2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
Size

80KB
MD5

b0cd8e5e33695342a67364cefa2f24d4
SHA1

ecafaa07f610a2da2c4ad89fa571c74c480e610d
SHA256

2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18
SHA512

2d9285ee731d4122ad3110873236aae40d2f301774220cc92bceea733632a2046450f4fb1cbe34cae51bb9235a3daa641cbab72a64bbb4b8b7818f88dc3d77bf
SSDEEP

1536:SeZtxKS3eeGMMTyrwuPJ29vue1zdb/R0B7B2LtWwfi+TjRC/6y:fxRehMMW7Def/R0FaAwf1TjYD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe

Executes dropped EXE 64 IoCs

pid	Process
400	Jfkoeppq.exe
5044	Jiikak32.exe
2888	Kpccnefa.exe
3728	Kbapjafe.exe
3576	Kkihknfg.exe
3628	Kmgdgjek.exe
4952	Kpepcedo.exe
3340	Kbdmpqcb.exe
436	Kkkdan32.exe
1912	Kaemnhla.exe
928	Kdcijcke.exe
924	Kgbefoji.exe
4624	Kmlnbi32.exe
2228	Kdffocib.exe
712	Kgdbkohf.exe
2056	Kmnjhioc.exe
4876	Kpmfddnf.exe
2956	Kckbqpnj.exe
5040	Liekmj32.exe
2240	Lmqgnhmp.exe
3692	Lalcng32.exe
556	Ldkojb32.exe
2852	Lkdggmlj.exe
4344	Laopdgcg.exe
2628	Ldmlpbbj.exe
4248	Lgkhlnbn.exe
4500	Lijdhiaa.exe
1604	Lpcmec32.exe
4316	Lcbiao32.exe
316	Lkiqbl32.exe
432	Laciofpa.exe
4836	Ldaeka32.exe
4556	Lklnhlfb.exe
1384	Lnjjdgee.exe
4388	Laefdf32.exe
1392	Lddbqa32.exe
1072	Lknjmkdo.exe
3892	Mnlfigcc.exe
1984	Mdfofakp.exe
4024	Mkpgck32.exe
3164	Mnocof32.exe
4684	Mgghhlhq.exe
2120	Mkbchk32.exe
2600	Mnapdf32.exe
2728	Mcnhmm32.exe
4776	Mgidml32.exe
4600	Mncmjfmk.exe
1688	Mpaifalo.exe
856	Mnfipekh.exe
2224	Mdpalp32.exe
2484	Nkjjij32.exe
3112	Nqfbaq32.exe
4492	Nceonl32.exe
3012	Nklfoi32.exe
3140	Nnjbke32.exe
2004	Nddkgonp.exe
3388	Ngcgcjnc.exe
4392	Njacpf32.exe
4744	Nqklmpdd.exe
2428	Ngedij32.exe
1976	Nnolfdcn.exe
4236	Nqmhbpba.exe
4640	Ncldnkae.exe
4912	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1012	4912	WerFault.exe	155

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 400	1556	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe	88
PID 1556 wrote to memory of 400	1556	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe	88
PID 1556 wrote to memory of 400	1556	2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe	88
PID 400 wrote to memory of 5044	400	Jfkoeppq.exe	89
PID 400 wrote to memory of 5044	400	Jfkoeppq.exe	89
PID 400 wrote to memory of 5044	400	Jfkoeppq.exe	89
PID 5044 wrote to memory of 2888	5044	Jiikak32.exe	90
PID 5044 wrote to memory of 2888	5044	Jiikak32.exe	90
PID 5044 wrote to memory of 2888	5044	Jiikak32.exe	90
PID 2888 wrote to memory of 3728	2888	Kpccnefa.exe	91
PID 2888 wrote to memory of 3728	2888	Kpccnefa.exe	91
PID 2888 wrote to memory of 3728	2888	Kpccnefa.exe	91
PID 3728 wrote to memory of 3576	3728	Kbapjafe.exe	92
PID 3728 wrote to memory of 3576	3728	Kbapjafe.exe	92
PID 3728 wrote to memory of 3576	3728	Kbapjafe.exe	92
PID 3576 wrote to memory of 3628	3576	Kkihknfg.exe	93
PID 3576 wrote to memory of 3628	3576	Kkihknfg.exe	93
PID 3576 wrote to memory of 3628	3576	Kkihknfg.exe	93
PID 3628 wrote to memory of 4952	3628	Kmgdgjek.exe	94
PID 3628 wrote to memory of 4952	3628	Kmgdgjek.exe	94
PID 3628 wrote to memory of 4952	3628	Kmgdgjek.exe	94
PID 4952 wrote to memory of 3340	4952	Kpepcedo.exe	95
PID 4952 wrote to memory of 3340	4952	Kpepcedo.exe	95
PID 4952 wrote to memory of 3340	4952	Kpepcedo.exe	95
PID 3340 wrote to memory of 436	3340	Kbdmpqcb.exe	96
PID 3340 wrote to memory of 436	3340	Kbdmpqcb.exe	96
PID 3340 wrote to memory of 436	3340	Kbdmpqcb.exe	96
PID 436 wrote to memory of 1912	436	Kkkdan32.exe	97
PID 436 wrote to memory of 1912	436	Kkkdan32.exe	97
PID 436 wrote to memory of 1912	436	Kkkdan32.exe	97
PID 1912 wrote to memory of 928	1912	Kaemnhla.exe	98
PID 1912 wrote to memory of 928	1912	Kaemnhla.exe	98
PID 1912 wrote to memory of 928	1912	Kaemnhla.exe	98
PID 928 wrote to memory of 924	928	Kdcijcke.exe	99
PID 928 wrote to memory of 924	928	Kdcijcke.exe	99
PID 928 wrote to memory of 924	928	Kdcijcke.exe	99
PID 924 wrote to memory of 4624	924	Kgbefoji.exe	100
PID 924 wrote to memory of 4624	924	Kgbefoji.exe	100
PID 924 wrote to memory of 4624	924	Kgbefoji.exe	100
PID 4624 wrote to memory of 2228	4624	Kmlnbi32.exe	101
PID 4624 wrote to memory of 2228	4624	Kmlnbi32.exe	101
PID 4624 wrote to memory of 2228	4624	Kmlnbi32.exe	101
PID 2228 wrote to memory of 712	2228	Kdffocib.exe	102
PID 2228 wrote to memory of 712	2228	Kdffocib.exe	102
PID 2228 wrote to memory of 712	2228	Kdffocib.exe	102
PID 712 wrote to memory of 2056	712	Kgdbkohf.exe	103
PID 712 wrote to memory of 2056	712	Kgdbkohf.exe	103
PID 712 wrote to memory of 2056	712	Kgdbkohf.exe	103
PID 2056 wrote to memory of 4876	2056	Kmnjhioc.exe	104
PID 2056 wrote to memory of 4876	2056	Kmnjhioc.exe	104
PID 2056 wrote to memory of 4876	2056	Kmnjhioc.exe	104
PID 4876 wrote to memory of 2956	4876	Kpmfddnf.exe	105
PID 4876 wrote to memory of 2956	4876	Kpmfddnf.exe	105
PID 4876 wrote to memory of 2956	4876	Kpmfddnf.exe	105
PID 2956 wrote to memory of 5040	2956	Kckbqpnj.exe	106
PID 2956 wrote to memory of 5040	2956	Kckbqpnj.exe	106
PID 2956 wrote to memory of 5040	2956	Kckbqpnj.exe	106
PID 5040 wrote to memory of 2240	5040	Liekmj32.exe	107
PID 5040 wrote to memory of 2240	5040	Liekmj32.exe	107
PID 5040 wrote to memory of 2240	5040	Liekmj32.exe	107
PID 2240 wrote to memory of 3692	2240	Lmqgnhmp.exe	108
PID 2240 wrote to memory of 3692	2240	Lmqgnhmp.exe	108
PID 2240 wrote to memory of 3692	2240	Lmqgnhmp.exe	108
PID 3692 wrote to memory of 556	3692	Lalcng32.exe	109

C:\Users\Admin\AppData\Local\Temp\2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe
"C:\Users\Admin\AppData\Local\Temp\2f6f05a0c2e39dc66e01aec34fea8c9e1afaa2382bb009f2b372283016436a18.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\Jfkoeppq.exe
  C:\Windows\system32\Jfkoeppq.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\Jiikak32.exe
    C:\Windows\system32\Jiikak32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Kpccnefa.exe
      C:\Windows\system32\Kpccnefa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        43⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        50⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 400
        67⤵
        Program crash
        
        PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
abe5102e5b7ebc551b8dd8b8b33351ae

SHA1
a2204df3a05e926683d67a15872459f5ba28990c

SHA256
08005a2effa46e8f80fbdaa3c0bca254c56fc36ba1c9ee46d2e65da7b6dd9425

SHA512
34f65bf410f2e254ab5d43f0be0c6377d03c6b54f715ed05b4ce94eb665430acfa5afa19b4186c324238f26796ec45dbbc12388bec80ce0df1e2b6f2a27f947f

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
80KB

MD5
f8b502ad22df3abb1a561e440f64f70f

SHA1
5579158d97cd5c10ba8cbdaf594189a09ade2848

SHA256
190efa2164c6aa4b7e59850e0899093dfc5e15048db72d5293b3bc2c5497a34f

SHA512
08ee3c3d7024e6855001c15351b4cd6abbdfc6c9b79728c6d3f6cafcc81d022e4fd8c962a558b63b991a0c590e4fb29839c478cb2f80675c6b084dda8bd51575

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
80KB

MD5
328c68791c2986e60023b6701788bfec

SHA1
37a969250158a823bbd213e8f5b8bbd623047173

SHA256
71a8b2c125083aa12b043fc565735f0d95a92e38b786b735665c3ef69b37bfff

SHA512
8d8b0d88efa9dd764f94aefe7192fd242c841368aed065f57eeeea11aa92b71b9eabcc93cc0238efd59cd12a174d800a6ef387ea3059abc87f5c5ce155b43b89

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
80KB

MD5
c450b9c627d8969adc6732ed7d091e5b

SHA1
544ec26d948de91ee95878428f3d52c4af09beef

SHA256
e29ba59c133c4879cc431329f5793e077d9100c3c7a8ea7240437efa4dce80fa

SHA512
f4c3bced4b558d1d338a6c8330d6b8fc40e0128c6e3c8646ec530cfb606ce4858f08ba4ce4d61a41dfaa669fa59898caae6d8bb580dc831d2429ee55a80e4bed

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
80KB

MD5
97668d62fd8c29de118f7f01306ddff4

SHA1
f86414707ab42ee8c1b12b4b4632e13b8eba5424

SHA256
af542451750afc933f7130e3588d6016ef86dfe75a1e4e8ad08074d6376813cf

SHA512
1d16f3a87b44ad4afe88e3a509153e495e6a0350b1c8780406855e2081387b9efcc8563d8b7da33cc4503beaa8245ce8a9c4525f27926764fe0f614bcc8a2bb3

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
ccc0345e4d29ba05d63f162fe59fbbe7

SHA1
13c5a15f343d95fe61d30c5a2aa04aba2947ab71

SHA256
c14aef05999204af29091e9dc5fc8468ddf80869193e9f7868a43a5c1e6f23f8

SHA512
520bad40b00d0484273cb771fe77bb10bcc304b4883322253cb5d5ca664806852cdae260c097ecdbba52cd234086278f818914a8e58fa5b32466d10d65a8ffbe

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
80KB

MD5
ca2abddcdae54c0258e82f34ab64b563

SHA1
a831cee6c7f0e059d45e2b2202f0a941a9b8d25b

SHA256
48f1ea17af55e61c885dc133b766a8b080c08dafa329606bec1aa335859761a7

SHA512
1a2b052f947a508dd60f483d64398b42d78ab7992d12f30239baeff354bde2ed8df6420a056176a6f327206c885a8af4c105cb62601fbe8177c48cab4a771f9f

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
80KB

MD5
c4417243d0f73cb6019a7a47dcf4d565

SHA1
fd7b828d7fe52150cb60bdbdb9491568df064320

SHA256
7d9fd1d626acf8059dea8bc21d4e88b7793f7557cde6be874c395443de514185

SHA512
88a86def2fb21c3d15f92c3372c744464478ca108e3076822677a242924d1a6d982d02f1dd70dac7baba3fa0199d59d6bcda55fd5a6403f01c7cfbce5a1f4099

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
80KB

MD5
12fec051a1a6a6e1ac4c0bf092e1de25

SHA1
bff7fcfda74da1b1cf4dc706f166c538bf9c7db8

SHA256
9f70377bea5b788dbc620b5365a52b1dae531b9556f40482c4b10192e46ee3f0

SHA512
bd2960e350c3e95571a35d8fda706944c6196319789c31b3d45ce50297813b7530459e0f178fa192b9013889c556b4f0c4848c15ad199a6dd72f55aaff67d746

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
875445021cba95c36ad8ef86cfbdb787

SHA1
fec6697458c369444d6c225a83add4573398c67e

SHA256
1503de293dc0b7a0382cbf1b32f9404e81f50a705584cd12ca1a048fdafd3642

SHA512
63e09e96567e8f0c000e56bb639648205d080bb1d5d227c5df6c714d5c7bc1ad3883a402a3acf4ade2dbd13145cc2c93fae230fe45de64d1954ecb248dd1d40d

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
80KB

MD5
d22f5c926b54ea73a0f6f4652a268eb3

SHA1
5f56f28dd21ccd0d923b4e6db97dcd7ed2a26d2d

SHA256
90aa04914f2d7a3d8cbab4326c5d60e2de632abe4296ef5ac4ea1db9653c3baf

SHA512
a42cf10808d5256bae6f32fb3fefc38d97ee0d418ec7849648a65880881e919237f23d2d70bc9d237615808d75ff9556891e62f8df64b1a8a7dcf5b4cb8710c5

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
8a7c4c173c608d3fc94ec81667cf7ccb

SHA1
333bba6fe6bcdc39c1b3b6c736e9aa0116361bed

SHA256
3574342ab8ba67bdfeb5b47b2958e397b534ebc44e03b9b09c9f7268e68cc0f8

SHA512
d4eebba35891cfa58bff6a1aa9d4a14ed9cce8686d8c1ea9ddcaf6e4e36900a8b29273d2c93f6e26bfe948a2f97a704b4153d1b1e374c5fcfb307e1313642f51

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
80KB

MD5
a6ccf2e82802cd2d70478a51b0963a04

SHA1
ca61c7bf4d90038a7513a3b19cad1206a037d835

SHA256
78a57272b01ff1d13e8d8f99427e67bcbfa8f97d9dd9d9181b2233af69fd5957

SHA512
4e94ddf0a7fd59f7d70974ecdd4ad70e0376c1827df7d8c5ecb3fe7aba45b07bcfc3469a97e976ac03367a3e1ca7ceba683a6961f90e13b974aaf9355362421f

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
80KB

MD5
27d98fc3342a9bd749d734413ff46c6b

SHA1
d5e7b54aa48c768ae2b13862c0cb8afb18e3f095

SHA256
661fd9238f295b5593d9b82d19856882fd2db79bf3440b4ce70620a2cb0842d4

SHA512
d77fd135fac0036c1b6ee3bef7ef5d1a0ed148300a9e129b9a7e54be87b0792e2c7424c40f2ed902f84fc27417d48d4028b19c66b270d652a99d29a8ac82d8c1

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
96a66a42e986b03643ed1b91cf589524

SHA1
44eeca9b57f2d28fe31de6831ddac43137400a9f

SHA256
03abf589c53993fab04ea628cdf5131a8023f3d89cb5ba9bb741c1e07b06ee84

SHA512
e3d490af13c76e63af4a4ebd34621cfbfd978446a4a2d8c70db8150c2ce2fc8ca206aa982ef2d3c4d74de84a42dae09e5ee6a798d20175784ebdbdbf047d28a5

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
a2aeff3c56b081e3f8dc71281aaefd00

SHA1
a242228487cc91632cb91b5fc0acdba25e32345b

SHA256
4fe2475afaedc002de0e7ae37caca1b567fb119529afdd5002e409c9901e8d80

SHA512
b2476a605b3a3068d2a3ef4bed4b654c0483e2cd932d44d823654c3c0d809e169850a8d129fde735c0704645b329d9b1473b6f1ba4cba093a9e32d9d0e23e29f

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
80KB

MD5
cb5c919abbcd516177e62fa696f8d59d

SHA1
7a75670e59bb4a0fc0c7111335fa035e7a7ebe0b

SHA256
251f60e858a42c79b3fc4678d8ed90334c0e282304ebdbb2fff7a7ccc6f2d0b0

SHA512
884d9fd0a62f4e06d7e471d857b0852d2308884066a94c2ff3c5e52ec2f2dc8da756a61f3369e66742acbd30e46e59510b702bdf5725534617c025b2871722ed

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
80KB

MD5
752168c813f91ba86bd545e9f3ef2003

SHA1
448ec5b95b0cd9bfcde5b8d4831a864edbcb4211

SHA256
5a9785b6697c2ac82f9ec1ec793db11ce78596d6c6c2c3cfc4e48c660f3fdd23

SHA512
29aa09a1fda93e94f25fbfadc716e5bfc6245bd6c60759019d90dd69fe5a557925c4c44b4bd4720389b317d03818dbc9edbef0b29c7e39da4819e67a8aa3bef4

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
80KB

MD5
e56b0e0fd2666c96ba33339e3d08887f

SHA1
291bbd6259b44be6d68262b7c50e979bde84ea8c

SHA256
366744ab62f1e40ac8ad515b7aad12eeb4b28591f0be599aea23449e26dda5a4

SHA512
9634d8ff263c64b6a0b646fe229a7875021b1a57b6f02aa6211b25481182f3261871fcd1a99b2bbe1db88a0197a313331e2e3e0c0bf9a20574b8b9110f21ef61

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
80KB

MD5
0703b234d2b1cfb2c9a61046f9974dcd

SHA1
fcb84964b882104fd5bf05e6d55c9e424bf6b7a0

SHA256
b345e4555eab3cc7d00dfac4e6e0dabf2104349022259dc21146e46a0883ca24

SHA512
1b76c562f3968f678c2044fcc06893f2ea2606d5010308373b5236bcd7887a2eae0936c664828551d7f23f1bb5ddce213fa7c4a263ed71f287411a64fabf79d5

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
80KB

MD5
ad53bbd03804127a3851a2ab023eac41

SHA1
8eded43604cec8b43ed3fde306926cd47f8c3dc6

SHA256
201fd13fde3ae5c87e65bf3b8b92258c4d5c9d8f1e9daca25d02ea5da8450e21

SHA512
8a8a441b0824466ee0df3a23380668167986b33b3ae4eaee7a9c52532ddc70d886ba0c02b214cddb9a0db4449cb501938301ea8e36d263510d96eebb132a60bd

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
4ec55e48765776fa7bc5cb3efeaf47c1

SHA1
c6ce9faf74965c722eb4fe119365d3bf9ea739d7

SHA256
e617169d29149e62521c7127f0182f2f7f0dfc1e056086a269c71c697e40f1cb

SHA512
ec0a51d65689de9170b3695438e539b8ebf1e1de5aa04d7d9730fbe06c7170e9eef3178a3cfd310fc2aa05d455542d9ec4c2e815cd711d3a2148b42458693308

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
80KB

MD5
2782312cac45abd3d88f3a9d141c5078

SHA1
1094929237d66a1f1a7c0b0e96f3f75ef0986c49

SHA256
cc1e879df5c4d72d358937de5e1dc543e735e5c0b75ad8061e3993975bc7a1bb

SHA512
12cb0b2d10daf038c6e07d6c3a69dfb78d91fe6abb34cc3baf4a65f087b4fb670346961a71225174942d1b3c568f01cc83b1d30622950cddea900e83a0689ab4

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
80KB

MD5
8ad82b0f0c07d2dcb9cdceb3c4a3c5b6

SHA1
2aaa46bd44d577c49a67ecfd5d76afdb8848f8d1

SHA256
ca4347ceada914f94a6557d6d6fe9a87c01ed016aac52edf63c9b85743882f75

SHA512
f82dce145b40e04500cbb1b2712c6c4d3124211493fdcb2c4c5815cf5099dc6500b38127f040eba9c3c9d091e69bd0003617fc1ac27f0e5e23b0c8e919f3cfb3

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
809dddb692a74ccc93afcac03210c1a5

SHA1
9b19fd14b9772fc6b692af8a166b6d1e1d88c4df

SHA256
c4240309a6503e022d5e212797da84c651b690bf38b5484a27c8560db0ac7e8f

SHA512
76a015ab05eb8aa1ac79bd1acdee15f3f53533f8e45494a7345359ff85fea0d7621680f7964583482c45196350f984a7716e409dd5df78633da8aacc9dbd500f

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
80KB

MD5
5644b6721d18366da84d45b7a3d8f8d6

SHA1
a761bea920501beb7c09245cbf504cabd8c92e03

SHA256
f743a8c6b0ec712312ec450439eaa5ac3e213a678cbf8daf88f70b2b34755426

SHA512
581b85d443c6a6dedeba0ef989c1761c713c5a8268b890680398cd742994424da7ae36032b21e4bed8c9f03869d0eb3fe31694cb977e13646b67667eeb2e9977

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
e776372681eac92e54ad6833c8bef0f4

SHA1
d9e5a307cdc2b6d4750f8006fd6a8f708a724ffb

SHA256
4ff9675f3ba2571234c8b0d282c5861801026914be0e212bf8425052eaa4cf4d

SHA512
c8342689261ad4c10b5c0c57ba951db0f9e06b39ab75e0c8c2d84d1a50afc8c825ff26be248099ad4e76cdaebbf11448743dc92edd29d6739e62215acbec9ac2

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
932276f09fda5e631f7760a745f0dbc7

SHA1
69a47e3df431ba5ca1c4af16e9c4a927c2dd1bd5

SHA256
03d1ea54bac138bc1ee49ce46492919093eecc0571dfdbc22d81f7efbd392d85

SHA512
61e5f55f49b68cffcfb3d4ae2002e6ab098eee766cff0899477b27befb9a271566b342cad1c47b8cede2a745b5e6242644ceff8d4e3d15e36ea8593da997b54a

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
b6b0029f473f550464b490dcd9e62f7c

SHA1
9e54ce43fe19ee825409dceb9a55023901521fb4

SHA256
18ab430944e40f6789ae21e5c6b889809557108c8c66b9ad4961fc4e1f9c872f

SHA512
ecfb690d85a03d48472205d83d61250bed4268581880b66cdcd85244413d1aac7763bd05c5a5d688812e87abc3a881a7e01f701b045b36abc93a19e92b17d45a

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
256763899aa1c563c30c1180c7164368

SHA1
2c4e25c068eb9f8e374a7d32698cc6572e21c423

SHA256
378977c3ea9e9ed9fd16c1b9bef331591c6903f0acda8fdd5beff0678636579d

SHA512
db92305734c51e77a34bc034cf82b67bcde497aaa2d5a43460a480c14905cc3d14c0f156b5cd471b792ae435daf7700a2ff62f7ca9a80f68e1fb151e78195d05

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
80KB

MD5
fdbe90a003232df666397d3d7d2e7e1c

SHA1
16a785eec23a4103b094eb340dcb78f6f63f1e5e

SHA256
0927214aede1b7be61125317b89256d94060531718b0f77631ec9761a8d37148

SHA512
66f806e0b877eaa11efa439efadcfdf5f4c7f73c190a231a896a104a1502f7410b9eb6b76b1bb9c6e34eadab0df44f46302faaa1c94517c80f5a893c275c47d1

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
80KB

MD5
7c2a530294ab82f6aa04509f46bc1c18

SHA1
f0621a5939e987477fc0881abf62d54e70c684a8

SHA256
d0b860480e3e9065df5a2771b52bf9de2429a78d176b22aa90544da1593f4061

SHA512
720fe35a4e63963f98ec863fbb4ae0018efa73aedb2ddd8d6198d674762c7aabea0b71d3d3ce4e0eb8eb773a7fdf51c6fa8ffcf571d06a7d8cb32976f4c9236c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
80KB

MD5
3dc573c5fdf6168c11904fab9e6f33a2

SHA1
287d853da7bf261b3dfbebfea300e586690d3290

SHA256
002d61a4213f864d53e6bbbf9e1bc728afe301736a3c7dba643a3aa85bf34af2

SHA512
6a5bb991c5374e60e3e41c23ef5f9169f5a9648334b36358002d66d2f7247263edd9528e2110cac2eda87b5065de761b6d9e169207bdef3974ec57b2aea27ce3

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
9ec1dc23d336592d672736fa550df72e

SHA1
a42736bf5e8fd63be37bcaad16f6a76219d8ff98

SHA256
bdefb541acba83b4e9e91da26b1009455498911c588b70e4c986190134240a7c

SHA512
12a2b71f5ff37f9fadd1ebecf1a279faa7c893064031c9bb8a2f3c290d62aea8a8c0287f142d56d546dc5cf7bb28a2a950be7c6c32e8220b86f41264f0fb8ba7

Download Submit
memory/316-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/712-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/928-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4684-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads