65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
Size

520KB
MD5

299663e92488c8526f732d9ab8f6b0e1
SHA1

88b0ec9a6fe10f870b2e53eafaf3ced3747885f3
SHA256

65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04
SHA512

f06ecfb3204e6b1867eaed9d543474531b521b029ada72bec273730a828999ad6a9e2c0018b8884694658516f97b5b1058c9661fa112f7032b557218f072208e
SSDEEP

6144:03d5gWB10FM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8Jcg6:0N5pBaFB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe

Executes dropped EXE 51 IoCs

pid	Process
4824	Jmbklj32.exe
4256	Jpaghf32.exe
4296	Jbocea32.exe
2180	Kmegbjgn.exe
4112	Kbapjafe.exe
3956	Kkihknfg.exe
3160	Kacphh32.exe
548	Kmjqmi32.exe
4024	Kmlnbi32.exe
3136	Kibnhjgj.exe
5056	Kckbqpnj.exe
2200	Lmqgnhmp.exe
3276	Liggbi32.exe
3432	Laopdgcg.exe
2964	Lnepih32.exe
1592	Ldohebqh.exe
4692	Lilanioo.exe
4972	Laciofpa.exe
1156	Lcdegnep.exe
1924	Lnjjdgee.exe
3120	Lddbqa32.exe
4704	Mjqjih32.exe
3644	Mpkbebbf.exe
2212	Mpmokb32.exe
3452	Mgghhlhq.exe
3808	Mjeddggd.exe
1108	Mpolqa32.exe
5072	Mdkhapfj.exe
316	Mgidml32.exe
4048	Mkepnjng.exe
740	Mncmjfmk.exe
4888	Mpaifalo.exe
2148	Mdmegp32.exe
3188	Mglack32.exe
2124	Mkgmcjld.exe
4264	Mnfipekh.exe
4564	Maaepd32.exe
5048	Mpdelajl.exe
3036	Mcbahlip.exe
3080	Nkjjij32.exe
4724	Njljefql.exe
3948	Nacbfdao.exe
4736	Ndbnboqb.exe
3632	Njogjfoj.exe
1436	Nddkgonp.exe
1564	Njacpf32.exe
4756	Nbhkac32.exe
3652	Ndghmo32.exe
4944	Nnolfdcn.exe
1636	Ndidbn32.exe
2932	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	2932	WerFault.exe	135

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4824	2816	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe	85
PID 2816 wrote to memory of 4824	2816	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe	85
PID 2816 wrote to memory of 4824	2816	65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe	85
PID 4824 wrote to memory of 4256	4824	Jmbklj32.exe	86
PID 4824 wrote to memory of 4256	4824	Jmbklj32.exe	86
PID 4824 wrote to memory of 4256	4824	Jmbklj32.exe	86
PID 4256 wrote to memory of 4296	4256	Jpaghf32.exe	87
PID 4256 wrote to memory of 4296	4256	Jpaghf32.exe	87
PID 4256 wrote to memory of 4296	4256	Jpaghf32.exe	87
PID 4296 wrote to memory of 2180	4296	Jbocea32.exe	88
PID 4296 wrote to memory of 2180	4296	Jbocea32.exe	88
PID 4296 wrote to memory of 2180	4296	Jbocea32.exe	88
PID 2180 wrote to memory of 4112	2180	Kmegbjgn.exe	89
PID 2180 wrote to memory of 4112	2180	Kmegbjgn.exe	89
PID 2180 wrote to memory of 4112	2180	Kmegbjgn.exe	89
PID 4112 wrote to memory of 3956	4112	Kbapjafe.exe	90
PID 4112 wrote to memory of 3956	4112	Kbapjafe.exe	90
PID 4112 wrote to memory of 3956	4112	Kbapjafe.exe	90
PID 3956 wrote to memory of 3160	3956	Kkihknfg.exe	91
PID 3956 wrote to memory of 3160	3956	Kkihknfg.exe	91
PID 3956 wrote to memory of 3160	3956	Kkihknfg.exe	91
PID 3160 wrote to memory of 548	3160	Kacphh32.exe	92
PID 3160 wrote to memory of 548	3160	Kacphh32.exe	92
PID 3160 wrote to memory of 548	3160	Kacphh32.exe	92
PID 548 wrote to memory of 4024	548	Kmjqmi32.exe	93
PID 548 wrote to memory of 4024	548	Kmjqmi32.exe	93
PID 548 wrote to memory of 4024	548	Kmjqmi32.exe	93
PID 4024 wrote to memory of 3136	4024	Kmlnbi32.exe	94
PID 4024 wrote to memory of 3136	4024	Kmlnbi32.exe	94
PID 4024 wrote to memory of 3136	4024	Kmlnbi32.exe	94
PID 3136 wrote to memory of 5056	3136	Kibnhjgj.exe	95
PID 3136 wrote to memory of 5056	3136	Kibnhjgj.exe	95
PID 3136 wrote to memory of 5056	3136	Kibnhjgj.exe	95
PID 5056 wrote to memory of 2200	5056	Kckbqpnj.exe	96
PID 5056 wrote to memory of 2200	5056	Kckbqpnj.exe	96
PID 5056 wrote to memory of 2200	5056	Kckbqpnj.exe	96
PID 2200 wrote to memory of 3276	2200	Lmqgnhmp.exe	97
PID 2200 wrote to memory of 3276	2200	Lmqgnhmp.exe	97
PID 2200 wrote to memory of 3276	2200	Lmqgnhmp.exe	97
PID 3276 wrote to memory of 3432	3276	Liggbi32.exe	98
PID 3276 wrote to memory of 3432	3276	Liggbi32.exe	98
PID 3276 wrote to memory of 3432	3276	Liggbi32.exe	98
PID 3432 wrote to memory of 2964	3432	Laopdgcg.exe	99
PID 3432 wrote to memory of 2964	3432	Laopdgcg.exe	99
PID 3432 wrote to memory of 2964	3432	Laopdgcg.exe	99
PID 2964 wrote to memory of 1592	2964	Lnepih32.exe	100
PID 2964 wrote to memory of 1592	2964	Lnepih32.exe	100
PID 2964 wrote to memory of 1592	2964	Lnepih32.exe	100
PID 1592 wrote to memory of 4692	1592	Ldohebqh.exe	101
PID 1592 wrote to memory of 4692	1592	Ldohebqh.exe	101
PID 1592 wrote to memory of 4692	1592	Ldohebqh.exe	101
PID 4692 wrote to memory of 4972	4692	Lilanioo.exe	102
PID 4692 wrote to memory of 4972	4692	Lilanioo.exe	102
PID 4692 wrote to memory of 4972	4692	Lilanioo.exe	102
PID 4972 wrote to memory of 1156	4972	Laciofpa.exe	103
PID 4972 wrote to memory of 1156	4972	Laciofpa.exe	103
PID 4972 wrote to memory of 1156	4972	Laciofpa.exe	103
PID 1156 wrote to memory of 1924	1156	Lcdegnep.exe	104
PID 1156 wrote to memory of 1924	1156	Lcdegnep.exe	104
PID 1156 wrote to memory of 1924	1156	Lcdegnep.exe	104
PID 1924 wrote to memory of 3120	1924	Lnjjdgee.exe	105
PID 1924 wrote to memory of 3120	1924	Lnjjdgee.exe	105
PID 1924 wrote to memory of 3120	1924	Lnjjdgee.exe	105
PID 3120 wrote to memory of 4704	3120	Lddbqa32.exe	106

C:\Users\Admin\AppData\Local\Temp\65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe
"C:\Users\Admin\AppData\Local\Temp\65096f8f5fee1766e6aac9eeb8c1e16fb47bbb82ff03abc4f0d38dc932f6ad04.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Jmbklj32.exe
  C:\Windows\system32\Jmbklj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\Jpaghf32.exe
    C:\Windows\system32\Jpaghf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\Jbocea32.exe
      C:\Windows\system32\Jbocea32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        52⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 420
        53⤵
        Program crash
        
        PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2932 -ip 2932
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbocea32.exe

Filesize
520KB

MD5
af772700da0a4af748579697d17f9460

SHA1
82c514f3a1ac8a15b9232f31be9d326f575d1d6e

SHA256
4a34e5eb04c4bdb2312861ac46c20ecf36102336b1db6a0e60543089f6459fd2

SHA512
3578c1ae543721ff8ca613fccac68dc93357b188d47fb990e8d6e3715414593261ecbd2ce7034bf6a7d578f3600afcca755c3c5e94a4c6a81093795c76582c1e

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
520KB

MD5
b5962914370da2c8382ed316cd62ad20

SHA1
ac9e50f89177428db637f77187a5ad6860171175

SHA256
6b7bb513d498cdfd5d5447b15e7f510311cafea8a2fde5d9f928b1798eca7dee

SHA512
f883dbb3e9cf87f6e8edac5f094e10d7402fddc63b644c5032f89e2282d482fcd2a4d2025dd08616063e50887bf55c1cd80f4d66eb5aa52e33a5650570902d2b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
520KB

MD5
795837544f0aa6df2aa7d6adeb0aadd9

SHA1
57bc0ba48dfd572608678084cd272865fed25c14

SHA256
92ec4fe3b367d13d54478b7f8f8e2d3f6c1b2563173eee77329aebd5e27b8632

SHA512
0f4056ac7431cd4436a69f6d44115749c75705f55f416d934a4f7871459bb6e2507032cdc2bfb47eadfbe9f340cbc2678315feebeb57c4c21680b720640bd2c9

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
520KB

MD5
dd3777ba7e808e3cd4db00e571d92247

SHA1
83da7f31be150b8eb47e223841123ea5e1f22c6d

SHA256
ccb3e8686b176774033a4e428615a2c39c016784d548b91fb91e1342847b0750

SHA512
081c45cac399a4af73c6a894858e0ca378a829fea2315ca4584085f70e567fe6bb3aa1fb5f5f0b02c000cce029b2e30239698cb3fe876ffc6d6b0c02db6007ab

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
520KB

MD5
0a13a18cdc584eaf702e6e6b261e4688

SHA1
226a285f4c8bf65ba13fb43b4829e1dc1c023307

SHA256
e9d2e6b8c6291c4465880c7ee3324341f9f2cfb5ec4b4f1d161c0f5e10426c3a

SHA512
747b2258fd24801939683a997abb0347d3fb25c617f4262a340450282e34c84df6dba16dfe80cf44343a41dc54b3061902bdfea31236163ac2bb26ba8fcdfab1

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
520KB

MD5
5897916aa2cfaf60e56d5adf93885432

SHA1
7298b5107e126bba28ec972cf71c39ab09d64f83

SHA256
08f97b4b7ada8e864f4d031f3ffed613306177a3451475ef3e46cea0723c32c9

SHA512
a217d646beb3a92f5087de47cdc7a0287c2376918f4417acd84dbb1c19ac5b4650565cd32307e5bcff20cd79f8c0e580c36e2c55058f39fa0fc6b7e881cec39f

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
520KB

MD5
8593a56b1777d44c95a7f2deccfdd0e6

SHA1
719f045466937546a8fc098f1a035442e0799f7d

SHA256
07e710437a649bceede560af230fc172d3b30764ff89966f0eeb7494c4795fdd

SHA512
f1caea521c75ffc8114ef66da47f7d645b8bbfe7e27ab9874c323ba0d89fbce052f6a6615a9f86579d7d16b442f4932787a6b3f3103d9daedbc3ce3e7348a731

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
520KB

MD5
a65e5bd97465751762855f55a5f95d1f

SHA1
4c831f4743cba26df9ba6d69687c75d287556882

SHA256
bec4d528c261c1895608b3502aec1a6a437691cefbbeeafd5180e3c7e9ad71e0

SHA512
9bbdcd3e4612beec6c6e2ad1d62dca88cb3b847f020fb00e496b69fcf8d0e9ec6acdcec97b45dc32e54c5e505571d250b6751b110fe414642ac2b74d4de4436a

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
520KB

MD5
3fd4d6f0c2cf9bb1bd569b9d081c02bf

SHA1
58710994b2ba997facfce137d6b3bdb2f3cf825d

SHA256
ba8aa08530bd70253a083c4ac9b0b678dd566f7d8123d0952a8368baa9137643

SHA512
b62eb094c1d76da3fdf696cdc23eaa084359b0b9469a39a9a5517138a07c7608a1e520b461dd6fdddb95e4d7b636af7ced8276665e994b9526d518586f3fc704

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
520KB

MD5
0e39e8c821c5667f5249baa812e9d7ba

SHA1
0c7dd01eed3623b5a4a6025cda35344b1adfd108

SHA256
67c2a192f59b0056441b57e0a8c925989320b43d504bb27d74e7f26b963fe302

SHA512
2ad804b885797e812fa5e7d2bff5af181ee1e28bad717c0f3265f11da5267f4f417bebdf2c154085964affee6c2c53ce60d41553aa4c885953be8edee89d3fd3

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
520KB

MD5
ee103b898e6381122d7e8d0e925d140e

SHA1
7235efa5d726e2b8f1b5ea5c2f3067fa40e5b390

SHA256
dee1a2b3405b877967a6eed1b31c6287a6ddb324f0687880746c5f94553b510e

SHA512
69978ffe906ed0b2b60b285fd187f130c541c4bccfc603ac389dab0d2ec6d775b6fb46d129b47257674ad51c4c5284e162d3d5dc5b25140429d42e5cb1300c81

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
520KB

MD5
2a8384dd035440534762c30f10fe54ff

SHA1
ddff3d6bad03152c44950d1a9ffe737f4121c96b

SHA256
fdf647e0fc7058fe5e31cab51d6382e14e6ab06b3c4a86779de0e663190be17b

SHA512
6b114dd428895961c909d1216849f0f55d5abf30f70c61c4fec0e6ad00864e5ec95035bd1aa225a66b77b0fbcd95c16dc3e27d20f5c94da16179dfc77edda7f3

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
520KB

MD5
9864c34f6333d8efb9f9ebc7d2865975

SHA1
e23725f7730d624b4c2866aa56136c00b82cdf91

SHA256
c3f6e31cb73f249c25d6b80aa5616e4fdf691ae0597c03ba216428f32fb7fcd4

SHA512
b3ed81363f6af50f7e66682ae6084f5718a8e2510ccdd4b74c6ff0b88de324a00ca22ef33946c70fa5a2df1526e31b1747d9f6ac365303e34d6a5f0577e2088f

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
520KB

MD5
4e24ec61977f1ab5fd8385acfa7c9368

SHA1
4bf697b7875b5a7e2b6a687bab498a17a0d3b721

SHA256
f37cc947cda11f9889b79bc9edd3e410bc1e8b5fa3f1d0793d9bc096b320bfc8

SHA512
68f80bdd06f83abd9b61aa1183aef2cc6aaedef9e8bee397d019e969b4f21abf719a0aaf397e08e66bade3e95f2d6b9b545cc6cdc9505ce84104cf944796c98d

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
520KB

MD5
bd7a0dd14caa30c19f324c0ac3cd5c87

SHA1
cf201a2689f80ff4e9e24413485be5ee7a3cf804

SHA256
5fa55a57ad3dfb39f51fccc52aea82999e044572f09f218141be5b8f7e0f0215

SHA512
b550c69512a6de4957c1c1a14b1936c873e28d7259420b01d765adfbbeab01591aeedeab877a27056496e94fc3d1155b01b8712967d5fe76bd1f5194cf0f1a27

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
520KB

MD5
23269185f9da613c5f9b46fd2d0fdd4b

SHA1
7eaba781348b6f8c7b07c93c2629047e742de921

SHA256
de5a0d2402c0b49979127827311aeddd282b7581bd5cb651ee6c6546fbf7bfdf

SHA512
b096861ff9a77bb39af9be50e4adf35b250f0ede16d60296dca493e92023f4ba6cfd9e316dcd95ce42f4c77f1812b97844e2459a6068ae761ab161b0709598f6

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
520KB

MD5
1da7221863bae09d3b4a689d59b721fb

SHA1
3d65639b981d4dabcf3eca7b629fa5d199b2b63a

SHA256
d8eba358ae8602802051c42af7d929a7d3622d6291c62d5ba3213dd87baf7292

SHA512
a0427fe2ed8e581ab9ba299f4498fbee99890eb51c2a71db69918916a6da7e38b7df7652961f0860e7d8b44bc767ed3cc1212f4b99e35650e98e03058756e079

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
520KB

MD5
9a7c5be7ae015c34398671dcd63424fe

SHA1
ba4e8095784ca820a56dd9717f8f60a28a4b8ddd

SHA256
3135daa2ce7bdccf6574df2958c224b1fc8d941a834befde603a7970f345ac1f

SHA512
c93e7e7aedea54e00fcac8e441ef6fd9563cc62249f8d6219b7b1c9e21f994c90ca557a789ec00abec1337d9b3a3afcdfc2e6bf771ab442998cfae9f49dd4bf6

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
520KB

MD5
e5f344f184cbe90b5ffd89abc04a740b

SHA1
b99cf30526e0427beca03cdb74c9a31cf5e8a656

SHA256
2c5694fef61b6b2e2aa2d59b22ae83a0989d70e47af688c3a44dd2016c46bbc9

SHA512
5d7944e1848c3eaf2b860533697d47d5775817b7c871ffcac6ce845576fb78d3645b368e896096caa450403783e61384ea25a59fce49bfd8a5d4b614e1ffd76b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
520KB

MD5
ad0bbd8e9ac6d5f0fe7648b0c9da1247

SHA1
c11e209ece5f26d7f2c36b83dc7230e4f570b817

SHA256
3f3db2488c5da96b8c322f03a81a1a3b000b97107d7de50fd7cde1fdd02064e8

SHA512
3ab32e3bd60a1aff344a87b07610cebf06dbef216810d50b19b6f7942d3e9315464eb9f6538bcfd60d9eccb1b7d2a70e9b39eed955ddf7b528659cc7a6bbc54e

Download Submit
C:\Windows\SysWOW64\Lmmcfa32.dll

Filesize
7KB

MD5
bedb61091be994afb5cc11c9f364c919

SHA1
5449f8ab97f4cdac7ff35013ec9a3395d61ac9c8

SHA256
df18493ea2e0617b6bd1accfdb7a172318f84290d6f63763cb841d803cc5e273

SHA512
b6c1473b692c575afded0816041c60c5586b21a9c4b9164de6ea3604b82ee98b21e07656be4606419a2e263e6b3859df67dfc549c5d1339de449a9d174369c5b

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
520KB

MD5
2441b3c153aa5aec7daed668133232c2

SHA1
72172cb8ee511cd2bea941d5563f7ce9af6fcd70

SHA256
df07d885ba113e5e66af166d91972746b81c2b7120d9b809a7a0fc74583e4c50

SHA512
0f7645c6362d921f1d7a2cb1baf0025d97b61c60e314f2b2ee9086707afeba7789e598e842ec032f38d990f4569fb69720baedcb2c479a79ac0d5913d23b2654

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
520KB

MD5
8dbf6ca4987abc52190affedf78251c9

SHA1
33c45485975975ff1f671f5a57a89d25bb27ae28

SHA256
5f04e0c2f0af0043ece87feeee7610e64007b94aa31588f4d7ac2fec29bc69d5

SHA512
198d3a529b33ff8f8069144357771ea18017a7465a8b5a77d181f0fd062c5983c326b192caec8ef57d713339dfdef3a9caabd86b9ce90cbf4be23d2608c08969

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
520KB

MD5
5ace64869e5cd21a7c1531a9ab73a8eb

SHA1
3c35cfa894f2bcded30a3b492c1cbd8858407dee

SHA256
dcfc86c6950b7c55506966bb9b3949d933d1347695d1d50b842e2942a1347ba3

SHA512
a73b11688ec84a68d6c6125704c37daae04d0badde549e3a42acd3a69aea29b1a420a0d51034dd2d89f078f98fa4d08893f54c08fda2e1e6ee23e14e2cbed0f7

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
520KB

MD5
372d1c15feef20355225ff3c18ff1387

SHA1
169a27f3bf54cf4dd8c15143220ef7c6d308785f

SHA256
6d12347b736c5d96c1ec5892f792c344323822fe2207e029d5a2fc90c745552d

SHA512
4ed2961b5675ad2054171b89de01ef19f8b269a5acf204b1565b0b6e20d68a14dc070c963734413ce1e43e5caea856b5fa2e9418c5c7ec442345449784a5f7d2

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
520KB

MD5
94747b73527a3f3274e670cf6485ce98

SHA1
bc0952f767214154462c044d2ea1cb3949ac27bc

SHA256
6584f419a899eb166ccac6495a818f8e62492b20d582e935ca124b48ace211d2

SHA512
6a2d2c81ee1d32a58fde1466e8334dc387c5c60088052c2c369a081b0cc04be029f51c9d8e59d63ca7e8fbfebe64a72b4e6cdee7ee07129fb0c21fdbc84c91d9

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
520KB

MD5
d724365aef122dbd778b0a1da54a508e

SHA1
9bd5811af4c95f533578de628fca6cc8dc6a0760

SHA256
9eef4610ee547be0fa7f8232e9258292434716cfa7d400665e4b8d26ca0c3c3a

SHA512
178012e80dc1815ffaf771b5b7eb0b3d57ebdec014b214c6922445f0b9484ed9d4003c170983e920a61eddacd076d7e2cad19d3e428737c4ccf50e367b53f0d9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
520KB

MD5
f3f2491bf8eab1fb0cb08a6397f50ea1

SHA1
9b480f469d9837e9810eb75e0b4bd807f358e036

SHA256
623e6f3b4307e2c3d1c98146004f6d9735fd436405029c26e4bd4a615f265f9d

SHA512
309200d3ac9e54c4884d855904ae7de2874408c38b20a695a8c8309eb4e5d9c30b3729940496cc007329cca117a93321b59a3d2c5206f5bcc585e66d2503840a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
520KB

MD5
32d7c65cb0b645819c81f0c1456581d7

SHA1
7aa97d7ebf15e492c2a8b4ced8a122001c113b4b

SHA256
fe727250e3564c2b260f6f8ea4d1b4660e54f1842c45214c21f662b0bcf72525

SHA512
4b3ad7c0f3f97e9cf4527979b7136eb0b56148ccb4acc1783711a11cbced1989cdef797c3e5b7ca27ad01061acd5dfe83964963e9ab1bac8bb56b18187cd28a3

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
520KB

MD5
f22b48bbeedc0ee99de7e433f089d1f6

SHA1
564a277fb5696f3e5cc1ee0f45ebe3ac575a5dd0

SHA256
164c77bbbf56f87a25d084df4a6fafd3b9232de423fdfccd8b546c626722cefb

SHA512
c8f489872476cd56ee82db3506a4bc52eb0889b227d6afa22fb67d8537b90e2cb01810c6d132361374a3f5dc501f1a825b3ff10002b98004930faf8a779a76f2

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
520KB

MD5
1bb42d7309f7b4967aa4dba0fb466868

SHA1
38925c44adce23c20e05e0cabef70b6eaa255268

SHA256
f94c3adf7847e97c6aef1d80f7258baa1a092431471c5aa3f6dc68f6b9e736d3

SHA512
3863daf791a48651c46ddb436beab29ab05eec0f799988668aad4a25f826af79012edba3384288c6146ad9108a220d8447d2548d5410f7506bf42ef285c8127a

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
520KB

MD5
92a074d53ab22c23b43c65b75bde5830

SHA1
10e23fa0da559f88cf50e16888679d5312ee154a

SHA256
7456a3f1f52ac2a06469e8e66a3c1398bb1cc0952ca869784b17cebd7d4056fd

SHA512
f057e4d177d7d09a0bd45ba88fb7bebab0fe5e2f342a04edcacbb51e7323867a33b312ddd4cf46ea87093b7347ff30c8b9c62ce5dd0e19c3246bca71fbfb71fd

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
520KB

MD5
45e544f314617efa862aef7f6ed46ea2

SHA1
caf9bc7575ce3c20174788f12a599c5d19469e75

SHA256
9bc1730a516b568b9bfb08fc1fde75c6972753a0a5eddf0241e4bcd12f568e47

SHA512
b425bbf286c0047df0a17279169ed0e0b47da1abd7696a844797634a97a6ee2fa0372e870301a0e2251dda076bf1c0911ba456a369aadf87ccdc39072629a2fa

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
520KB

MD5
398c462885377eca8264019f899cabc4

SHA1
a12474ca6ad0fd7bd4ccd9cdad1e02fd22194c69

SHA256
9f18619d551227152dfb71d7113e5ec93be5bd98c7dcdb9019ffac734bdcb197

SHA512
10b1d47778dacdf9c394d2eeeb778dac8aad95e08686d7444bf8b570e7e39563eeb9e02d6ae3f8151a67909683d395531992a6b96fb62e08814633e9267cd2f6

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
520KB

MD5
bc9879c8aea5cf0b4215e77f2854a524

SHA1
fa7036ca71bb0fb5c1f5f8ac43b185fffcf8ffd0

SHA256
96a86c9773fd8dea8738fe1e186416436dd9161071cdf0c4b970d36fcc8198a3

SHA512
f7130772d7a5992c5bda3f5ce3218984da6668dc7ce816327822eece2e78a3e1727ab0b1d88bcaf1ca4f55cd35e016555bf8f1a0f68b62ce3005eca775fdf265

Download Submit
memory/316-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads