58ca68b43e220144c6675e8df9cbc2

SHA1
ac3aab5d2369c9f3dbdf690038f300e2a6ccfd91

SHA256
b08ec90019e0a6e2835973ac31fdade268c513db05bbc97fb60293334161ebd2

SHA512
e1d9430813313772f8d21a313f9233e5dbe4ac354c69a53581b54e340d09a01eba719dae1078ec0c9789437870417e6f1f07d839460ac47e2f20ddf925240f3a

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
295KB

MD5
af0eb104da383eef996ca52889babdd9

SHA1
38f4bfd0547acb4564fa3e28d25833995580abce

SHA256
228dd751dcdb721886d32785e6f2e82f7953b0beb534796885c10f0b0d54ae38

SHA512
886681a70944d972906ca1bfa4e23c7e34e3d6f33ce2b5bab61c1477831bcff5bdb1408a2368e90a1b838a2834702a9e1bf2efa26509078b507384bd83349141

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
295KB

MD5
8e4e073b7445b28d5c2976ffc0065806

SHA1
d14bb9b08e3975d64ac6ee7669b78cc8a1968c4b

SHA256
7649f7ce649a4ec132cd4f96281093f3e4a9d6f490958721574f6e07f508ae8f

SHA512
af5490e9a0c0f22e9ef618e5e2e270b7b06535961e8eeee096d21c555d0028f4c573349f1636c35e615748ba506d02a4bfef5924ce35d6fb2d0aef8e7784fa0a

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
295KB

MD5
70d53d7d6322df9bf27896bd0477816c

SHA1
9a06201529656271391e308117e763f031b06a05

SHA256
8094b94ff57e4b994fc44a3396e2e73c9364869f983da7ccc3c1dd11be3563cf

SHA512
10a593e1394341c16dbe192b79260e34deb14541fb4ab3541f90d00e95117c9d695b54cb9ca6ccf94782f1e385937c218d6a58235cf68a6f1a2001a6cad0764a

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
295KB

MD5
3e1ad53672a49e8b6b8e03343b91340a

SHA1
2cbf8d2c130997f399b7e95eabc55ec33895262b

SHA256
3ed72d2e566f0916d509bf8cdc5ae7b981dcabedbe4f266f52a4b8b1f9381bb2

SHA512
4434a5a2a6c1c1363c756a8fb25968d6958b460a7449acb5266f0cdbf0211dd22be74b492db659fb3ccedf03691f8e33f6d1072033bac74ebddba0b3508e9e86

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
295KB

MD5
b2383cd52e6d4594e35336aa769ec291

SHA1
cd3b9af7ea185fa10b5e8f35be95f0e8ec070c36

SHA256
38af0dbd8d84a81269120713e1d2747e1ecff06ae71e14e84700d8ee2d8b2c7c

SHA512
c6a9a0af105325da7c46583f88d868ceead2965f35a2e25c30049448540276a49c40c8eb242e658e8fb78b279cf4dc55aea7f3d44669d3d4622bc1df68a51203

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
295KB

MD5
ac8b8164982f23ff8eb6ce6ae1047821

SHA1
b0ee0c27a28527d3afca0ff3f667e61470bfc488

SHA256
04af5e9353eec86a054a48347c89a4f4ab69d2ba1560dc7c2a9077c390508e9a

SHA512
324d2748a6d018fc51203c7786dd34e6f6a06f230a89f58efc650ed0e65ad1d422a59555438f52afc8f533e19221518a83b76c9b7b482587e431b1786c286e4f

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
295KB

MD5
55c56fe9a337e15af6f0a5603503b54a

SHA1
adb4a4d0e79fee5ef2e44e55896d5199d4f2cb65

SHA256
796af22074ece403c6f25bee237baaee81a6c54856b08b83ccb002bb154ed797

SHA512
522f72bcf5e2fae4f1452697a648563d9cc813facd351788d4cfb101aa5084113d422121f5ef5c7ab31e56baf099501e3f6610fdd599a328e704a97aae0a4da2

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
295KB

MD5
90b3c53c2a757598682ec5d21d50b71f

SHA1
b2ebe9ba7618e6e9cf107bff91cbb89da62c0c1f

SHA256
c1a87f0faea94189352c4de7807eb897cd4f89385f3828049cd97308cdc50817

SHA512
b5e5874fb855140c9ecb024f1570099d6640b5a0b4034d014b7aba27b2a34ce272f07c68dda47430287531559f8a7e8f98c88d2f4838cec8d59863c185f15b97

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
295KB

MD5
1ab31057be90ce67d63ec50af4bbc966

SHA1
1138a9dbe1e8ae20babcada6cbbf7c2c63348c3f

SHA256
d2e10c7bedbd41c6326e7d508763043b388d89a40b971cd50590451103a068fb

SHA512
677dfc666f5a2e6b6a0669b476635e15845994f26fb7a8cc5174a26f8d2809491dbb8760874d30f7e6269d507125244e026a95511b1ff4191691ad9b3fe998d4

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
295KB

MD5
18f9e853e7a6b86a3fe21708c83c77ac

SHA1
8e921b093d9f435cc79c2c35d327225bfd9625c6

SHA256
60c8e5976bd8cf2ce991681e9650be86cb4c11ea67ecb12f8e078373c1a91c12

SHA512
b5671583f431370d556ced3d66181e835dc6c9425d4fe8fd8c19c0d53dce646d64b72edc1703d53bdf8f6a784f63c3a6786a48db2c68138fd595ab884e4aebd7

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
295KB

MD5
6914dc316bb93ac6f846409dc0c75cd7

SHA1
3f0f979a2964d9362d2b232dbbb9f3f4593005c1

SHA256
53584c79639b60571f5b4e32a53f37d5dd4a2b325eef7331cf9f9e5ca6c91125

SHA512
588402449cdc478abe888d97716d710aa080fb4888b80eb984895172d5dc4a1ddff1b8e7a43c61e901fcb6c2125a1441708dbf747412a208edf8751bcd31ec90

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
295KB

MD5
9df5c8ad956913ab795b861d7eb24162

SHA1
f1bf16520d9516d9f2bf485ce38d9aee383a8004

SHA256
9f020f6248b8ccfb75d348a8f2811971731357defcb9a9bccef934f801b7f4e1

SHA512
c6e1f848ee2a60b1262d58124bcefb7e45e7b48e2c32c1a292f00f2f070d75633d731cce24321e243d170591c2be27a9c745b74a7cb9c2a3501f5ad1b26b296e

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
295KB

MD5
485071f8c44e04f3e36f7cfa3ef32ed5

SHA1
b9be0f32a089e9015c85382ec72f2c896034ed47

SHA256
12cdc23dc86aa3f210a0188453c2b90246021509d5c5919bfa7d71febe3d6495

SHA512
f8a93244f96d177d3fb693c45ea00545960ea40254f93f05bc856f9a0fa24bcdb77f0b3312e09eeca0ad5331eb154b3552720ff0bc234030b5ce865106629018

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
295KB

MD5
e6cadc11350cde326abe6762112bc429

SHA1
4c557202df6a7c545227d77af3d362298e0081ba

SHA256
e4be90c9a1efa3626570c2fb930f11d0d0bda615e92de66152eaf32e577d3a66

SHA512
4d13f44b25cad373e4749321217e4d92b68d707c3d54716f88a7eb24226e7af0cee27d5fbe87e4cde5aa48fafe15e565152fb4cadc840150ffc977f3db28634d

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
295KB

MD5
fe1c1361c413550e37ba98839858545c

SHA1
80e9ad5681d161d4346c6f73d14353976779ed62

SHA256
414dddf0f767c19df94adb6e8728e97342a74aecb263e028e878daf37bb349d1

SHA512
3331fa81142aba343b145b3bef2c2042205696d08fcb066b32da12ce165d13515d90f0c156afd558d39ef27c1e8c8b0c244df38844d82217f0bb7dea56653607

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
295KB

MD5
74cbdae91667504a813bd5141c5bf7f9

SHA1
172668268cd1cdb6f775ca4ea1311b96943d406b

SHA256
8cc918b187d6c9de1e2520987234f885857cf26bcf073160d99d9a482b1ecb5d

SHA512
ddbe6bb30f3691bdcdda23a1500ca6f7939affc3ff345d12e8a9a78c172fb2ed7a2c6bb90cab3204b656f68a29b344a2f2d794e572b67ed80097609f2a234dd5

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
295KB

MD5
3e35a38d71678fe30f56e76272fec43d

SHA1
1436757e6b0afd473a2728847eac49329833d9d6

SHA256
4c859256ded9547277099f0b84d8597aabdf4f277495e604be843da48351c341

SHA512
08ec6d06428e97f9e60a409d7683eadb9db6ae56c64483cdb691b14cab8ced917f801b74475fd4ebc733664a3dd2c10f67fa6a85b8385a26a8219b51539ba72f

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
295KB

MD5
0357c33c7a36bfe45dbe9e33a86d69e6

SHA1
7f68cb3b5666ef1327de18470cf1c671e3da94f0

SHA256
cc3b7ef6dbff4da462db1a080780b98f2a3047f17a9699924d54da9d5138157c

SHA512
c679061b365c5bc7b113907896d7a62f78a2a4271d1ab3c0fe2c2baf076ac781deb0c437214731d3861470a4739903f90f8d5849fe8cce4086fae74549d7ed19

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
295KB

MD5
1e26a398d5b2a4ec861936f47118bc13

SHA1
317edb926b7281cce4fe189f1cd009d6ff2d41d4

SHA256
111b91b6a378fb8cc39669fc496da0191108f2b71442a261b12dab812e2764bb

SHA512
9ab17be7bb4c81e658411e86fa3948faca1d74a355a2594dc67677332fc62e5293fc02dd5732e00524d70b96ef66ba6f7e385a941b0f8c8e39228001d4946b1f

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
295KB

MD5
1a4ccd7d77b001c931bcf126799d3103

SHA1
9266a4e3ee7275cb3f5908ec76878aa7af1b164b

SHA256
5c92a752d37cecf747be3d7726e7d6f1e8d269d11b172cad74f927b4d3121d8d

SHA512
7ce89fe7a094a842117d18c6a487cada1e5703031d2ec0a09eca149e2c907be7b86a47aac15763782b704f0d7d9f90888675d02f199026ead86c1157a43e6110

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
295KB

MD5
11794f045048b38d1505ed26e996ed26

SHA1
e2290215f4c9937aa3281bcdb6d70367d6ca1174

SHA256
b9abb678dda6dcea4b20ead855c77d0f4c2610358c52c682dd3879a27d83a35e

SHA512
30c234f20bc9cdd5b42a4bb773b2daeada5ecbd364932e53f33d296ed428d0ebccee40d3e52df82331a54f85ce5e3114cbdebdab1ce0e4b541ecb6e5bc721716

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
295KB

MD5
29e987b44bd8433be70ee80a8276844d

SHA1
9a1597e233ee0370052d8800154038a1eafbe9fb

SHA256
fdb7bbd708ab6364dce9a24fe823c78b69bb5bb9848884ea901adbea51f5c1d1

SHA512
452f8c1c3409e220f418a22b30667325a5b30b01238dab380b0ec8d1a5e3e42ef6cb93fb9a0e9b1b261053c4c61a434b30584df4a1aa61808ca5ea3ad87a4391

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
295KB

MD5
5c8589e599808d358025dca424b65100

SHA1
36e890cd9b2473afb26548ea9b6bacf3e8b1fb97

SHA256
a9d2576008b4e4334a1743f406b3cfc6ca70f16a967368c7a6e88d8b752c91e7

SHA512
f1c1369b66db4f1c1eb9256c4ef80167b843c52844ef2cbacecb17db6029e9df62a74ddd542a4b2782b1c8573aa819885fd6bd8da84a2fb4d91e74b6c348e866

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
295KB

MD5
586205cc360bdde646a90b2f1ba1123a

SHA1
e5cc62fc5eb9302bbf27abef8302a546037acce6

SHA256
67e5d8eec2857f99f8d47c4da2aa9defa7e3aeb0ac29a0f0ad957a44f846c12d

SHA512
7723eb4c8f9f565610d34cfa4a27c50ec37401c1472c8912da43e5d115d979324763ef5b400e5f67ee7342a5f8a445a00a0b7020c50c63f2ed94b00e65f526eb

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
295KB

MD5
5d4d13d852a9462b8bd0cf4c4c66f74e

SHA1
140370726b0209737d85fd652517f5542cca98a4

SHA256
93f47e0ca7790cf16576d0567320840c9d21bdaa63c2d5279e7ca1d3cff32fe9

SHA512
9d94ec8bb1d2e6e0bc5444d24167733db92ecb68cfc6fc989c58b2c960823e52d9e4f1f4eb6e0db41b123df52685dcdcc16bd0a238cd52ed3fc9ed35113108fc

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
295KB

MD5
ab432864b797d38c655d0d6577e1e4fc

SHA1
0d89ecbb5de269e3c5da7f8262ba14be51c3bc93

SHA256
42c8510e3d3a6bd161e21847110bce8c07c7614ca470c8ddf42220770b1dc41d

SHA512
cd877b4789fb1c4d257c4b2ae21818768a7f0b5e5c380667c8bd924a7d648480b883d0ea79fa5f466108ab60a2f407f092e75b23365b46c286560ff3b75d4a84

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
295KB

MD5
490bb65fcd6d26602f6f5c3821aa02f7

SHA1
c47d346bf2bf8e3749249c7caba0ea446c5e4cf6

SHA256
f630ac656a5130abe5bf33c0037f5a6fc2834b49caba23817b353ed4dc0ec423

SHA512
1461c989b856f21d1687be773295a8c8ccba355c430ba36f2fda1fbdb8af9248e38f5908c95f74841196a8665a5d2a25659fb91e3901a988f37bef453fb84aa3

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
295KB

MD5
a21efbeb889618a1bb8b50852761371d

SHA1
ba8f806d7435dfcd9950694a2574427e0d6149c8

SHA256
0818bbbb077b4bc4333477b8bb368f00a936f14a68aee26e9a8b0a2548d54310

SHA512
0e030a2f8ea9c8c50230bdd02e6efeaec7ac92635c8bd0f0b4786801a5e5d3bc50a65b33e91d4fc7b7451e1856816b7b023b6baa0f9f07070898f326a1903dfd

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
295KB

MD5
514f0fab432c9d6754b407aea2e1654d

SHA1
cc3185ade7f6b3a0d54fa954526381729f05837f

SHA256
2892ebd154dbdc1f6bfd500d7330860c03b41b15e629d29fde065aef3ee1926a

SHA512
814031acf008a68a68d45d862168c4873f9fad0cbbd41c1143ae4653dc7ea44470686cf2f979c25d762cd78972af89e526c3daf62d8badccf94d917875fcc91a

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
295KB

MD5
97c2ccb15ba6fa693a00b78d3e0ee50e

SHA1
8a1c838e7c3328a823ef3dce4340ef765b842200

SHA256
34b52b514021cf93e333d47aa41fa8263d643d4c65a92e664c2a0764c1e78c24

SHA512
791ee52ae6d60cb42ff29a26f2b9d8a0471bd7373ad246bd5b8a941c3ebf6687ebcb5863994b7848ae78a521ec9bea07a83f975c7897bf464615a25dc7059a00

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
295KB

MD5
a12f64ef0d629373e7667b51ea80a2a5

SHA1
d4543039ce2e3c2c5aae9d716c47d99078533475

SHA256
4ffb694089e31a60e7a7fee93accb86dbe7efd31be5f68ce4b93b16b6afef722

SHA512
8832da820b9c8fb3fb0aa23071f699450a98cebb8128cf50f1cc1f900f875f2cfebd514dc6e3a06807be5f40b58e0ff7a74f1708d4e58a5c41bb609f3c7cdc84

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
295KB

MD5
3d74fd43129a3329c2ce2df18a130716

SHA1
f329b8d501965107eacec3027606c8988c97eab4

SHA256
260055a558adf3ad6c87d3c16458d67c388afc7180afc57d9c8580e6d7ae6c00

SHA512
95c19520280da94bea3e273fb16d57aedf9c3e12146fbef4fbfffc945aee98783b4176bc732b0feb73b43cf2cdf7c1ddef7852baad0a5258d508fa1bf6108388

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
295KB

MD5
cb4305a76fef6c18b019611a4fc9d330

SHA1
42670706ae500012c21ecf739a5e68e273a25603

SHA256
a1c54ab9e2f0dfcb7235f85cf0f5af93342815b133a1201005a567be5f9c010f

SHA512
3f9fd0e6a07224726f19ac763c54ae63f65d1561f1dc7266b501f9331dd3726b7825e079d00f1d35352a957d87e03b12394adb2501f4e033e1b492acfd429943

Download Submit
memory/216-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5292-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5332-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5332-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5376-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5584-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5664-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5836-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads