52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe
Size

45KB
MD5

e958e595f6618ad0f254f72da883a481
SHA1

f9c29406393f7c0273edd72e6c8e0cb67f3dece0
SHA256

52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9
SHA512

5245ac4a9956e30e07b4a57950526fa51380173b29b21118e1f4aff9c8615982e7a8e6e3d54d142c0fbbc9dec4f61d08ce8111f4c3748ad712ce3865d36f4683
SSDEEP

768:WpXT6SEIjoLz234vmw3cPQ7mTb8eqPIGW0nM/1H5i:GT6EjoFvmbvTTqPTWAC4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe

Executes dropped EXE 64 IoCs

pid	Process
2784	Kphmie32.exe
1796	Kbfiep32.exe
1484	Kipabjil.exe
1808	Kagichjo.exe
3884	Kdffocib.exe
2896	Kcifkp32.exe
2340	Kkpnlm32.exe
1988	Kmnjhioc.exe
2488	Kpmfddnf.exe
2572	Kdhbec32.exe
2316	Kgfoan32.exe
4904	Lmqgnhmp.exe
4440	Lpocjdld.exe
2320	Lcmofolg.exe
2360	Lkdggmlj.exe
920	Lmccchkn.exe
876	Laopdgcg.exe
5036	Lpappc32.exe
4044	Lgkhlnbn.exe
4512	Lkgdml32.exe
5096	Lnepih32.exe
1648	Lpcmec32.exe
1464	Lcbiao32.exe
2936	Lgneampk.exe
3836	Lnhmng32.exe
1184	Lpfijcfl.exe
212	Lgpagm32.exe
2372	Lklnhlfb.exe
4788	Lphfpbdi.exe
2056	Lknjmkdo.exe
4928	Mnlfigcc.exe
4684	Mciobn32.exe
2576	Mkpgck32.exe
4416	Mnocof32.exe
4312	Majopeii.exe
4588	Mcklgm32.exe
1220	Mkbchk32.exe
3484	Mnapdf32.exe
1480	Mpolqa32.exe
3752	Mcnhmm32.exe
2568	Mncmjfmk.exe
3096	Mpaifalo.exe
4172	Mcpebmkb.exe
2884	Mglack32.exe
624	Mjjmog32.exe
3920	Maaepd32.exe
208	Mdpalp32.exe
4976	Mgnnhk32.exe
3268	Nkjjij32.exe
1388	Ndbnboqb.exe
1552	Nceonl32.exe
2928	Njogjfoj.exe
4868	Nafokcol.exe
536	Ncgkcl32.exe
1560	Ngcgcjnc.exe
3928	Nnmopdep.exe
3424	Nqklmpdd.exe
2584	Ncihikcg.exe
2772	Nkqpjidj.exe
228	Nnolfdcn.exe
4272	Nbkhfc32.exe
1176	Ndidbn32.exe
1084	Ncldnkae.exe
1812	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3184	1812	WerFault.exe	155

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2784	2396	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe	89
PID 2396 wrote to memory of 2784	2396	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe	89
PID 2396 wrote to memory of 2784	2396	52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe	89
PID 2784 wrote to memory of 1796	2784	Kphmie32.exe	90
PID 2784 wrote to memory of 1796	2784	Kphmie32.exe	90
PID 2784 wrote to memory of 1796	2784	Kphmie32.exe	90
PID 1796 wrote to memory of 1484	1796	Kbfiep32.exe	91
PID 1796 wrote to memory of 1484	1796	Kbfiep32.exe	91
PID 1796 wrote to memory of 1484	1796	Kbfiep32.exe	91
PID 1484 wrote to memory of 1808	1484	Kipabjil.exe	92
PID 1484 wrote to memory of 1808	1484	Kipabjil.exe	92
PID 1484 wrote to memory of 1808	1484	Kipabjil.exe	92
PID 1808 wrote to memory of 3884	1808	Kagichjo.exe	93
PID 1808 wrote to memory of 3884	1808	Kagichjo.exe	93
PID 1808 wrote to memory of 3884	1808	Kagichjo.exe	93
PID 3884 wrote to memory of 2896	3884	Kdffocib.exe	94
PID 3884 wrote to memory of 2896	3884	Kdffocib.exe	94
PID 3884 wrote to memory of 2896	3884	Kdffocib.exe	94
PID 2896 wrote to memory of 2340	2896	Kcifkp32.exe	95
PID 2896 wrote to memory of 2340	2896	Kcifkp32.exe	95
PID 2896 wrote to memory of 2340	2896	Kcifkp32.exe	95
PID 2340 wrote to memory of 1988	2340	Kkpnlm32.exe	96
PID 2340 wrote to memory of 1988	2340	Kkpnlm32.exe	96
PID 2340 wrote to memory of 1988	2340	Kkpnlm32.exe	96
PID 1988 wrote to memory of 2488	1988	Kmnjhioc.exe	97
PID 1988 wrote to memory of 2488	1988	Kmnjhioc.exe	97
PID 1988 wrote to memory of 2488	1988	Kmnjhioc.exe	97
PID 2488 wrote to memory of 2572	2488	Kpmfddnf.exe	98
PID 2488 wrote to memory of 2572	2488	Kpmfddnf.exe	98
PID 2488 wrote to memory of 2572	2488	Kpmfddnf.exe	98
PID 2572 wrote to memory of 2316	2572	Kdhbec32.exe	99
PID 2572 wrote to memory of 2316	2572	Kdhbec32.exe	99
PID 2572 wrote to memory of 2316	2572	Kdhbec32.exe	99
PID 2316 wrote to memory of 4904	2316	Kgfoan32.exe	100
PID 2316 wrote to memory of 4904	2316	Kgfoan32.exe	100
PID 2316 wrote to memory of 4904	2316	Kgfoan32.exe	100
PID 4904 wrote to memory of 4440	4904	Lmqgnhmp.exe	101
PID 4904 wrote to memory of 4440	4904	Lmqgnhmp.exe	101
PID 4904 wrote to memory of 4440	4904	Lmqgnhmp.exe	101
PID 4440 wrote to memory of 2320	4440	Lpocjdld.exe	102
PID 4440 wrote to memory of 2320	4440	Lpocjdld.exe	102
PID 4440 wrote to memory of 2320	4440	Lpocjdld.exe	102
PID 2320 wrote to memory of 2360	2320	Lcmofolg.exe	103
PID 2320 wrote to memory of 2360	2320	Lcmofolg.exe	103
PID 2320 wrote to memory of 2360	2320	Lcmofolg.exe	103
PID 2360 wrote to memory of 920	2360	Lkdggmlj.exe	104
PID 2360 wrote to memory of 920	2360	Lkdggmlj.exe	104
PID 2360 wrote to memory of 920	2360	Lkdggmlj.exe	104
PID 920 wrote to memory of 876	920	Lmccchkn.exe	105
PID 920 wrote to memory of 876	920	Lmccchkn.exe	105
PID 920 wrote to memory of 876	920	Lmccchkn.exe	105
PID 876 wrote to memory of 5036	876	Laopdgcg.exe	106
PID 876 wrote to memory of 5036	876	Laopdgcg.exe	106
PID 876 wrote to memory of 5036	876	Laopdgcg.exe	106
PID 5036 wrote to memory of 4044	5036	Lpappc32.exe	107
PID 5036 wrote to memory of 4044	5036	Lpappc32.exe	107
PID 5036 wrote to memory of 4044	5036	Lpappc32.exe	107
PID 4044 wrote to memory of 4512	4044	Lgkhlnbn.exe	108
PID 4044 wrote to memory of 4512	4044	Lgkhlnbn.exe	108
PID 4044 wrote to memory of 4512	4044	Lgkhlnbn.exe	108
PID 4512 wrote to memory of 5096	4512	Lkgdml32.exe	109
PID 4512 wrote to memory of 5096	4512	Lkgdml32.exe	109
PID 4512 wrote to memory of 5096	4512	Lkgdml32.exe	109
PID 5096 wrote to memory of 1648	5096	Lnepih32.exe	110

C:\Users\Admin\AppData\Local\Temp\52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe
"C:\Users\Admin\AppData\Local\Temp\52736f07c65701e90a9a75347732747f7395b18a70549fe5f9dcb0a234d4f1a9.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\Kphmie32.exe
  C:\Windows\system32\Kphmie32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Kbfiep32.exe
    C:\Windows\system32\Kbfiep32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\Kipabjil.exe
      C:\Windows\system32\Kipabjil.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        30⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        51⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        65⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 400
        66⤵
        Program crash
        
        PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1812 -ip 1812
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
45KB

MD5
63f3c5be8bb379578f21cffdb7be20d9

SHA1
f234121e3d1e8e1c01207a51d2d5f72aafdd66d7

SHA256
1c64ad89ca743986957028b703190fd57936241f148fe9340e3d01418a07eccd

SHA512
3d3001eb430214fc65772880937026b281d0b2ba4ccd05df6bfe2a91a2e9d8283adba086baba173f205bc0fb63ca971319c47025dbe1b01cf59752249c5053a2

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
45KB

MD5
e2a298af4c9acff73a8f4cc556f6b50c

SHA1
290f2150e30932834d49d9cd0c16dcc796f3f758

SHA256
c9a3bad3dba47fdc55ae293b48e77909aea10e40427007bbe4661123dfaf6ec1

SHA512
c28df0746efb616e7e36c69951ea7692edf8093580784e5d70225585e7a549d80f0d471cc37d71d55035a8229d27204adb06bc14715e3846aaa7401fda004d65

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
45KB

MD5
77a650f2308ab51d6d56602a44c8162b

SHA1
06da45f9a68e9cd2eafa654cced7aad7d9167b11

SHA256
05ed3acca475ae42cd94526fca6886ac7836dde1982a4ff48b11a36db01a8ff7

SHA512
6f5bca5768b34b6740707e19667c07c23a1d1e59655d03c47bfdcba94f249d54d070a8d28fa3312e2b4e87fa8b63d6b43d92586249f70bd4f209964d43ad49b0

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
45KB

MD5
67a3ed52c7170108892eb6e5c3294741

SHA1
4081a36924dedb93a85bf85b971d5b4242dc54c0

SHA256
fd6834df88e1fbed79829a235090f3bc088e5ded702fd21d9cec14c5388abf99

SHA512
e01fdc39b215cc09e47c6cabf99eca80e191904feec16261d0e82887ff631b93fd0ce101ef830a1464fb71a84b8946e8dace48f8eef142139146c72ff88fb617

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
45KB

MD5
49a5e89f788161b8b91f007a5a96b038

SHA1
5c83ac5d9a9a149c6368eb0ff257e09c5a3dd6ff

SHA256
d65526a80dd174ed789cab152f4e81390a4cdd12711cc57038fb82d6281d5f46

SHA512
101e545fb868fe7d73301fb99b7379550856fa708f7489c558a8c5d35c41ad745cf5b2af71b6a726cbe48e8dcc20b44a60b5f06f0a737bf8f24f5d116a755d27

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
45KB

MD5
8935e891c320229f3918aa92b20ccbed

SHA1
28e3374c6726c513898ac4f566d970f20265a953

SHA256
1b88cbb0cc863316701eaefae86c8ef3969e49a7a59a5a11bb7344f924ddbc3d

SHA512
2c867981a91379065f5a7fdae1a131688b1412d477a12bb41810dc28f54c7c7184d9479e281453a9004b4a91dcce35b17a4902a372cc26f8a57bdc359f1be6c6

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
45KB

MD5
77ae9bc65be67fd3f445bb9bfa0042a0

SHA1
0f8d5c42d1bbd23362614f5139907736bfcbf009

SHA256
78df4142af1fc3600be3a7bde8873dec15b58637c1ac2b9bb305584dc182b770

SHA512
653372e0db696bbc01ad085cff902136eb5798407114ec563ce438f39e620f6e8bb67c30ca4404adf68497452a2ca8834d1dc0966319b3bfedfe9cbc6bee74d1

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
45KB

MD5
77456b88c36ef203110cde32dbe71be9

SHA1
1fa1bc87425954d79e416e74ef5a15bcae370985

SHA256
a7d2bafe6dc39481927f9969ad76c23f54d6c2b1f8a7d0bfa207a6ed9091768e

SHA512
202cf2c376455ea72ff745caad7fe6975e8aaf1409433fbe64d70ffee465b7986c90e26cbb2eadda2687f66c876be268b89f21d9dec8d1c40dcf06d0290c1584

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
45KB

MD5
00f50d42b2d3edbb75ce4c2ce88f0a88

SHA1
ea6c3c78fab34611799f6f5db3494aec790300a8

SHA256
d07d97c25a8691da182a80976c0ccf8b0f75bd1d35f3cf0270642044f0421ffd

SHA512
b006105dfcdf29675ba601f82c8f3dbf9b1922a4c67b39e56cbb599e777de5dfe58927d7dc91b63fcc91e936bbf9b1414ecd50ea986a3c8ba2b4822ba532cef5

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
45KB

MD5
ba19636011fc5eaf5048a64357b22a17

SHA1
525e842a37202646360ee5e8281d5640f9cff026

SHA256
3ec51bbc29a73904cad41d555a70aafeabb4884ccb6e4fcc51877c37a59b4755

SHA512
6bc39579473980f9d8c9ec1d9c933e897df1d601cd1d3cd4387a5a002abb59c6434b0167dcf68845fbe4217b30a003288c9d1578fb88aaa86cc8087d0ac0bef2

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
45KB

MD5
c482f95cabd33a39825a4eb93959498a

SHA1
f7fd5029a895b429db1afb155b6d10b6ae769513

SHA256
990a4a0175ca05a8c9691bb77fe9fd6d22bd7146ddfde4a340d0b863c7a87161

SHA512
456a606237a884dc2e05e55168c150df3642bd5405a9061874fb0e282dbe75ca0a8d71cf02958d28a1b66f55b76380819946b511638967dba4dc3a6de0e903e1

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
45KB

MD5
03be9b188e429541632c2d61fd995673

SHA1
cbc3b6e843981a11e6c1053b3d167ce494fd84ba

SHA256
69382126bd7220f9cd6034377c50d49e6d5f26d5dbfc2a21e1af5b990f3e7d1a

SHA512
66379932e54722ffb3f37dda2b307d3c837b9b4c151ae327f9a0f3ac7981c32c3e5707d2a9164891b537b1827e307fc1e81f3d723b5a7851a98bca739671f475

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
45KB

MD5
031a376d1818a420c8d507d517464212

SHA1
e4a5e4604fd62d5b9639e56349ff15cfe1d65fac

SHA256
35970edd1b116271a9b5f6926342805028fdf47176016f0e5d7d32a1848c1a61

SHA512
004610790ca1e74126cc44ef6bde81838f8a8488fa6a7df00b79c8a944295a2b1887740ddf1dfdc05f305dd3c78f00da2826436832c8dcdb15092a95cca4e4ad

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
45KB

MD5
4ea38ef34a38689849e11c49d7f6dee0

SHA1
14f447f969696c772be229fd1358a74e83ff3c58

SHA256
815ff5681f7e73ed26afb2ea46827a66a8c0d2b2868151b3c0e9259a1b325f0e

SHA512
6af41a9e40078b8d741feadb54c4e1eba323c2f11cb3ef07d559d8a82ae5e9ca8ea302b06df227b17728a096f979f4be9505aacfc00410fd1ca6cc0b90eba751

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
45KB

MD5
d5888e6baf2687641df37764f7ed0aec

SHA1
c7a7104e50ab5355ba64e01391c7cebec45c1001

SHA256
c0b452a839ce2adfad84591969e4c0bf228cf57e65d321a42621df491836cee8

SHA512
c7d4944b2b531c2026851eb32999c0a42d3b71e7231ec39ab3dd5f213ffb9e246be96304f7c8872d48d0fa895e77fa2ae865be88662fd17ae557b8d6b78cc4d5

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
45KB

MD5
c9bee93dadec659c15da6422dd7dc1cd

SHA1
f487d3a7a2a681fca70e7c60f011ca571b699d42

SHA256
02c1ab18395ae673918424b83188b764577fb2723bc71279ca424e1ab457de39

SHA512
e5d1f1ca2dad5017130329c6d4eb65cab134ea0677743ef6b9c7ec5ee8007681c1dfd270a1e31485ac5be030ff72c42f39e1b3af8d2e0ed5148285ea82af4bba

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
45KB

MD5
4bdd7e0189d365e48d2274812fe86ad3

SHA1
26e24babf89424e16777e792995555255a06b251

SHA256
2f82961ff1dab5f83bc1fd926a21aae12fa128617caf29b8c323aa83dd7c6c94

SHA512
403c3b00302883335a51dd7a7a9cedaf6d3c78ddf676653c2dd4fc15c88300a431b32cf9fb2869f3e667628e597ad89ffdbed6743f50610f2c2d766986855da5

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
45KB

MD5
b333077e5a44b25648fbc15f9c91f350

SHA1
8eb3463af203e67f2536b5e6ab873434f29e0c2f

SHA256
b8c1f994470bfde5551fc1da622b7d1aaa26bceb0edf10396dd2db6b11d5a2da

SHA512
67396fe6a78e6ccf9f22388e8e9b61ff1c6a069c6b0b9a9b6f5f1043032612da1a24a41d9ea9df57b13282caca6235616bcb4056c3459eab1c881f466b921381

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
45KB

MD5
ae51cd5ae9ef7cb09595dcd48b077e9a

SHA1
91b522d8575aa764ca1fc763eb209b5122cb0056

SHA256
749ddd7ab2ed378dde2926f8180ac54d2e3fa6436de186406e039e8d18d2c912

SHA512
f14c81b042583f8621976d5e844108964fa0cb1f25ace1ee785513e38f61ee2618c1e38f70a90a8242bbf7e7f3b3d10db27549f2e15e214961e9b2e7278b4c99

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
45KB

MD5
73d3772989c829dee604a1f68067cac4

SHA1
1069c2fb926672e2f986ebb92d01faca8e5badb6

SHA256
c3d8907950687caf149bb12e03c31d56009879cddab127e09ccdb54bc32fae6c

SHA512
ffc09b243e5bcfd48ae6a7c485d2739fa871e16514776f1ec1486fd2715763e7582090a2cab27b686e4f05375efaabd9709391ad1363d6af425eb5750d689214

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
45KB

MD5
254ecee4718c851927e340a8822ac4aa

SHA1
4e9f2fc2256a31ea1052079d72a5c7eadff251fa

SHA256
0456c249753252e07f8d3ef6d0b4243c7b5f5fbdbe2cb55a1130990ec4b148d4

SHA512
e5a9abebbc4fcc7d152fbc1fa8f28c8b2eafe1d4651511c9e053e7ca3bde8f0fbe01ce29ed22c66869b483df3af86f2074a5f184de61babdc9313486b67170fb

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
45KB

MD5
2d148b9ae5b72878c86a6ea72ebcf969

SHA1
63f666ed8acf26ed2a6ba7a2357a730fc672671f

SHA256
fad40b896cef1e1c7f93ca166c3862057683a18433e50018a322bda6a6922ffc

SHA512
8ca9964687eae2532fb06725361f79afd70b4e3fc5a0a42a6d9ae2d48701217cfc3e1687d627677871de5c6c6b16bd19295505869b09fcdd660eb13d8d8e0673

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
45KB

MD5
c16dc1493d8bb20dfd52b5706ba264dc

SHA1
ef128ae36f4208b9d482b9191dc3559d63bf807d

SHA256
8eca0638fe0788b83170db85c43fa61349c620d84afff71d845fdfb51c4de505

SHA512
b7b0e5f773486d0a058012217a60b860c8f3889255b652a54189bdaf84e97645699b6b18682a341bb853225d2bc277ed7024ea804fcaf72080e2d981fc176a4f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
45KB

MD5
7231d7a794fe0c89653897e0ea51447d

SHA1
648a36f7a376fe98703f72374034a9fc48dbd999

SHA256
6c2f1895d0f9fef1117293d9eb8134deb83799343bbc698f83670f91d59f1da0

SHA512
d087e903eb015aabc01dde028c18a1553f986f1c87c3645570fcb25a614306cb169007ce5ee53b9c4a2c31e17a6f1ee7082a12b3e24b974bede5231281289949

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
45KB

MD5
cb8fd69d546196a4546b6885c8906146

SHA1
7f33f2e0b6698a4b6adfe20ab41696c5cd144ebf

SHA256
17c956679743d3e8af150f731c9702b8b2921e3d903133418d247dd17cf9d489

SHA512
e6076db56f26fef5aed1570551b91bbfd5b5ca52b991cb48f5a16a9ebab907d421b481cf71052fc256f6cae378ea680ed011e5f277f3eb9530921488a9a588ec

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
45KB

MD5
45cdebc66cb10063b76f552b57b6a99d

SHA1
48592301f8fcc3ca4bbb82ed89c917db44289e46

SHA256
c5b2aa8936952e3b2b0723e30dc74b725410f01d1124c7badc00d38464d4beda

SHA512
af1ba29f3de639523d1f825df15c682ceb4adafdc43c5b3dc433a61e6ac0bba7063196a4a7d98e51f576a67b334250c9f16fcc0fa92b1a31fdc19322376ba8d1

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
45KB

MD5
7d93e8aef7ad77ce194651e156ee2298

SHA1
5a8838bbd36530910c88ab493b9a45137b2fa0e7

SHA256
eb54e8cf1bf9b0c744422a506bc0da1dc273934abee84f7cabe582e87fd0e337

SHA512
1dc76a1ebfddd6e5e32a0bd827341d7f8bdb8989b2e3a4aa52e621125291afab62ffae002107f6879a1bcb5533415ffda2ed77b7654ebf7d4c432e83312fa660

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
45KB

MD5
d218cfc38f5d12d1c92b19f1091cf1a9

SHA1
e8eb85c431b801622eb35a556ef69dd393881f19

SHA256
90c429368ce2cf5677504ad324847f6f8bd791710d4dd32545af6325d6c89620

SHA512
a65a763723058c7ddf185e2d935bc1862799f8a5dbd2a375020fbc8de4098d15d5dab86432cb8005999f5dd4c1cf9771cbad10ef12a9dafe05cb33d280142f35

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
45KB

MD5
baa0d5e38d2fa7df846ee951bc7f7bf2

SHA1
85592a535aa94074d48fa1f7f3a85349102c9907

SHA256
7dff644a9dc65fa40afeb9c29d94c012997221beb232f8ab61149a0a598d882c

SHA512
a1b50d2766c69687bca3eba75f648de9d0d20a996723e0991741bbd1a2ba52782ca8c7401d1a5ade96157351dd56d11e5c81ea8c507f23428785f3612ba637aa

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
45KB

MD5
c91f0b03f3da608a32cc1842ae348eaa

SHA1
03c077ebff8f68af10d9d737a310ef55af062c8f

SHA256
1e42293ea4a6144d701780dae8dd6ea065f9994b92c2ed90b093b0a8cf88bf09

SHA512
5255d3ad2a314244bbfce07a1d6db4e5efea85605d5aaf931eaa043648668b92a8ea67cd28c00768ae4abc21b7372deba79a25fc141ab1004cde8a209148a469

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
45KB

MD5
dd36b646bad7540e5fb2fed5d27c9fe3

SHA1
f86bce281106efbafcc6753754a2867459d49b2a

SHA256
2f464ae2eeecf898eaf228a2cb6e6093f7a64e9849efec4398a3e2f06a3884b9

SHA512
f8877d524a5a228dcc3583f933b51ed62d9edbe5f9082849a6e847c8a0dd4befc31857e14065b52361c6d0dcab2ddeeb31d813eda393d3e575d303f18798080a

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
45KB

MD5
f9be4ea356796525acf5c862b5f8accd

SHA1
6f84cd0009dffa04aace68bfd5d37586693cfecd

SHA256
92a5566ec73e56f12972cefe9aee3cc9d4f0b77aa20054d766acc03ea8367461

SHA512
faa99a3a053d817efe9db2d49f5df33c63f85265d006434753e3e88853c38efa8c480b47f3963216f9a25122097b28529689e105ddfe6488ba60cbc32385b875

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
45KB

MD5
9fe2af9eabc6302541f34b13d1ec7bf4

SHA1
b11f19497172f2c416ba17b7d2f3a754c1db63fd

SHA256
cfc4c9c9b7071aab1d997c7e5ec8db152ef52a11b7169d5c1cac9ee32893a556

SHA512
9bf441a40a3c809af230cb5326a80b935dcc8d91c03ce89d5af5cfe28df3f8f22d00fa213b2ad14d491161799e83044047e9d9ba9778dbd03077cea705f62407

Download Submit
memory/208-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads