bfc1a8d2bda05bbab36b3a68c8d1c7c8e8b5b3a6016c8b6d82346acd5b34926d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f6a4c8638cd1f64d5c54a9d08152e0.exe
Size

224KB
MD5

16f6a4c8638cd1f64d5c54a9d08152e0
SHA1

8e72d5f84de27882ea626f498a85658bcffbcf39
SHA256

bfc1a8d2bda05bbab36b3a68c8d1c7c8e8b5b3a6016c8b6d82346acd5b34926d
SHA512

141976fc3b8975ccf32bff149d7cf396e708bd373fc200a4b0b66096b01c5f078a49731e3b73cedbb82be4b53276933434056d7baa76edb3130c91de3f9248db
SSDEEP

6144:4O2aKjqBFfIWu6BSllf7Qbuv3p30u6BSl:cOBFY6BwUbmP6B

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wmiprvse.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	wmiprvse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe

Executes dropped EXE 64 IoCs

pid	Process
208	Kmegbjgn.exe
2760	Kdopod32.exe
3464	Kgmlkp32.exe
2396	Kacphh32.exe
2720	Kpepcedo.exe
5424	Kgphpo32.exe
4976	Kinemkko.exe
5448	Kaemnhla.exe
5596	Kdcijcke.exe
5068	Kgbefoji.exe
3520	Kknafn32.exe
6140	Kmlnbi32.exe
2656	Kagichjo.exe
2452	Kdffocib.exe
5364	Kgdbkohf.exe
376	Kibnhjgj.exe
3724	Kajfig32.exe
3148	Kdhbec32.exe
4972	Liekmj32.exe
2752	Lalcng32.exe
4884	Ldkojb32.exe
4448	Liggbi32.exe
2172	Laopdgcg.exe
5528	Ldmlpbbj.exe
6100	Lgkhlnbn.exe
4668	Lijdhiaa.exe
1632	Laalifad.exe
1720	Ldohebqh.exe
552	Lgneampk.exe
2008	Lilanioo.exe
4120	Lpfijcfl.exe
4836	Lcdegnep.exe
1468	Lklnhlfb.exe
2800	Lnjjdgee.exe
6056	Lphfpbdi.exe
3588	Lddbqa32.exe
400	Lgbnmm32.exe
1480	Mjqjih32.exe
5852	Mahbje32.exe
4028	Mdfofakp.exe
2860	Mgekbljc.exe
1740	Mjcgohig.exe
5564	Majopeii.exe
1756	Mdiklqhm.exe
920	Mcklgm32.exe
4844	Mkbchk32.exe
992	Mjeddggd.exe
1724	Mamleegg.exe
1608	Mpolqa32.exe
1508	Mjhqjg32.exe
2832	Maohkd32.exe
5540	Mdmegp32.exe
816	Mglack32.exe
3008	Mkgmcjld.exe
4696	Mnfipekh.exe
4176	Maaepd32.exe
872	Mdpalp32.exe
688	Mcbahlip.exe
3172	mousocoreworker.exe
4344	Njljefql.exe
1200	Nnhfee32.exe
3132	Nqfbaq32.exe
4580	Ndbnboqb.exe
4228	Nceonl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	wmiprvse.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	wmiprvse.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	wmiprvse.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1380	5604	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	16f6a4c8638cd1f64d5c54a9d08152e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	wmiprvse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 208	3532	16f6a4c8638cd1f64d5c54a9d08152e0.exe	89
PID 3532 wrote to memory of 208	3532	16f6a4c8638cd1f64d5c54a9d08152e0.exe	89
PID 3532 wrote to memory of 208	3532	16f6a4c8638cd1f64d5c54a9d08152e0.exe	89
PID 208 wrote to memory of 2760	208	Kmegbjgn.exe	90
PID 208 wrote to memory of 2760	208	Kmegbjgn.exe	90
PID 208 wrote to memory of 2760	208	Kmegbjgn.exe	90
PID 2760 wrote to memory of 3464	2760	Kdopod32.exe	91
PID 2760 wrote to memory of 3464	2760	Kdopod32.exe	91
PID 2760 wrote to memory of 3464	2760	Kdopod32.exe	91
PID 3464 wrote to memory of 2396	3464	Kgmlkp32.exe	176
PID 3464 wrote to memory of 2396	3464	Kgmlkp32.exe	176
PID 3464 wrote to memory of 2396	3464	Kgmlkp32.exe	176
PID 2396 wrote to memory of 2720	2396	Kacphh32.exe	92
PID 2396 wrote to memory of 2720	2396	Kacphh32.exe	92
PID 2396 wrote to memory of 2720	2396	Kacphh32.exe	92
PID 2720 wrote to memory of 5424	2720	Kpepcedo.exe	175
PID 2720 wrote to memory of 5424	2720	Kpepcedo.exe	175
PID 2720 wrote to memory of 5424	2720	Kpepcedo.exe	175
PID 5424 wrote to memory of 4976	5424	Kgphpo32.exe	174
PID 5424 wrote to memory of 4976	5424	Kgphpo32.exe	174
PID 5424 wrote to memory of 4976	5424	Kgphpo32.exe	174
PID 4976 wrote to memory of 5448	4976	Kinemkko.exe	173
PID 4976 wrote to memory of 5448	4976	Kinemkko.exe	173
PID 4976 wrote to memory of 5448	4976	Kinemkko.exe	173
PID 5448 wrote to memory of 5596	5448	Kaemnhla.exe	172
PID 5448 wrote to memory of 5596	5448	Kaemnhla.exe	172
PID 5448 wrote to memory of 5596	5448	Kaemnhla.exe	172
PID 5596 wrote to memory of 5068	5596	Kdcijcke.exe	171
PID 5596 wrote to memory of 5068	5596	Kdcijcke.exe	171
PID 5596 wrote to memory of 5068	5596	Kdcijcke.exe	171
PID 5068 wrote to memory of 3520	5068	Kgbefoji.exe	170
PID 5068 wrote to memory of 3520	5068	Kgbefoji.exe	170
PID 5068 wrote to memory of 3520	5068	Kgbefoji.exe	170
PID 3520 wrote to memory of 6140	3520	Kknafn32.exe	169
PID 3520 wrote to memory of 6140	3520	Kknafn32.exe	169
PID 3520 wrote to memory of 6140	3520	Kknafn32.exe	169
PID 6140 wrote to memory of 2656	6140	Kmlnbi32.exe	168
PID 6140 wrote to memory of 2656	6140	Kmlnbi32.exe	168
PID 6140 wrote to memory of 2656	6140	Kmlnbi32.exe	168
PID 2656 wrote to memory of 2452	2656	Kagichjo.exe	167
PID 2656 wrote to memory of 2452	2656	Kagichjo.exe	167
PID 2656 wrote to memory of 2452	2656	Kagichjo.exe	167
PID 2452 wrote to memory of 5364	2452	Kdffocib.exe	166
PID 2452 wrote to memory of 5364	2452	Kdffocib.exe	166
PID 2452 wrote to memory of 5364	2452	Kdffocib.exe	166
PID 5364 wrote to memory of 376	5364	Kgdbkohf.exe	165
PID 5364 wrote to memory of 376	5364	Kgdbkohf.exe	165
PID 5364 wrote to memory of 376	5364	Kgdbkohf.exe	165
PID 376 wrote to memory of 3724	376	Kibnhjgj.exe	164
PID 376 wrote to memory of 3724	376	Kibnhjgj.exe	164
PID 376 wrote to memory of 3724	376	Kibnhjgj.exe	164
PID 3724 wrote to memory of 3148	3724	Kajfig32.exe	94
PID 3724 wrote to memory of 3148	3724	Kajfig32.exe	94
PID 3724 wrote to memory of 3148	3724	Kajfig32.exe	94
PID 3148 wrote to memory of 4972	3148	Kdhbec32.exe	160
PID 3148 wrote to memory of 4972	3148	Kdhbec32.exe	160
PID 3148 wrote to memory of 4972	3148	Kdhbec32.exe	160
PID 4972 wrote to memory of 2752	4972	Liekmj32.exe	159
PID 4972 wrote to memory of 2752	4972	Liekmj32.exe	159
PID 4972 wrote to memory of 2752	4972	Liekmj32.exe	159
PID 2752 wrote to memory of 4884	2752	Lalcng32.exe	95
PID 2752 wrote to memory of 4884	2752	Lalcng32.exe	95
PID 2752 wrote to memory of 4884	2752	Lalcng32.exe	95
PID 4884 wrote to memory of 4448	4884	Ldkojb32.exe	157

C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe
"C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\Kmegbjgn.exe
  C:\Windows\system32\Kmegbjgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\Kdopod32.exe
    C:\Windows\system32\Kdopod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Kgmlkp32.exe
      C:\Windows\system32\Kgmlkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Kgphpo32.exe
  C:\Windows\system32\Kgphpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5424

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4972

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4448

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4120
- C:\Windows\SysWOW64\Lcdegnep.exe
  C:\Windows\system32\Lcdegnep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4836

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3588
- C:\Windows\SysWOW64\Lgbnmm32.exe
  C:\Windows\system32\Lgbnmm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:400
- - C:\Windows\SysWOW64\Mjqjih32.exe
    C:\Windows\system32\Mjqjih32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1480

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5852
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4028
- - C:\Windows\SysWOW64\Mgekbljc.exe
    C:\Windows\system32\Mgekbljc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2860

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:920
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:4844

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:992
- C:\Windows\SysWOW64\Mamleegg.exe
  C:\Windows\system32\Mamleegg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1724
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1608
  - - C:\Windows\SysWOW64\Mjhqjg32.exe
      C:\Windows\system32\Mjhqjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:1508

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Executes dropped EXE
PID:3008
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4696

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4176
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:872

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:688
- C:\Windows\SysWOW64\Mgnnhk32.exe
  C:\Windows\system32\Mgnnhk32.exe
  2⤵
  PID:3172

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4344
- C:\Windows\SysWOW64\Nnhfee32.exe
  C:\Windows\system32\Nnhfee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:1200

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Executes dropped EXE
PID:3132
- C:\Windows\SysWOW64\Ndbnboqb.exe
  C:\Windows\system32\Ndbnboqb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4580

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4228
- C:\Windows\SysWOW64\Nklfoi32.exe
  C:\Windows\system32\Nklfoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:2940
- - C:\Windows\SysWOW64\Nnjbke32.exe
    C:\Windows\system32\Nnjbke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:4116
  - - C:\Windows\SysWOW64\Nddkgonp.exe
      C:\Windows\system32\Nddkgonp.exe
      4⤵
      PID:6068

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:4372
- C:\Windows\SysWOW64\Nkncdifl.exe
  C:\Windows\system32\Nkncdifl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:424
- - C:\Windows\SysWOW64\Ncihikcg.exe
    C:\Windows\system32\Ncihikcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:2188

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5700
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:5220

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1500
- C:\Windows\SysWOW64\Ncldnkae.exe
  C:\Windows\system32\Ncldnkae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2492

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 408
  2⤵
  - Program crash
  PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5604 -ip 5604
1⤵
PID:4536

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6068

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1756

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5564

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
- Executes dropped EXE
PID:6056

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1468

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:552

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1720

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:6100

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5528

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2172

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5364

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6140

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5596

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5448

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe

Filesize
224KB

MD5
f30ed8748b165fa2a66fe469ab7e7472

SHA1
8ba6c1e4fec7a40eaf9c7e4ec9f65312454c2e9b

SHA256
f5990aca9298df13d9696a67245e0f395e33c365c740bd99ebfb04900171556e

SHA512
f986a7b9f68b03437f55bad8661582f17d0bb24a08f3c09a69f42385c3605ef2781810f56ac9ff62599a3d761b821fb200ae2d372d0f8aa20cf578ca573d195d

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
224KB

MD5
0d2fc487b2ba8f2960e0c65d7e0301c6

SHA1
856d4687fc9b439f85d6ec128df499eb71936732

SHA256
9b572dcbee25369089ea53e56d6a65b4da1375c0f7d380474d953b81efdb523f

SHA512
1cf5969c06b5f1583503683a5f9fed06b4234ee2d1537d195018c18f0413af5fa881c36460a44e06f13f72b57851803be95388ff15defb0c75f5169f92c61f37

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
224KB

MD5
201a5924a25c0c7d416a72852eecfb08

SHA1
463dceb00979d781704301b633e3071b6347dcff

SHA256
49e55ddc42e2364129e092a250cea0d09220f05cf3f095b03727976b367bce5f

SHA512
0eb9a0b7d21fe52c1ee461cf98987b8016b8968b23be51d9cffe47cc13b4e1a3349da4392851838b2fb0f788a01d02fbcf408535cf9771a525fc88b5cced9cd0

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
224KB

MD5
d60c2854e2aaf300c5bf49f91595e0a6

SHA1
cca27cdd176530db81a5f337f22ddbaf7156f094

SHA256
fabf192925742f445d01118533f0fea51dd35bbb5773aa7515c1beaadcbfbe49

SHA512
e252e74b9adf4a8b0b2dc58e2120929e4f13b02f931dbce562f18a5fdf8096e49679fb42ddc726c2604333684cef5d222a3f3948819e26b2462434d28a20c209

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
224KB

MD5
5dea7fccb4f27d04cb9161c66c81f138

SHA1
41c4131ea5e604c79b87860dbb0e489d5d59d205

SHA256
7957aeec27338ba08518b95a2eff9c111fcb8a8c9503eadf5c82d0834bb9bfd6

SHA512
bdfa1798a1d72e2f238aa31551e3a42beaf7aa929737ae64acb75890cae8e95fe166e1bfea3be918051abb31f060bab77e87c8efd124bd396a5fdfd000062f2f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
224KB

MD5
f10e0bd85eba6ba6960539730b31aa32

SHA1
822139bffa6650f310dfd5af223cc692a718a7e7

SHA256
9bb3b5376b6cee6d5f99d3cc6ad2377fe377b7c4e4763d281df23cd6c1a30393

SHA512
64b9abb0d8bd501eb008411142c3861892e8d53f9ecf0b3eaaffe8f2d588f27a8dba145a12cdebdb81e67ec6895c61722e73f56115dae2df764c3800f8330f38

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
224KB

MD5
1910dded8974eff54ec9daebe3c99f27

SHA1
c624a0e7d31e7ea5f5157bfd267f2e0fea41843d

SHA256
c0320a548d1c644705d108aa799b24cf4185b4ff66138ef79c1bc57a70f6f4ec

SHA512
f673e0c92fb0d1bd4093c4b8cb92086c0546f7f6a96722ce9b8eb61792c64cda5308d633a3b8a6c96ce18c96ac28cbea5c545ece9b5a20c7df4ce9694e69daa0

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
224KB

MD5
22e496c742b27e0719c188fa5656a833

SHA1
16401cd10a6715e8bc8746d3ff272cea6f3c0bd0

SHA256
37f7d6647a21c96dff483fd425fe964b30bea7284c667d717a503f72e2206ba5

SHA512
caf43cc3da22a159e1eb1f02c40b1505c36520cc7c427e5af71a66d1a9b3bcf0f8a0b533908131564baa0a5441313502b68f10d93421f11f7f2c920d3d4e4b29

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
224KB

MD5
2caae06b01a13527debd7f9f576adabf

SHA1
d1acda58c61b77809c8c75f7a717b6c0ca6f7b03

SHA256
b119c430943c9473110b55a4d8b549b702bddbdcb30e73a959af65f577bcf74b

SHA512
43d5e083eb198f9b376de26a4611d5b4214c1c3019367ca8ff84aeca2a8cb44842f7c83286c3bd9e056e3969c88b20dcb636acecbf0d2a27ef76d9e887bc9d54

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
224KB

MD5
101c694a291fce598ef3d6988700e02a

SHA1
662f546bac6078d84f30f6cabf7250ab8e090f62

SHA256
d76f8feea760969350a765e0e0a53fab1111dd117d8bd28df694c5067b108922

SHA512
80567bc39bfb3803b2856043c25461816ac3156fb9f6eba622129278edc9a8707094184326d3712cc66b37a60886288e495ad2200c039b5735d7a60e51c09616

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
224KB

MD5
b9309c2f26d3e0926645ffd1805256f7

SHA1
024af985f9e9beb3e6e466a3909d721ba80f826b

SHA256
a10482006778d41c1771db35fdd2a0f3b0872be122076a0bf51f478c4d4fe273

SHA512
92bf033ae393492dab27a22504aed79a5f28267185fc6bc700871e5d5d5de0d78bd93a617bef29af12f7a8340a351a8186245fc87db00a1dac79d54dc93d4af5

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
224KB

MD5
eae280d4a01d05454566cfb86df92e93

SHA1
d47981ee0ff181b5e50005b812dd612d80a81788

SHA256
84e89b31fb2347c97db36b50f60a7c6c8d79dcca2ab3f308cec47bfe7492e41f

SHA512
f7ec565a914532d93dd9ede808c5ad1b5af5f9d838aa45bcb71f3ac67458de624bb150e46f7c669c66187d0e878cd66f4fb5f24a082a807fe673fbe97fef3443

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
224KB

MD5
019b1328b0bb5791961eb74fc4d464eb

SHA1
e1ce52f947140f401569145032a3ae57590960cb

SHA256
f215a43b2676a60099b2799254bf29b737008ef7f998607f80c248a6b59c71cc

SHA512
117143274654f1ebe4552cfbdbdf7e79d2a549b7b02cc12fe64df50dc6d6552fbd7e8d38b96c9a638f84c7f54edb64cc3d2ec22d61bfb5f139b39ad4fcb63636

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
224KB

MD5
ef31af178d98f600ee16a0bad1f48700

SHA1
cb5cea5df6b4ca9c466101c7a34fd6ccfd3e2a72

SHA256
cefe88e0696dd6e8c517cc98f87f2b1c695e727dbd75a9d5ae9867851207ea96

SHA512
20d84349252ad5bda0c70ffd2fb25f0e3ce13d8a80c95eba7192b07fe97d0fb01374c96817f422e567cb988fa350e059727589a98b98fa57a0c9e5ceb5e9e2ce

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
224KB

MD5
50294b5561868f738d8d5a55779fe74f

SHA1
ef4e1549f27c5dbdd4f9661085e487cc90702d60

SHA256
ca044df9271c0b4e909c7d9785b6372f943c401e7d1cf56137e8769b8a1f80a5

SHA512
db34f4045fa4656a9e0e029dbc92b5919e5fdacb98eac218b7d0f8fbc63431685f2955f0aa83170af015cd2953c1fa2f727e8f63bb7f3db5cfc8ee37823094f0

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
224KB

MD5
ec89e9e6d25808fb37a58991845061a0

SHA1
3a19950f4fda3794f9934e497984090a5836f4c2

SHA256
159908f8424cc33025970f28b95ff6a40b23be9bdfbc6704db0973c610691684

SHA512
5cc79958c49fa4ac9d97a99acc5fddf690ca57576d4985a90fdd01d432e53bdee927d9acabe7bcc2db730e03d3a1f514b6dfd4ebf1bdeb2813276d02f865ee8f

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
224KB

MD5
d9d1c91fcd676a29f77632c99b754f6d

SHA1
26f5dd3f052cabe875f1a45b644c0e6e47762778

SHA256
a847d2b85648f85bd35991500da26f852ad81f401cf99d0adbf95242587afdbc

SHA512
67935340be901337fdd07d2142e564984535126a67785ff934ed9458c4a0cd3ea136e5b13deaab7762caa99f1f13a97003f9604bd71c123b3dafc6b1946b2cb9

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
224KB

MD5
8885a1666f35f5926f684507bbfc467c

SHA1
33b2c9c3f16bfbfdae20f4698cf2dfacf019ae4b

SHA256
4ad3a4ed9560ecec54b3a399753d6eb4bc5b1c2c0d53579c6b2213df338d4d95

SHA512
535391a2bf929f5875c38b0e377ef422e74b34d1c3d6c6af822a4fd8fef959b304319236a725ce260966202b492ff388bc93d3bb4a688dca2b1d0a68d4996af1

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
224KB

MD5
a0746cd7355f20c921ff774fb63834f7

SHA1
28eb049ebdda159f328c9490fe0b789daf8fe844

SHA256
6382786a5a2d7fb9164f8b36e5f5d468bda279cdf1a6059c039705f53c239373

SHA512
90b7d18f636abe041b52f4dab681e0168a4f765f991f60a36b54775044d6acf255e6abacdfcd49659ff446db98577ce6d932144192d1b6943fd3da6ed3f048c0

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
224KB

MD5
2002bacf0b1448ade523502397e0aaba

SHA1
6ecfb49e518c09ba8ea784024d1e506ac18aaa5c

SHA256
8a7169e3cc0cc98b9bf9793ce0c861a76960af601e0bb74468fd9cdcc58152dd

SHA512
1f81ebbc6bf7ae012576f1476d003a67a9be4c3dbaf437231c16bdcce19734f2bbe1a8b85849814f5c34951e39ce129acaa07b0af7b41b8c1d290640b749f5e0

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
224KB

MD5
10cb42f32388b38e28a05eee65c7c38c

SHA1
bda7c3bfd47c0afbcd00adec6aac612e409ccc2e

SHA256
8eea9a8b267898f52e31ea1318b967ff7e4b9f47a61b6817dbfe0a62fb596280

SHA512
e931fa79eec5a16b26082a9a0f69dab4588c9765d1d5097f0245b92dfe161157fe58c0233e2606d524f295bf0e8e2f43a43152f19f01ce88617c270d4ce53aa9

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
224KB

MD5
2013685c0e81566734f25b3530f7fac3

SHA1
95cbd286d43e7baad8d4176831ec6023ca02ef82

SHA256
6933c7d24640f9e731ca4c66c4cf27765712b0d19d16f4d6ac3b131362eb8621

SHA512
307718df11fd08f4b938d720ab34df88a820c7374384018869a388fb2cf0c2c9f6597755ea81c8cdc7ece28325635fa7252201db4c722110b113506259c5142a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
92KB

MD5
524bb70927000c4976d3deb96e6cdac9

SHA1
71c1f89fe138d6c7861f29ceca9685bc4c0f4fb3

SHA256
1defd8ff77632a05623125ee460f22ec2e2b63ef26050d91e101d2bc8ff7e86d

SHA512
e7bd356450d78e8effcbf527c7adf28c802d317b20de24d1094591fd7f346e1aaba0e93220558bbd850bfd03a023066874867187c1b1ee0e1617a892771de18c

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
224KB

MD5
65ade0132b232f0de06b555c831ad24d

SHA1
1f182e555e3fe9d3cb248aa792b68964ea0e627a

SHA256
9417ba85a20828ed607cd7dd78149ced98bcc074c6eca4eeefd082b8a7211f42

SHA512
460ecb81021666358b1b0a25e8b47127cbd523a95eb0ae57b47ce032e3c6e5c1e44413cbe17d7b92dde7184848ec79e532885dc999bd48d5db4bba37a9fc7f15

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
224KB

MD5
78d1abacb96337ead4c8f044b5318f6e

SHA1
757470c26e90324f39f4b060e8429fcb74b75c91

SHA256
bba848bfc536f72a98f914eafff95152f3bc1eb56b9cd31c996f54b51fd7dae9

SHA512
18af160e36f0f2f9de4a621a0bcb44f492e38b80b04abfeb1656e13a81816f215fa053756df44a80ca28126e79d996561f97e3b320d6b0d00bf2043da0a4cb05

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
224KB

MD5
8d73dd8608754946e415288bba9fe41a

SHA1
d81a08073696a3a66f318d0f4c68ea80b0820884

SHA256
ff1d568e88f85f4e4b7d3b0c7f11cc2183fcc818e2e9c062aba970d708132b6a

SHA512
a5924726386dd114f57b1c0da5f4a9d40de74ba64c68db1827810f04c8e7a57b61892794459c6d484a0db97ab8cc1ee1d2b22c9d91414532d152304e1f46703f

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
224KB

MD5
248b5dd3b4f3eb180e398f2ea6cbd00c

SHA1
fba6fc25a7608f093bd434ff1b44ce610db08e03

SHA256
482aa5012c652ca635ca13f940d9f49e9caf48981803bba2a1f6ac05cc82b113

SHA512
754cbab32260bd790705ee227e8f2a841d6fe5da7866d32fdb03bc2bee74a9f71d49a332a5d509fec5edbc7756a257f2a02d34496ad0cfaa47bfa2b69617a6a4

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
224KB

MD5
99373e98a236dd6c0fd2defa39526e21

SHA1
6beeaaa6ef0d83aa2dac0d921e54f4b03cd4a6e3

SHA256
5cbb8fd7a4f41233173257932fa5676dfc94a759797945bfc0fc82f195a75c12

SHA512
a178ee48806dd2fa44c7f2b6dc66938618e4d0111c017827b8ccff81f3d6bacd9f1622da614beaff8ce06989ae7a61517f205bcfe61a5f27c40f48be767a0b6d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
224KB

MD5
74ac3f7becaa6f17d844b86ed4ad73d7

SHA1
b3302bbf4a145905a3439240c148ec33a67ab80f

SHA256
9c7df32bcaa81d0d7aecd1d0d1fe72d4e8435eb32bbc28cb31337c8d0e0abae1

SHA512
ca2880ca319456e94cefb2ccc246fe7501a0f20403be7769d612d40119829a3e77a20fc7da4e2182c4d1c2f208fc832798617ba143f7670a8eab75d044480fec

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
224KB

MD5
47a77d319c23e1a7b94d1d977034edae

SHA1
87889e9b418ace25694e21068e58709ca2f4746a

SHA256
ff0519d82128cd27c40e6cfea5b13ad0ea6619047121c9f1648ca352ffb4694f

SHA512
4228972acf83be266075b44fba5558723f5cb4f83d11e024d302a2cbeede268dd54971bd21e1e1a6c763d1f7c49247c43baa6a83c6c39ac0fb8716f84c6ff745

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
224KB

MD5
2b8fe86a74eac9b851519f12bdb0af4f

SHA1
50760237f6884128f8337a77d6ad39cbc13b45d8

SHA256
4d9b15ed7b3b5bbfe0dc1f8431691486ff8f2b20472c28ce1fc4bc09258e2f6e

SHA512
cddf11b037a131a17562f3bd4f6a4de7bb68a8983e6916051c698eeeee914e488e39ceef5803e9c2c44ca3a14a79723c15e79cad8407958b69fe71453a13f359

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
224KB

MD5
08f6a80b7c377137fd28685ef3fb3929

SHA1
159151840106d18d84866d755eb543103d7f7494

SHA256
782ce8a6c10cd8d346f74fa488736ec4dd50802d8ddaddbf6f9287a47bc0ea09

SHA512
d9f985c2b4ea4bc672ee248ddba93b9ef6626c917aa0b1254a807099d242af1483bb4a26e2bef1326d1b073b1fe15eda08ec0e72c66b9776c3098465b7f61d62

Download Submit
memory/208-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/992-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/992-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5364-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5364-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5528-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5528-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6056-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6056-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6100-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6100-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6140-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6140-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads