e124536bb45018362a6b0d720fcb6b24ed9b4eb31fd0876856a49c7203816d05

Analysis

max time kernel
146s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2f3454c652f82f72178c6d42cb90db.exe
Size

208KB
MD5

ff2f3454c652f82f72178c6d42cb90db
SHA1

7db18acb565aca38a94f1f179e177fce8fc911f9
SHA256

e124536bb45018362a6b0d720fcb6b24ed9b4eb31fd0876856a49c7203816d05
SHA512

e2efb7739b86f4af5a7deda3c97461e5fa7186bba3e776c7ea091fbcbc314756876515ff8bec477402d525adb526bfedfac51d10a25bd330a9aa4ad64e60d71a
SSDEEP

6144:DJTBS/v3XpQMGj6MB8MhjwszeXmr8SeNpgg:DJT+v35Qt6Najb87gg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ff2f3454c652f82f72178c6d42cb90db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	TrustedInstaller.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe

Executes dropped EXE 64 IoCs

pid	Process
3952	Kibnhjgj.exe
3236	Kajfig32.exe
1996	Kpmfddnf.exe
4032	Kckbqpnj.exe
2632	Kgfoan32.exe
4704	Liekmj32.exe
2556	Lmqgnhmp.exe
1392	Lpocjdld.exe
2864	Lcmofolg.exe
4148	Lgikfn32.exe
1492	Liggbi32.exe
5024	Laopdgcg.exe
3852	Ldmlpbbj.exe
4076	Lcpllo32.exe
1060	Lkgdml32.exe
4840	Lijdhiaa.exe
364	Laalifad.exe
3056	Ldohebqh.exe
3796	Lcbiao32.exe
972	Lkiqbl32.exe
1464	Lilanioo.exe
4980	Laciofpa.exe
4392	Ldaeka32.exe
2320	Lcdegnep.exe
4232	Lklnhlfb.exe
3096	Ljnnch32.exe
2648	Lnjjdgee.exe
1052	Lphfpbdi.exe
2884	Lcgblncm.exe
4100	Lgbnmm32.exe
2184	Mjqjih32.exe
4788	svchost.exe
4404	Mdfofakp.exe
3148	Mciobn32.exe
4296	Mkpgck32.exe
4252	Mnocof32.exe
4320	Majopeii.exe
4636	Mdiklqhm.exe
2160	Mcklgm32.exe
4772	Mkbchk32.exe
4600	Mnapdf32.exe
836	Mpolqa32.exe
5128	Mdkhapfj.exe
5168	Mjhqjg32.exe
5208	Maohkd32.exe
5248	Mpaifalo.exe
5288	Mdmegp32.exe
5328	Mglack32.exe
5368	Mjjmog32.exe
5408	Mpdelajl.exe
5448	Mdpalp32.exe
5508	Mgnnhk32.exe
5544	Njljefql.exe
5584	Nnhfee32.exe
5628	Nqfbaq32.exe
5672	Nceonl32.exe
5708	Ngpjnkpf.exe
5752	Njogjfoj.exe
5796	mousocoreworker.exe
5832	Nafokcol.exe
5876	Nddkgonp.exe
5916	Ncgkcl32.exe
5952	Ngcgcjnc.exe
5996	TrustedInstaller.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	TrustedInstaller.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	mousocoreworker.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	svchost.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5748	5580	WerFault.exe	31

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	TrustedInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	TrustedInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3952	4264	ff2f3454c652f82f72178c6d42cb90db.exe	97
PID 4264 wrote to memory of 3952	4264	ff2f3454c652f82f72178c6d42cb90db.exe	97
PID 4264 wrote to memory of 3952	4264	ff2f3454c652f82f72178c6d42cb90db.exe	97
PID 3952 wrote to memory of 3236	3952	Kibnhjgj.exe	15
PID 3952 wrote to memory of 3236	3952	Kibnhjgj.exe	15
PID 3952 wrote to memory of 3236	3952	Kibnhjgj.exe	15
PID 3236 wrote to memory of 1996	3236	Kajfig32.exe	96
PID 3236 wrote to memory of 1996	3236	Kajfig32.exe	96
PID 3236 wrote to memory of 1996	3236	Kajfig32.exe	96
PID 1996 wrote to memory of 4032	1996	Kpmfddnf.exe	95
PID 1996 wrote to memory of 4032	1996	Kpmfddnf.exe	95
PID 1996 wrote to memory of 4032	1996	Kpmfddnf.exe	95
PID 4032 wrote to memory of 2632	4032	Kckbqpnj.exe	93
PID 4032 wrote to memory of 2632	4032	Kckbqpnj.exe	93
PID 4032 wrote to memory of 2632	4032	Kckbqpnj.exe	93
PID 2632 wrote to memory of 4704	2632	Kgfoan32.exe	92
PID 2632 wrote to memory of 4704	2632	Kgfoan32.exe	92
PID 2632 wrote to memory of 4704	2632	Kgfoan32.exe	92
PID 4704 wrote to memory of 2556	4704	Liekmj32.exe	91
PID 4704 wrote to memory of 2556	4704	Liekmj32.exe	91
PID 4704 wrote to memory of 2556	4704	Liekmj32.exe	91
PID 2556 wrote to memory of 1392	2556	Lmqgnhmp.exe	90
PID 2556 wrote to memory of 1392	2556	Lmqgnhmp.exe	90
PID 2556 wrote to memory of 1392	2556	Lmqgnhmp.exe	90
PID 1392 wrote to memory of 2864	1392	Lpocjdld.exe	89
PID 1392 wrote to memory of 2864	1392	Lpocjdld.exe	89
PID 1392 wrote to memory of 2864	1392	Lpocjdld.exe	89
PID 2864 wrote to memory of 4148	2864	Lcmofolg.exe	88
PID 2864 wrote to memory of 4148	2864	Lcmofolg.exe	88
PID 2864 wrote to memory of 4148	2864	Lcmofolg.exe	88
PID 4148 wrote to memory of 1492	4148	Lgikfn32.exe	87
PID 4148 wrote to memory of 1492	4148	Lgikfn32.exe	87
PID 4148 wrote to memory of 1492	4148	Lgikfn32.exe	87
PID 1492 wrote to memory of 5024	1492	Liggbi32.exe	85
PID 1492 wrote to memory of 5024	1492	Liggbi32.exe	85
PID 1492 wrote to memory of 5024	1492	Liggbi32.exe	85
PID 5024 wrote to memory of 3852	5024	Laopdgcg.exe	84
PID 5024 wrote to memory of 3852	5024	Laopdgcg.exe	84
PID 5024 wrote to memory of 3852	5024	Laopdgcg.exe	84
PID 3852 wrote to memory of 4076	3852	Ldmlpbbj.exe	83
PID 3852 wrote to memory of 4076	3852	Ldmlpbbj.exe	83
PID 3852 wrote to memory of 4076	3852	Ldmlpbbj.exe	83
PID 4076 wrote to memory of 1060	4076	Lcpllo32.exe	16
PID 4076 wrote to memory of 1060	4076	Lcpllo32.exe	16
PID 4076 wrote to memory of 1060	4076	Lcpllo32.exe	16
PID 1060 wrote to memory of 4840	1060	Lkgdml32.exe	82
PID 1060 wrote to memory of 4840	1060	Lkgdml32.exe	82
PID 1060 wrote to memory of 4840	1060	Lkgdml32.exe	82
PID 4840 wrote to memory of 364	4840	Lijdhiaa.exe	81
PID 4840 wrote to memory of 364	4840	Lijdhiaa.exe	81
PID 4840 wrote to memory of 364	4840	Lijdhiaa.exe	81
PID 364 wrote to memory of 3056	364	Laalifad.exe	80
PID 364 wrote to memory of 3056	364	Laalifad.exe	80
PID 364 wrote to memory of 3056	364	Laalifad.exe	80
PID 3056 wrote to memory of 3796	3056	Ldohebqh.exe	79
PID 3056 wrote to memory of 3796	3056	Ldohebqh.exe	79
PID 3056 wrote to memory of 3796	3056	Ldohebqh.exe	79
PID 3796 wrote to memory of 972	3796	Lcbiao32.exe	78
PID 3796 wrote to memory of 972	3796	Lcbiao32.exe	78
PID 3796 wrote to memory of 972	3796	Lcbiao32.exe	78
PID 972 wrote to memory of 1464	972	Lkiqbl32.exe	77
PID 972 wrote to memory of 1464	972	Lkiqbl32.exe	77
PID 972 wrote to memory of 1464	972	Lkiqbl32.exe	77
PID 1464 wrote to memory of 4980	1464	Lilanioo.exe	76

C:\Users\Admin\AppData\Local\Temp\ff2f3454c652f82f72178c6d42cb90db.exe
"C:\Users\Admin\AppData\Local\Temp\ff2f3454c652f82f72178c6d42cb90db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3952

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\Kpmfddnf.exe
  C:\Windows\system32\Kpmfddnf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1996

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\Lijdhiaa.exe
  C:\Windows\system32\Lijdhiaa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4840

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Executes dropped EXE
PID:2320
- C:\Windows\SysWOW64\Lklnhlfb.exe
  C:\Windows\system32\Lklnhlfb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4232

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1052
- C:\Windows\SysWOW64\Lcgblncm.exe
  C:\Windows\system32\Lcgblncm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2884

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4252
- C:\Windows\SysWOW64\Majopeii.exe
  C:\Windows\system32\Majopeii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4320

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
- Executes dropped EXE
PID:4772
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4600
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:836

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5328
- C:\Windows\SysWOW64\Mjjmog32.exe
  C:\Windows\system32\Mjjmog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5368

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5408
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5448

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5508
- C:\Windows\SysWOW64\Njljefql.exe
  C:\Windows\system32\Njljefql.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5544

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5584
- C:\Windows\SysWOW64\Nqfbaq32.exe
  C:\Windows\system32\Nqfbaq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5628

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:5796
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  - Executes dropped EXE
  PID:5832

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:6032
- C:\Windows\SysWOW64\Nqklmpdd.exe
  C:\Windows\system32\Nqklmpdd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:6076

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6112
- C:\Windows\SysWOW64\Ncihikcg.exe
  C:\Windows\system32\Ncihikcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:1288

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
- Modifies registry class
PID:5192
- C:\Windows\SysWOW64\Nnolfdcn.exe
  C:\Windows\system32\Nnolfdcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5280

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5416
- C:\Windows\SysWOW64\Ncldnkae.exe
  C:\Windows\system32\Ncldnkae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:5556

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 224
  2⤵
  - Program crash
  PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5580 -ip 5580
1⤵
PID:5704

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Drops file in System32 directory
PID:1104

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:5996

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5952

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5916

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5876

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5752

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5708

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5672

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5288

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5248

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5208

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5168

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5128

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4636

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4296

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3148

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4404

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
PID:4788

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4100

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2648

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3096

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4980

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5996

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
208KB

MD5
3b8f84228a66bc6cd909f65ee8e68e98

SHA1
c81a355d3869120b0d0352c350c88e4593af8e92

SHA256
f6558447cec511764ce4ae3f82e1bb904e32e99141932e3158ee53db35560f32

SHA512
04d2e011c4f1908d654d214e1e29077062b58f697eab6315ab248b5c8861b8b099eea865b24ccf9a385d9ecc2d9025f3bb936f5cd0c0445068282363b3fcc669

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
208KB

MD5
31201b35393ce88bc4ce1509bc051b06

SHA1
5188f0c432b9de0adc2e5004544c846c833f17d5

SHA256
8b63bbcd1ffad58471ccdc57bbd0426e33bab0730914e0bed5ef8edfb8012d69

SHA512
44a14955a76bcaf2dc942a02b61d38e2ec6ead6facee87cc02eadcd81d403991e863429afedf022d2c28ef7797bde46601fd267dc2789d7c726457f353bbd501

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
208KB

MD5
8a945436fe4abeee1936265708095b90

SHA1
2b29f789a048d58be9d5a4952884b09d9d4ba26e

SHA256
98c07a67675002532a8f00895e1c623b9e6c94efbe184b2f9a3887faaeb921bb

SHA512
3b69aa9813be2d48f2e9012b7db50fb81d64adccc7783139a3dc851e4703ffe354662568ca75a581f43f98ef75020e3b28886fe599816e06f8726c12bd063566

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
208KB

MD5
368032cec25d3b17dadf82a6285b6d71

SHA1
90ab93f7539877f24c96023bb7e34da56029f2ad

SHA256
7ab86a70b37c2d80df38a60113c72d9af3aa88dbbc13468ab14971aeaacf85b0

SHA512
bdf2ce7ff2896e4365424b8fcff7af60d809ca6cd56a6f529c43cbc7b7019bb15a68b7d7bf4402182db10092bdef1654adc812c75059cc21ca584449449b51cd

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
208KB

MD5
dc4a0e92a226a74ff322321c3d10ef68

SHA1
ab74db9dd8f1dc0bbeb481439aedac18b6fc4a02

SHA256
8df7fd80b49c0baa5fdaa8926adf0741324a45632a856bb320a318bbe8ec5a00

SHA512
c5d52ccdb3e2b44b09051500e74e11ba796eefc085dd0b9140f5d38438605fb7248f5a7bc5138f014bf679cd429e2782181324db4b396f53a491c53255857e7a

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
208KB

MD5
e283ac8c4c671a5d9b0c8b26e601f1b2

SHA1
8e0faedace868a9eb2e080b0ae25bf7905ca9cf7

SHA256
4540b2574f234328caf3f99d7da7e3f82793d5e3615931d172ad9c5156b277ac

SHA512
ef44a2b461536f2fd7e4230f60d3ef32b41af4705206631e5100e1a7999942fcfbb94a8e0d5b4e9d5c4b99b7cbf64c7047514432e64eb8a140ec2c93a2d6fa66

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
208KB

MD5
e96b7edb325ad9d689f04970939a3496

SHA1
d9d12a631c914e8489ecab639177c9296caabb29

SHA256
4b617e918f479f06cb8e260919acfaa1d254a26938b8879cda5e70c42c8c24dd

SHA512
c71fdf3d3f34ebbe6971d1d7c03f8ac049ccb537fc677a16a94257dc1692b9832c564ee2fccb17740fc44aae59ada31790b7ae068cdb335ae0a7ea12871e9d7a

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
208KB

MD5
fcc395b947e8cb8f1672767053eb3de7

SHA1
daee3681874c4e5f1a38aeb8097c938bbacf2850

SHA256
2874d4812a4b1ebe1f0e77bab534856985e3ba511fac10228da94de502526bb6

SHA512
d57741112ea335b42dcee4e039dfb2eaa19e598ccef58d411dd7bccd171ce43358b713a8c3162b1481afe00a4ffabff76043a2fc3674ca842d1b4780248db04c

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
208KB

MD5
faf8e90178215cf13d076b93974a50b2

SHA1
54d2472f5cab48d7e0770f7026fd60a4358b1305

SHA256
333520a55e867eb224a71b082c04482f3a7c9ea066c6102e760dbab378a94858

SHA512
26d140627cdd76491fdd4b3ff4204e21bbf804155ee53b4c3f9a04ddab78309b9156f33c0a6a1f0347025e3823ae3c61673699806ccdf1b15053200a8a444fe6

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
208KB

MD5
a963b7cc44a93b3249a1da2489b77296

SHA1
60554ca6b750ffa09d0d766fcd091e76737d24fb

SHA256
79d0df1233c20ba28f2d5c2ff14855ee0e305cef3ed10ef601ac8d0230e5c9a5

SHA512
db91d12985989064780cfb9d197ef5114827774828944b8bbfe8fa2c84ad6ad9179444575863b9d058249f43a8b3c3b99ba42969addc91e9dbd8fc0cd5f7cedc

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
208KB

MD5
8fe364c253aa6f06db77d8bd042978cc

SHA1
f2bf0e1748f22877d6b82bab042f026ab8b66671

SHA256
be963b6e15e4766fd829a4e90c9d5c2ac2ce072ceab13a9d60e96dcf8ba739ca

SHA512
0cccb423d0adb6671fded273c08232bde81d4b3df4ecd8833c2dd93bf2f727fe545ee9b39beef419ec6256d886e1c80808732ed671b03a8aa5256a3f6c23f4bc

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
208KB

MD5
e0a348ee3241c25ea806e20709407979

SHA1
bac36b85c55dbcd190a652a82ea6e956e841bc06

SHA256
77d04806af593503e3f44f98870a363d83779be1dc5a76ce12e064e450fbe207

SHA512
7513bbfaf74007250dd7ce534e0fedfae935eee372ce3cbc9518c3f58e1d85dda85b56bb00617d5fb58c88591882f36b1a95ee47ce7a61b435266e450c818fbd

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
208KB

MD5
66fc6878cfb4661bf1200364d29a5f98

SHA1
11c1432e9bf16f50ae78fafbcb03fb13402544a8

SHA256
d9a1edeaf7f7b13ba30cd173cc3da941dbf04beadf61efe78d7cbc0237275a6a

SHA512
120230129c3ae96062ddc999ea02e0ee4baf318887a421e4100a75682e0d537184a45c5f90f75f755afb29cd806eba4df7aa7af4cb79a6542d7071277aa901bc

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
208KB

MD5
b930c54ef33a989b9fdc6696d98e5d20

SHA1
c1d72a0195eef6e769bf4d8190680e060752d605

SHA256
6d62d4f953190f067be54469a2859be82541b572c47a82449c9ae3acb833ba0e

SHA512
4f842e45e2c2360308e7481d45dd3f5626b117280efde7147d182f84f77e8d03f0eb3e93729e30b9d7be00f1b5d2d1a4f07482d8f8216bcf7d660b7db525350a

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
208KB

MD5
488d2fb93182110010a4e746867cbdbc

SHA1
e8f42054e9361532174ff7e9a9fd9e15cfd97dc6

SHA256
d3a3c03733cef20300fc2ba7ff941572e9ef9d2be29e3bbf6f4308d7caab7fcb

SHA512
d8a7f9b31879fcf04ea42475fb449e6b9593bbd86fe260218cbf477121f58376ba96b9e139b2f0cfd27d2af37fb04ac666bd25f1ddc2b6f43ad582fb04cb3112

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
208KB

MD5
90a7d688ab9b39b92a6291445352a8cb

SHA1
4f27780f5e83262a4e4cf3a817751d4688b97e30

SHA256
74a6b1f059e6812fa4c9c3283aef62c91bee46f8c98a4254c84f624bd75d60b4

SHA512
061b95e59ebe750b7452a508facd6a864b7fe9096aca8baad4a1a43687b88a21c1ab05b547dfdf67a58129b3d8e2afc9bb31f36af3e86fb9a93e70dc924b2370

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
208KB

MD5
de70fdd11535b1bb5df5effc22ff58ef

SHA1
2bf7c7c1ad65762bd97d461e7a28d060213b1ec3

SHA256
710f0480307459b302f5fd91ed6389c59a217c8f3ad60d8b31b60454d48cf430

SHA512
51e108b4ad6f78b2dbe3192fe4f42e7bd266db2eb09a9c6dd85e01a841cceb29f2a7e9e90b9716f9846c30de587b167c04d3ac7d47bddaef5a876703fad913f0

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
208KB

MD5
fd4d05666c2ae44059896d438c548b37

SHA1
267dce14651857e9960b4eeb17508691d0747518

SHA256
b5d28956dba86a26b0acf25fd0d2c0b4bb9fb9a1ceec56a71e9c9376f30d9ff6

SHA512
0af3c82770dc970b47d05eb2aac864c8c72fbc80e43683748ec9bfb9c97445f68347d1a396f27281f2633908ed74582acf1d3632fe260d769a62beb060d453a3

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
208KB

MD5
6534044d0c3b191d969d5f50159d6353

SHA1
89d0d190d87e7d1aaa948f7bbb1f9665f1dad944

SHA256
2372872dd793d9c51f93974b51d3e01b0bd998a92b452819d9840a71afc2ed56

SHA512
6777f4362d72f96464b877d5d249848274a4fd6f32c89922611d95468e1017ff26ea161869f6ff008e57f4ebac1e597577edb3be128b96ed8bc4128c886d16a7

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
208KB

MD5
018369f1cd72477a066592f4b785fcb2

SHA1
656d59af2d4475ffa2e8eb6a390ee3426ed35c0d

SHA256
3773062fdef1fcafbbabb4599aba044e6235a84f6118c04680231a5f2e5ed5aa

SHA512
bbd4f706f57bb26bea220929f6dd0fcd2fb197e079afdb1e412d2194cee6a23a72886a342ca0fd4236d3bab1204066e9eff931288e444766a374072301820c46

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
208KB

MD5
afa2e06f651c862f9de37e664b43f18f

SHA1
b10d2e665a4fd0578a68df10558205038865fb8a

SHA256
e128f5de23eb7095b8ab92b18fad21a28e4b57f74a2c60f22975f0529ecd1cc9

SHA512
eeff6b059c987284a1a076e4ea899212f76510436cdfd1ab274ada832ca6e642f30247f184d967bfe5be10a0540f9ba6189270be316bac5bfbbcb2f2b01ac9d9

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
208KB

MD5
26e7a15523b88ac641dbefad1d725451

SHA1
44b6f994561eae29eb95d90261b5ffe98119d622

SHA256
764cc8a836d1e16498f172aca9f8327d6c425cb8e588b2c9590e43e430192b2a

SHA512
7472d8b205d8a565df263b145e59686bac8e4e3f22ced9d4c57091bdc21efe169c31435ab98bdc3406d0be68c6643f53559fb2640664f86120ab76388eedd744

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
208KB

MD5
c495d71270a5f852314e2a06abc0ca8b

SHA1
1b02997e43b9a182f0a74a5e896d57cf30f6916e

SHA256
8146be6d88b80077868547980a1e2bc29193c1dcba6c6200e00c2b1d6e6e3b31

SHA512
024a31b65791fc6fe639a32135c74a7c0ebbb4f4510426f92998744822dc83afeaf2cee61a12e6fea3ab877d8913055b7fa344abbb96fd2e456cd3243de5519d

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
208KB

MD5
a1c619f0f7fda31e172d379a7ff83bff

SHA1
e6e6e687d2331bf08281a87ef5bdd520f0dd60b4

SHA256
608245a0418b3882d95d6126d163f6bdd01edb511bbe44ff502adf86e64d7994

SHA512
48dfdd2af52c64ff6e591cfb63a9517cb2084c86908d953d2c596da80ee3d7f839f53c14b398651e2d3507426687c2c6db6794b9725c3333018f8c249121dce5

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
208KB

MD5
bd558e08dc0e5d8de4ff24b81352450d

SHA1
e2f69e02aa39e07889326260a543b4cbbc0c9246

SHA256
fb267e0916a76b98ede127956b5035e3c48b50115427f4d754a990189e07bd8c

SHA512
f8683d45ffef5f256954a61593a1d5ddd90bdfd6e6cf77044dcac8a7d38de63e81d0a97cebc4b1978ff3e33ed51a02bcc295e8c73ec172864cd17a428cf370ec

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
208KB

MD5
032ff8496982eaad60b37003addeda17

SHA1
50500297cb815b1537237d236691f14e37e963a5

SHA256
260e79b4ed53b4b40d47d804351b3056a6f894c19354340cca8a5cc88a5d81f8

SHA512
77d090f7e098d7ee8a7054c6badb107100e157fdbe919719a5a269e9d11a19f7db638b55d7bb271da0b8bda7cc58506e1bdf72a612ff674a99256a65e0f7985e

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
208KB

MD5
5240e075438dd99c86ad9f7c449a4ebb

SHA1
4d06bdc2b5ec6c0ce75166e99c1eb52a95b7141a

SHA256
d6ffd9f125935d9e8afa92f2409b037b5e01d3354ba628859f8a4756cfa8cf0b

SHA512
aa63ab7d4695226b240af271cfa1251ea4d5a6dfc48c67596ba2795f26355942cbadb0c2dce9bb880efe3e72959dd61c3e42751e3b245ecbe7f10ed386c32d34

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
208KB

MD5
cec08e2d2c5098058db58a137e3608e3

SHA1
1c433ff64d60df0294e2d2184e4eea0d62001a74

SHA256
68b820a3003ef77421809064045c843665ec7ec2e80c4bc9cf9ad51650b3b6bf

SHA512
24f85c881a3229e0dd0621ffd346a301ea5e894f3482e765fc4b0f93f92a5a3b87c596f00c83bc56b8a8f813839129f400be9120dd0bdfd9a42eceaceb08c9c3

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
208KB

MD5
e20e0c5e8facc719144189e59c912aff

SHA1
d3241bbed5400da07f9667f9f09f46a9ac683d1b

SHA256
1cac513e9cc1e8bd20e6b80ac024116698c45b13e56fedc34f75431f4990ed20

SHA512
087cc480d03935446f954e3d6118bf811bb82f30e3080172cf51588b5ea534945fda8e2ca2c557913448f8cb782e46b826f8be984e34ae8ac437c042bebd02d1

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
208KB

MD5
5fbc229f1208024644e64cca7e96d2d1

SHA1
cdee79b96eb03766ae122e9ad6ab488995c86cff

SHA256
e757682c5dfad4f0a185f40d482601b20e5dbc92990fa0262d043a5af1297eb4

SHA512
54fe7a55a399996bc072a99ba3abd9d7a00c103961da7f80b3a53b312f1e368b17b4fca1cb70d68f8ad33c613b26cf8afb499008125ac30b24a4907360edeb39

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
208KB

MD5
ff3e0e075044a91e17cd36f0ccb42078

SHA1
3560b85503ad8b71a2ec660502dd28278c1cd33e

SHA256
a2034a428dbf37e3ee8f64ec083d5fc3657d531f7a73285d05d8c503bc8a1885

SHA512
4170008694eabe88ca17a7744bd0dfeed4773120b30e9c8954d69c09c4ae7cca06d49331be81571b4fba63ac3e8ed78c164d80928631349ed33c279a936d7e13

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
208KB

MD5
6702cbf4d332ab2d47d4fb3bb88ce68b

SHA1
56b4f6ef2056edf31a0430ac09a9df6735fd97f4

SHA256
dc7ff050ee8b5d5a3ebd62f12bee04919e0c811c1d798c604fd09e7475e16d74

SHA512
55ef4980720a8af5d2c3bcdfb391942a60f4302e87e22bc76449a4f005433a159e0093668dfc0c8323cb6bbaa1f74f5f4caa6c7eb2602ffeb63ac9f6c42f5e41

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
208KB

MD5
649fd7c0117926e5d58e1f319caf73c4

SHA1
cdaeb86c7eec0ab844dbcc482cdc3bd89c1ad805

SHA256
41e036e4d1f84578dca4724ac2603af6194cefb00ec3edd7192b886e218318e0

SHA512
31c87b81ccdd27578c811afbbf8f17e6909e2f3a515670b3048646aa5a0f8fb2f7c570ead92ac0aa8338c90dffe81c06a78f21c82ed85c4f8f20151e7362bd4f

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
208KB

MD5
fbbaa8f320d7ff57a91a1b8857e44fd9

SHA1
45b2faec9fa207626e158064588b6fe8b477b4af

SHA256
8bef9159c0d7cda42291927c9ae4bb8a406b15b811f0c92a4d749634897aa9af

SHA512
0856372449a7161b150d1222b83636aa41328676d8fc5ec9c6cd1686168d588641fc05562ab6c617e0f8f3a96e2ee2ad3bb51b6f5d41268504f9510083333bc8

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
208KB

MD5
f27d5991587b140c4da61c954cafe1dc

SHA1
5a1140d812492d6c3ae77f928e2e1f3e9c07d314

SHA256
d95f62d0655b47ceaff46fd46ca9318225c5d893b1d743957bc9cc99e22e3e39

SHA512
62eedb59d3b4a270fe276fa3802777f1367ae3b662abc237128876fec58a6488e12feed4e6628bb335565045849d6c6e9f8961180b7949020a78077a6eb5b851

Download Submit
memory/364-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/836-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4600-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5168-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5248-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5288-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5328-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5368-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5408-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5448-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5508-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5584-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5628-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5672-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5708-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5752-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5796-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5832-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5876-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5916-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads