d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Size

112KB
MD5

0b2bd46937127d03ceb3a35c9273d046
SHA1

04e0160d524e54efb1f1716994a96b9e5722e555
SHA256

d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4
SHA512

4c18507b91b562803444b44832c4e66b79f28dbd5404be82487c412ed4834e050db45bd51bbef07719766fd21ce9e1c177e1ab68686d60b408f466dfdeb56b2d
SSDEEP

3072:mvZmieR+cyD3pRTFNVMDjCMs1K3r5+nE0eFKPD375lHzpa1P2FU6UK7q4+5K:riRM3wnE0eYr75lHzpaF2e6UK+4p

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe

Executes dropped EXE 43 IoCs

pid	Process
4108	Kagichjo.exe
948	Kcifkp32.exe
4796	Kibnhjgj.exe
4264	Kdhbec32.exe
2572	Kkbkamnl.exe
864	Lalcng32.exe
2920	Lcmofolg.exe
2900	Liggbi32.exe
4408	Laopdgcg.exe
4292	Ldmlpbbj.exe
4444	Lgkhlnbn.exe
1296	Lijdhiaa.exe
3624	Lpcmec32.exe
1868	Lgneampk.exe
2532	Laciofpa.exe
1420	Ljnnch32.exe
3600	Laefdf32.exe
2952	Lddbqa32.exe
396	Lgbnmm32.exe
1220	Lknjmkdo.exe
3956	Mciobn32.exe
3156	Mpmokb32.exe
4004	Mcklgm32.exe
2232	Mkbchk32.exe
4280	Mamleegg.exe
5080	Mkepnjng.exe
1644	Maohkd32.exe
1608	Mglack32.exe
512	Mnfipekh.exe
1048	Mpdelajl.exe
2860	Njljefql.exe
3460	Nqfbaq32.exe
2852	Njogjfoj.exe
3620	Nafokcol.exe
4752	Nddkgonp.exe
1780	Ngcgcjnc.exe
2004	Njacpf32.exe
4508	Nqklmpdd.exe
3684	Ncihikcg.exe
4912	Njcpee32.exe
4052	Nbkhfc32.exe
692	Ndidbn32.exe
452	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	452	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4108	4228	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe	84
PID 4228 wrote to memory of 4108	4228	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe	84
PID 4228 wrote to memory of 4108	4228	d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe	84
PID 4108 wrote to memory of 948	4108	Kagichjo.exe	85
PID 4108 wrote to memory of 948	4108	Kagichjo.exe	85
PID 4108 wrote to memory of 948	4108	Kagichjo.exe	85
PID 948 wrote to memory of 4796	948	Kcifkp32.exe	86
PID 948 wrote to memory of 4796	948	Kcifkp32.exe	86
PID 948 wrote to memory of 4796	948	Kcifkp32.exe	86
PID 4796 wrote to memory of 4264	4796	Kibnhjgj.exe	87
PID 4796 wrote to memory of 4264	4796	Kibnhjgj.exe	87
PID 4796 wrote to memory of 4264	4796	Kibnhjgj.exe	87
PID 4264 wrote to memory of 2572	4264	Kdhbec32.exe	88
PID 4264 wrote to memory of 2572	4264	Kdhbec32.exe	88
PID 4264 wrote to memory of 2572	4264	Kdhbec32.exe	88
PID 2572 wrote to memory of 864	2572	Kkbkamnl.exe	89
PID 2572 wrote to memory of 864	2572	Kkbkamnl.exe	89
PID 2572 wrote to memory of 864	2572	Kkbkamnl.exe	89
PID 864 wrote to memory of 2920	864	Lalcng32.exe	91
PID 864 wrote to memory of 2920	864	Lalcng32.exe	91
PID 864 wrote to memory of 2920	864	Lalcng32.exe	91
PID 2920 wrote to memory of 2900	2920	Lcmofolg.exe	92
PID 2920 wrote to memory of 2900	2920	Lcmofolg.exe	92
PID 2920 wrote to memory of 2900	2920	Lcmofolg.exe	92
PID 2900 wrote to memory of 4408	2900	Liggbi32.exe	93
PID 2900 wrote to memory of 4408	2900	Liggbi32.exe	93
PID 2900 wrote to memory of 4408	2900	Liggbi32.exe	93
PID 4408 wrote to memory of 4292	4408	Laopdgcg.exe	94
PID 4408 wrote to memory of 4292	4408	Laopdgcg.exe	94
PID 4408 wrote to memory of 4292	4408	Laopdgcg.exe	94
PID 4292 wrote to memory of 4444	4292	Ldmlpbbj.exe	95
PID 4292 wrote to memory of 4444	4292	Ldmlpbbj.exe	95
PID 4292 wrote to memory of 4444	4292	Ldmlpbbj.exe	95
PID 4444 wrote to memory of 1296	4444	Lgkhlnbn.exe	96
PID 4444 wrote to memory of 1296	4444	Lgkhlnbn.exe	96
PID 4444 wrote to memory of 1296	4444	Lgkhlnbn.exe	96
PID 1296 wrote to memory of 3624	1296	Lijdhiaa.exe	97
PID 1296 wrote to memory of 3624	1296	Lijdhiaa.exe	97
PID 1296 wrote to memory of 3624	1296	Lijdhiaa.exe	97
PID 3624 wrote to memory of 1868	3624	Lpcmec32.exe	98
PID 3624 wrote to memory of 1868	3624	Lpcmec32.exe	98
PID 3624 wrote to memory of 1868	3624	Lpcmec32.exe	98
PID 1868 wrote to memory of 2532	1868	Lgneampk.exe	99
PID 1868 wrote to memory of 2532	1868	Lgneampk.exe	99
PID 1868 wrote to memory of 2532	1868	Lgneampk.exe	99
PID 2532 wrote to memory of 1420	2532	Laciofpa.exe	100
PID 2532 wrote to memory of 1420	2532	Laciofpa.exe	100
PID 2532 wrote to memory of 1420	2532	Laciofpa.exe	100
PID 1420 wrote to memory of 3600	1420	Ljnnch32.exe	101
PID 1420 wrote to memory of 3600	1420	Ljnnch32.exe	101
PID 1420 wrote to memory of 3600	1420	Ljnnch32.exe	101
PID 3600 wrote to memory of 2952	3600	Laefdf32.exe	102
PID 3600 wrote to memory of 2952	3600	Laefdf32.exe	102
PID 3600 wrote to memory of 2952	3600	Laefdf32.exe	102
PID 2952 wrote to memory of 396	2952	Lddbqa32.exe	103
PID 2952 wrote to memory of 396	2952	Lddbqa32.exe	103
PID 2952 wrote to memory of 396	2952	Lddbqa32.exe	103
PID 396 wrote to memory of 1220	396	Lgbnmm32.exe	105
PID 396 wrote to memory of 1220	396	Lgbnmm32.exe	105
PID 396 wrote to memory of 1220	396	Lgbnmm32.exe	105
PID 1220 wrote to memory of 3956	1220	Lknjmkdo.exe	106
PID 1220 wrote to memory of 3956	1220	Lknjmkdo.exe	106
PID 1220 wrote to memory of 3956	1220	Lknjmkdo.exe	106
PID 3956 wrote to memory of 3156	3956	Mciobn32.exe	107

C:\Users\Admin\AppData\Local\Temp\d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe
"C:\Users\Admin\AppData\Local\Temp\d50a335ace3a87e5e01c053a7a86d33955c242373aa2514875f4be37fdc863d4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\Kagichjo.exe
  C:\Windows\system32\Kagichjo.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\Kcifkp32.exe
    C:\Windows\system32\Kcifkp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\Kibnhjgj.exe
      C:\Windows\system32\Kibnhjgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        45⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 412
        46⤵
        Program crash
        
        PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 452 -ip 452
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcdihi32.dll

Filesize
7KB

MD5
ba97eb583adbd32147eb49023f88d903

SHA1
190d9821346198765d6e92f54d6d89521f5306bc

SHA256
b6f02de7086fafe97d2d4b9cccbc45c5f75bcc3009bf312aa81d3229ac5cd953

SHA512
c181b1ddb5758c05041e9bf9e07a9de0aaa5c50cb7d2555b8f049ed78849f57c17aea50e871b7216cbab73e3c872461cd9c83b9521bc0a504cf36b7bfa0f48cf

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
112KB

MD5
a4d4988c6bb10e6fc2d924eb2eeefbdd

SHA1
f1743128ab8fa8d942d9d18d127c0e479406e1f7

SHA256
262eff79283d13d451a44f526c799ade9245b1a7ff579cfafe90a30b91462b7f

SHA512
386903758d9956e6e6fb46ce2e2f9a595f75658582e6818f513918d72c9eff2e0f5f6f907b69d87e5125d8f17ca25b45a92d121bd0ce39484f6a50dfb1b1e310

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
112KB

MD5
89d893554024e2c25750dcedc109fea6

SHA1
dc3a90e8f2361f82bc5e00a0fa178d52a4feb1b1

SHA256
2cafa7c1e7f7bb8438e99b83f35172f7df5b1fe43a941bf0784394e771085ed3

SHA512
ba3b82ad77ac06161b289a1892d9b820a048dd9e62af6b22613f349fd0fde7233003b605b4cf7cb13037889d198e3b75d686629973fb2e939c38b795b3972721

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
112KB

MD5
78e4048e8cf59248ab8fb8ca6d7c80fb

SHA1
43a47e44e3c3b1f27bb94da122356fcd8eabe25b

SHA256
224fe46612e66ea8dbb34cb2466119fc1eb64eaa0eab42d5398b642cc9cd8aeb

SHA512
503edf36773b94e4a631fd6c10878d7ca704e85630e9e5f525acf9aca57c079fc3f1035d3201f5751e80a45fc018b7d8b93ab45ccc338873a8cb89323408b2ca

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
112KB

MD5
05f53d5719405577f380076e34745157

SHA1
d541a36a306615512e99d6591173751268fc793a

SHA256
a2835e3d3069c7b35a0e4549e77e24155618d8c5435d8a961dbe08481bd65586

SHA512
763e07358133b1a363a0d82c72bb8e0d1460e0251adf61a51ca83a8efdc0081926b5632807cd2cedf666245b8a6eed40f680b3d55c52196f78209fed5b1edeb7

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
112KB

MD5
d46e06a10bb806fae44655be6ccd545e

SHA1
2515bbb0b718c2e45ead6a7224ab7ae109db5c4d

SHA256
9464f196f2c82a72112da6b19d8490e1221ebd7ed48699b60c74cd200acc9781

SHA512
a4d305a08828c0305e738a5c0b48b3a6c79ee90a2b75cf151191ebb17238401197c7a57d02f93e5e1d10994129234dd1c7b472995eec37373fed7b5b9c2a86dd

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
112KB

MD5
165f2c5df27fb2b1ee28388019b26179

SHA1
e779944c3942f583218f5b33a8c842a9e3a5997d

SHA256
0af3dc2393081b17ff12da114e9d10d18d3052ea7d29779eee7e25b6cf8fc0db

SHA512
279ca9687a30937483c457b8feee1c85c2b9462e7746cfcc8714f0937f1124ae0d5cac63527ae8264947a0d92c0c22080340c568c7fd4f7a6d24d62cc564090c

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
112KB

MD5
bf91f995ad454cec4f0227b1fd2aad4c

SHA1
7cf4b18731fbdc7c6a67b9ca287accef7302b703

SHA256
598f7d131ddc7ef22e1e427cea3a0feb80d3756d6334d91e0756c3acbe0d9ccc

SHA512
f8fc3a2c0979570f2e916386946a2b6eb760e4d73a238f7828cf38ab4ce510db45f4780083c14773c527836c0bc3b1598144fc37d5a4b4aa7969d1c3d2e20b12

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
112KB

MD5
38c93380e5bde8f07528b290a70d53fe

SHA1
234aff6beb255874bd6bd004da908171b6069489

SHA256
0d337820fab7799f2e843a6ea9bdb42fb01dbaeaa646c81efe4c4dbdefed4487

SHA512
c6261a38f7e244653f5688541d46ea62afe17150b699e81d8ed775ad689795c935394a43a5544ed1ed20518c7985a8a98707c83f5b4fcaf8d836c19c427faf90

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
112KB

MD5
293f0e6c5704ec25afd29d8ee5441ae6

SHA1
fe956fbc5b9569ea386959ecde2fd778b115c9db

SHA256
7edc3407c9994f00e4d48659c9502b4b01dd6540e14135acb25be572e4ff0371

SHA512
c6ec649fcc74073a9c71da70f97d8a5fbbdc747d8e4a7c84468bef01092a55c71fb67518c6ce63fe0d70de8a9dd0382b76533578c4356ab89d5cb17213b1a419

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
112KB

MD5
5c8b948f35e5e73c62a54794c525aef1

SHA1
b8b6dbfe5e270459714dbc2fde810c9b6b391f57

SHA256
5ab2054ffb5f312a5d3933efcd2450b9d6916cd67986b374dfd585807cbe46a7

SHA512
13fd50392cb30940146033870c90c8301c2a78d3a5c19894cdf561c250ff4e1c04a25ec2896cc18cc7a8a6086cc7a10c669d5b284018e24dd5412921596a9fc4

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
112KB

MD5
008b8edb849bdb90bdfbbc8ae334b34c

SHA1
99b2be15aa6943a1b052f8af0d3f94c67465a4d6

SHA256
1eae508af859395cd59791de32148bb476f6f5190f034439c3ac35325a0d8650

SHA512
59a4bd2c8a937ee5b0cc49f170e58cc9bcacc1a24051938be3a303fc62cffe89ff1f0d39a17a51b7819f023529c70016f803b1470b7a42786ce4215d913498a1

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
112KB

MD5
6384182d876fb3d52883305c59e8dab1

SHA1
65b8eddbfb88a80c400646f5a25286c112a6ea3a

SHA256
399bf99c7e86fcb6135fba14d5b7eb0fa1f7e73740e455a19c4ac47a00a7a6ce

SHA512
20fe08fa46e273c83ef3b8f626426c37a0e1ac679e977974cad2f8a1e55dc9ef48078177fdd4a9713329adfe5c19448402200576dd953f97413f2f051168332f

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
112KB

MD5
ba5f010a6a0d065afed103f50c737c6b

SHA1
2a15208c9e104725d1c4526891f2fa724e4734a9

SHA256
ff8ed6f61d9d11f21dd31a2b6900727d972d430b28b84087ad0fdabbf5a5806a

SHA512
073712e7b26f7e65ddd4b36b5145b11a51ed8c2b75b0c29149f5decc5ab87ce1023e07f1a81de774b50fbb3bfe1506a86011822ad8c2cb97b38e3484a86d6fff

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
112KB

MD5
5be5132da5f73bf0845e6c30e3a40770

SHA1
57915791e49067cff4c2e392b5b2abea3a061cd5

SHA256
a1c1db3a860fb488eca21674ed58cd363a867123a8bfa606c5c208474330d4f3

SHA512
739de17e127eb6e8ac186d6485113769e4d8380f2256fa70d0d8493fe087bfc9bf576dd4ec3845d5fa4644f55bd80d5447d972251b1d68bd7e85a04756bd5a04

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
112KB

MD5
dcd6a349064f2f9d31e2d54b7758df75

SHA1
c29c7ab9767e48147c41c8fe06e485172d94df5a

SHA256
18d015468b986c801df50ba151db5ad1dcc2dcbf44d772a84d245d47a167a35f

SHA512
09c3407492ba5b04f55ac65621a8fdd86fd5d4002af86605aeca60c51e64ee3d6e3f356c4d0d410f447c65b6775b32662b59bce6bb79776d5625726c4bc0f9a3

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
112KB

MD5
67b1a8f47a5912a67541095f08bdf764

SHA1
8d7001d39013749162a63b546944c410ac0c7077

SHA256
6b6d494e4560edd36c62ff768d5b9f1fa9c8cd61000d0a72533183f3310417d4

SHA512
a9c30ccd20724289902b95beca7e4019770aa7c7b96e60383830183620d36879327f8cf9d657255a0d361e0db30b12ad5d075b366dcd20c9b20b4ca93586f371

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
112KB

MD5
adb6d59c35445902702885c31d969517

SHA1
5941d47cf7f4b96c6eca0ab158a14ace0a0be00c

SHA256
d7e654eee4ce035d9965b338ad1c79b830ac9b9b5b22b11852d70d44175447c9

SHA512
bea993bb0925ed21c94fe1053b163190349ead209a11e8c518341f090563499409a3400d688660fd374fe2e8f781e87866800948d4d83b8c034158ba6f6e24b1

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
112KB

MD5
df244f8191b549e2e9f91238d49f0f7d

SHA1
22128c1c18dba750ecc4a75e00eb689b95824f9b

SHA256
7718a81d236b748ad26f5b95618803aebec6ef74debd07f6077b4f32fa3fd7af

SHA512
63bc46fe5d41dcf626f09d267eed78de847d4f9814bd6ad2071ac567a64269dca84cfa16e884ddbca869cffc8a82faf87369b969aa8dfc4ca69f72c32481b51f

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
112KB

MD5
435ecd45c87fb25b4f0f5277d8d46bc0

SHA1
cafb4de499623c07a52ee69475161eaa3d70e018

SHA256
1c6815d49e3734b998cf764ddd085f30e3a6b0c9ab2305615734f42c3fb97866

SHA512
0abd8235a74f9a865f137aceef6b8414b9822564ef644c2d0c3101e3641c9ad2f5704767022fd7d3f2cc2cb619ec90825d46f9a153ce26c6db964ebccc799898

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
112KB

MD5
5dfde89af4748570a6470457b922499a

SHA1
1071faa6e0beaad28728a2be208008bb029596f0

SHA256
80571e40da07cc2bc9f38c1b4ce8aa06a908ccbc22a670dc0df8a36a4c679e45

SHA512
1ce9355e91ce85bff858303865b9b468e861716780336f5fca551bd445815b7af91e0fe5813d9cddbfabcefc583a884287221c22e604708db5c68d688f09dba5

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
112KB

MD5
4023f4a3f38cee7647a46dffdae0c507

SHA1
52d8ff6e49e31c5f265a46edcba9408fde5ac85c

SHA256
4df3bb852cfa7f67e062b5741749b2e2c810f457c8cea6a23f59ed10bcfddc30

SHA512
ebd45b416930324367a590bf0d0ae04a0c2d7a5d33cf2f923502a5a79578c4be19d14bd2b03cc5cde00baee29d9e5964d3a9dbaf1aa3d0759470d618e95a4908

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
112KB

MD5
b3ff314925091377bf0f2b5823da0972

SHA1
2c946e8a9e43115e673244217d443e14e5a2f5f4

SHA256
09c06285457f7d45267b444adb7139a276a6e29127eb3ec98a2cb8720cc9ec90

SHA512
355a8000447185d0f5a12c8c6a78275ecce9e50e65322ea8153444c8fcd49f63df52d42b975a48a4e125e2a4fb24d8c26108579200d26a2b4962ac04d840e1f8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
112KB

MD5
9c23aa0d5161e1c03f73820529b73823

SHA1
19eee001cb2c03f199d134429ea4af69fa695c5e

SHA256
4d085210831bbef0762654250669c1b8d2bde2e80dfc8aee7915be01f83cc7a1

SHA512
1e36251235413d2635946d4b469cd00d0329b99f4274302bb6556070549aa28ce9cb29487437901c4e48bfe7199fc860fd0f7559cf85f7bda3d3eb6c7a4aef57

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
112KB

MD5
84cedc98893f657077f772eb87681fea

SHA1
44a313b9d3ffa7152233702d5189197d720cb9a6

SHA256
c20ceb3188e3a0c9a5c872e1e07a50a9b6428c394d3228bf2722345d2901f9ed

SHA512
5eca04f66bc07b007cb4b1218f9a8e18da0a82fd2553725e76cde97b08577cd1c8fca475e9c91c08ba3ff57843976d73ef790d9f4338bd903d005eff9f3059c2

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
112KB

MD5
b5bdcb518509aeb71830632307907d91

SHA1
8731f60523e354668560a469206e334f560ade18

SHA256
03f50c822254466aae227f1aff3047ce6d67895c6a6d9246c415379c7db44f72

SHA512
a1d9ab63ca56db757b077003249d8ebde8c9fede53019db716ec9fbb196f724635b44eab8f6f911cb5f540209f82e2067fd7bdf8ff5385019c35dd3f3fe75d90

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
112KB

MD5
951706b15d46a910ffc29d217882ab36

SHA1
39499f4c9663f80e8e38e73a3e34be700de5bc07

SHA256
723a07718305b938ebc61fc17e4c9ffadd589cb1441318f2b2f2411a5b5cd316

SHA512
41408b83286ce426feac523c853b3d42e280723c96b0bf47faa5194ab879498655c54ac4bfcd93cb8b5bedb053ddafd797b00d621d75b5de916e0c752894c486

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
112KB

MD5
827b821c2aada861581a7887fb99cb57

SHA1
4b31d2d4d5f15c5b2dcc33c04669bfee7bf70620

SHA256
a9b5f86ac3e2db2855ecd720ea973916eabea1cb14b0f0dae3837d2033d3c782

SHA512
c40748f32aea78d5dd38c4063ff60ab240859927457e28809268831053367d51cb441c7513f5ec420ffa51f5d537a66e62fc6246d10097851048878580077aa3

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
112KB

MD5
e5aefd84fcdd224b76bd3b2db2942b35

SHA1
ffc47c355dff12653b41430c29a1d65f32b53c17

SHA256
04908b9644b6c65408e78fe0732d127d957f1cd175a9a3bc0779ef88bcd3c622

SHA512
12a7add8117b28be18c04078496a8af62798a9f66e3a021ba98e440b8afed43f90a0baef53778c57fa22ffa3e39c57582d742246baae275e1b3f191c3c8fcfb0

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
112KB

MD5
209173b0841a591e4ad320e02224530c

SHA1
2c6351f049467eb0a81d3083331f887ac2aecade

SHA256
d937722d4f143d7d10cb93f8f676f11a4a8ee26076d0237f9eb011d46029c50e

SHA512
1b98356ecaa9aeba2fc96fde3b924069542695360ca275ce9a372e515f31517f24bea09a20f41620a03f04816bf326a997e937f0b7c0d4bc81334d6c211d9b56

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
112KB

MD5
d446cd7f8d4093e819f8e112e8d5a4b4

SHA1
d1d470c41396fd71c9e051cc50efe09869130626

SHA256
5ab4157dfebb52e25d666d3cbb9e893f2b7f896f93b28210f1c31efc5e9a36bf

SHA512
26ee9965038af1e7bab071e2e9d1d2412dba0310061a15a90f14af2297c48b58495b840155ac4f94651d3dce9609762d91d78af34d3116b8b3436c3b082af274

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
112KB

MD5
7c20e62e09b8ea29a2f55dd5c9d852da

SHA1
922932ba9763bd48e137d524101af67b7ffcdadd

SHA256
419385e0b25b67ea1735253fbce93af4180bf6a993016704b2e6e06e2d4494e4

SHA512
82c4cdce3389d43826c8d763342b483f7367194b009b3852116620dc9aa7f1f18afc7a9991da8331745c9a6a38e4d4b276e9cc9d33cd17b93efd646b72fe8f87

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
112KB

MD5
2094c73aa681e4677e4160f1020bfecb

SHA1
117d43b3b1173e7a8d8dc334d086c1f87302498b

SHA256
117b12a8a4823169afd027070ca114019692a27da29ac195efdbe756329e5c41

SHA512
042369bff1707489c3e96d568076170149509facf3edbdcd93f1f99fb0f13cce01fcf22730e4a86029c3a2a1fc5f1f1381d80ac6acc1ce948506c83ba5e61b4b

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
112KB

MD5
9b555e06d21de6805f26c782b152eb26

SHA1
d02ee69a055df789bb4493f328570b976ce7cb23

SHA256
78be2ed29f387e1332c88149f29a47a209b470fe78e10c2f8e27aefc64663a24

SHA512
6a18bfe4f416080f99f12f09d80a636993033924f702f605cad9adfc3a29db17becb4d10b69da1c05ac335eca6b2d5e89708a91f73988a930b88c7c0c47ed0bd

Download Submit
memory/396-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/512-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1220-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3460-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3460-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads