2d8a55d8c730577a03461615f141d8708542010d1ad8568e46e9c8a966cec839

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e35bcf4a48eedf83a4b89833044f21.exe
Size

136KB
MD5

13e35bcf4a48eedf83a4b89833044f21
SHA1

d09ce035ea1ddbed372a9569b5009bb141dfec8e
SHA256

2d8a55d8c730577a03461615f141d8708542010d1ad8568e46e9c8a966cec839
SHA512

e330d9f4e13ec68bdbf5e66ec33c4a083466e2979f3711ef3af46cd012b8088476e28a0af7c9eca8751943d1e827be6fe8bbb6c45719e3fa18f07fa903051405
SSDEEP

3072:2V+n+1WWJcaOPXuhuXGQmVDeCyqOGbo92ynn:2VxOxPXuapoaCPXbo92ynn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	13e35bcf4a48eedf83a4b89833044f21.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
4284	Kpccnefa.exe
2840	Kgmlkp32.exe
64	Kilhgk32.exe
2884	Kpepcedo.exe
948	Kdaldd32.exe
4516	Kgphpo32.exe
1188	Kinemkko.exe
4872	Kaemnhla.exe
3288	Kbfiep32.exe
2528	Kgbefoji.exe
4180	Kipabjil.exe
4504	Kagichjo.exe
4592	Kpjjod32.exe
4652	Kcifkp32.exe
2160	Kkpnlm32.exe
5108	Kmnjhioc.exe
4564	Kajfig32.exe
2184	Kpmfddnf.exe
2420	Kdhbec32.exe
2756	Kckbqpnj.exe
4008	Kkbkamnl.exe
1500	Liekmj32.exe
2796	Lalcng32.exe
5044	Ldkojb32.exe
5020	Lkdggmlj.exe
2460	Lmccchkn.exe
1044	Laopdgcg.exe
1676	Ldmlpbbj.exe
4064	Lnepih32.exe
4156	Lcbiao32.exe
3624	Lkiqbl32.exe
4520	Lnhmng32.exe
776	Ldaeka32.exe
3260	Lgpagm32.exe
3640	Lnjjdgee.exe
4544	Lphfpbdi.exe
3352	Lgbnmm32.exe
2076	Mjqjih32.exe
1764	Mahbje32.exe
2728	Mciobn32.exe
1140	Mjcgohig.exe
4512	Majopeii.exe
4984	Mcklgm32.exe
1320	Mkbchk32.exe
2072	Mjeddggd.exe
3572	Mgidml32.exe
780	Mpaifalo.exe
4788	Mcpebmkb.exe
2116	Mkgmcjld.exe
4468	Maaepd32.exe
1544	Mdpalp32.exe
1656	Mgnnhk32.exe
3084	Njljefql.exe
1600	Nacbfdao.exe
4916	Nceonl32.exe
5080	Nklfoi32.exe
4976	Nnjbke32.exe
1404	Nafokcol.exe
2100	Ncgkcl32.exe
1648	Nkncdifl.exe
1776	Njacpf32.exe
1408	Nqklmpdd.exe
3416	Ndghmo32.exe
808	Ncihikcg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	13e35bcf4a48eedf83a4b89833044f21.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	1116	WerFault.exe	158

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	13e35bcf4a48eedf83a4b89833044f21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	13e35bcf4a48eedf83a4b89833044f21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	13e35bcf4a48eedf83a4b89833044f21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mgidml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4284	2408	13e35bcf4a48eedf83a4b89833044f21.exe	86
PID 2408 wrote to memory of 4284	2408	13e35bcf4a48eedf83a4b89833044f21.exe	86
PID 2408 wrote to memory of 4284	2408	13e35bcf4a48eedf83a4b89833044f21.exe	86
PID 4284 wrote to memory of 2840	4284	Kpccnefa.exe	87
PID 4284 wrote to memory of 2840	4284	Kpccnefa.exe	87
PID 4284 wrote to memory of 2840	4284	Kpccnefa.exe	87
PID 2840 wrote to memory of 64	2840	Kgmlkp32.exe	88
PID 2840 wrote to memory of 64	2840	Kgmlkp32.exe	88
PID 2840 wrote to memory of 64	2840	Kgmlkp32.exe	88
PID 64 wrote to memory of 2884	64	Kilhgk32.exe	89
PID 64 wrote to memory of 2884	64	Kilhgk32.exe	89
PID 64 wrote to memory of 2884	64	Kilhgk32.exe	89
PID 2884 wrote to memory of 948	2884	Kpepcedo.exe	90
PID 2884 wrote to memory of 948	2884	Kpepcedo.exe	90
PID 2884 wrote to memory of 948	2884	Kpepcedo.exe	90
PID 948 wrote to memory of 4516	948	Kdaldd32.exe	91
PID 948 wrote to memory of 4516	948	Kdaldd32.exe	91
PID 948 wrote to memory of 4516	948	Kdaldd32.exe	91
PID 4516 wrote to memory of 1188	4516	Kgphpo32.exe	92
PID 4516 wrote to memory of 1188	4516	Kgphpo32.exe	92
PID 4516 wrote to memory of 1188	4516	Kgphpo32.exe	92
PID 1188 wrote to memory of 4872	1188	Kinemkko.exe	93
PID 1188 wrote to memory of 4872	1188	Kinemkko.exe	93
PID 1188 wrote to memory of 4872	1188	Kinemkko.exe	93
PID 4872 wrote to memory of 3288	4872	Kaemnhla.exe	94
PID 4872 wrote to memory of 3288	4872	Kaemnhla.exe	94
PID 4872 wrote to memory of 3288	4872	Kaemnhla.exe	94
PID 3288 wrote to memory of 2528	3288	Kbfiep32.exe	95
PID 3288 wrote to memory of 2528	3288	Kbfiep32.exe	95
PID 3288 wrote to memory of 2528	3288	Kbfiep32.exe	95
PID 2528 wrote to memory of 4180	2528	Kgbefoji.exe	96
PID 2528 wrote to memory of 4180	2528	Kgbefoji.exe	96
PID 2528 wrote to memory of 4180	2528	Kgbefoji.exe	96
PID 4180 wrote to memory of 4504	4180	Kipabjil.exe	97
PID 4180 wrote to memory of 4504	4180	Kipabjil.exe	97
PID 4180 wrote to memory of 4504	4180	Kipabjil.exe	97
PID 4504 wrote to memory of 4592	4504	Kagichjo.exe	98
PID 4504 wrote to memory of 4592	4504	Kagichjo.exe	98
PID 4504 wrote to memory of 4592	4504	Kagichjo.exe	98
PID 4592 wrote to memory of 4652	4592	Kpjjod32.exe	99
PID 4592 wrote to memory of 4652	4592	Kpjjod32.exe	99
PID 4592 wrote to memory of 4652	4592	Kpjjod32.exe	99
PID 4652 wrote to memory of 2160	4652	Kcifkp32.exe	100
PID 4652 wrote to memory of 2160	4652	Kcifkp32.exe	100
PID 4652 wrote to memory of 2160	4652	Kcifkp32.exe	100
PID 2160 wrote to memory of 5108	2160	Kkpnlm32.exe	101
PID 2160 wrote to memory of 5108	2160	Kkpnlm32.exe	101
PID 2160 wrote to memory of 5108	2160	Kkpnlm32.exe	101
PID 5108 wrote to memory of 4564	5108	Kmnjhioc.exe	102
PID 5108 wrote to memory of 4564	5108	Kmnjhioc.exe	102
PID 5108 wrote to memory of 4564	5108	Kmnjhioc.exe	102
PID 4564 wrote to memory of 2184	4564	Kajfig32.exe	103
PID 4564 wrote to memory of 2184	4564	Kajfig32.exe	103
PID 4564 wrote to memory of 2184	4564	Kajfig32.exe	103
PID 2184 wrote to memory of 2420	2184	Kpmfddnf.exe	104
PID 2184 wrote to memory of 2420	2184	Kpmfddnf.exe	104
PID 2184 wrote to memory of 2420	2184	Kpmfddnf.exe	104
PID 2420 wrote to memory of 2756	2420	Kdhbec32.exe	105
PID 2420 wrote to memory of 2756	2420	Kdhbec32.exe	105
PID 2420 wrote to memory of 2756	2420	Kdhbec32.exe	105
PID 2756 wrote to memory of 4008	2756	Kckbqpnj.exe	106
PID 2756 wrote to memory of 4008	2756	Kckbqpnj.exe	106
PID 2756 wrote to memory of 4008	2756	Kckbqpnj.exe	106
PID 4008 wrote to memory of 1500	4008	Kkbkamnl.exe	107

C:\Users\Admin\AppData\Local\Temp\13e35bcf4a48eedf83a4b89833044f21.exe
"C:\Users\Admin\AppData\Local\Temp\13e35bcf4a48eedf83a4b89833044f21.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\Kpccnefa.exe
  C:\Windows\system32\Kpccnefa.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\Kgmlkp32.exe
    C:\Windows\system32\Kgmlkp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Kilhgk32.exe
      C:\Windows\system32\Kilhgk32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        26⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        57⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4692
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        71⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 400
        72⤵
        Program crash
        
        PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1116 -ip 1116
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
136KB

MD5
e78d4d11607571de82f76eaed6baa5e0

SHA1
78d4ce6cf93ec36eaa0a6944086967b737ac2b17

SHA256
2b6ed6100be79027b84aea576fbbb8651cd2fc5d2f61007bb0667e56e19d59cf

SHA512
5804063d6b06ef2fef4b68a987fe94a30aac05f770b541cbcd6b040930129265757f39cc5db8411a2c361a0ed387e9d0f9ae6194ae7990e607f1c53cae6fb756

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
136KB

MD5
ceb361ba82a4cd8cd8a997e001949184

SHA1
9a951a9b221759ff0f5b003a860a5695f096013d

SHA256
41619e0afa1bbd592548990a6fba6381a1eda186b26b8a5776cceeb7cc7d92ea

SHA512
edd3599a8f99ec73420087bc22b3b50a517333360c14dcdcc1e75ea48fdad205a526a2f42aa539cdf038c711f2c2e349976e873ef16eea0f38570f3e29f6aefe

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
136KB

MD5
c85523622f96461de0fe9c709f0d13c6

SHA1
3126623df3f6df02139bfa550ffb3f2eb3421fe4

SHA256
133324ccc796063ac23334bc5bcdc81ca6bdbb0f78b838a28bde1290c9ee445a

SHA512
d6320682d7465fa4b55c61610b07132734b1fd68b7d1e8bc5fcab94a80747ed8e4a47470d84a028870df338d7f0ea68d32dfd9237cb0b1f0bf355ebe44a5aa86

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
136KB

MD5
72aae8e280062d40dc00668f41939cb9

SHA1
3fadd545309bdae741dd2a6d9796fe47a053c7bb

SHA256
ea79464dcf50caafd05f36da879a33f8f45884b997deaf9151b56fed9315fca2

SHA512
09f1ed0af4920dc16e837245ec469d68b798a8a066a94b27b0894a661d6e58272211e72f040b1879a0f04f141d1df5b3be91f9d5f8d429715368c03b010f0f73

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
136KB

MD5
2c2fbf77953c858f2b4707e15d1bd16a

SHA1
22530747a2cf1c5ff68e02bd90386918ac7e2723

SHA256
3944b7eca8656cf18722334935f6b62234c715c90498b5b86fd45ca112198cd1

SHA512
dc61d27e572d594a7facd3a86aba19edeb11b8a8390cab20128bc2feb404dfccf2321c86bc83fb8fb6004a4525752540cf2559afd900d3cc2447008f96e2c2c3

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
136KB

MD5
310b67767a8d7c9b360c177a03c4319f

SHA1
b24a92462d4bc0bcd91bf8ce2b31f80086827771

SHA256
abbf7fbe5a0ac1f6712683ff169e57bdbcffbec6b07a6d400b003e6856c3ea21

SHA512
a74b4b07dab7685faa82d76ad81bab439182adb8f057cfac5d1cdb543570139645e593988f29d268b23306d163997f3e8bb7c547f595a2ac236ec37168c19775

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
136KB

MD5
1cb0acf6b03ac17f90d13652a89d908b

SHA1
68800d7b2bb3ff949cecbb34a6da39f4d9c2d3da

SHA256
d8fb2d05896bab8a088273f3f23978cd1b9fc27cb862f91b732496595c0138c4

SHA512
8937725dc732be82619540b9a738cc9d336e4837e5760d97c6d9ff49d0084adf9a7041fb778b935cf8892a206f06eb396e712b11215ff217329738ad33a572e2

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
136KB

MD5
8ea4d63cbc95b74ccfbee82c7807677d

SHA1
7d38ae4cb59f9c387c9169334e08f494b95412c8

SHA256
04f1a6e14db0b089bdcefca59b97099277e26f8ca1e982b03d99dd51167bf83f

SHA512
04959e0d6b588ec930e09628e4935340d823e9a1b279d6ca75b13df2d4272205f3d02290564ffbe093951dab9fcbe8f2c1d09ca2aa692370ea2fc35db65cc722

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
136KB

MD5
de8bc735948c87527d0e0f5dec083f05

SHA1
238ac9dddd5ee5ee138643cad3d2f574644074fb

SHA256
9787909400f1fcdef9a7ee5b77db0c6c95d8edf82a8536aa225b05cad89cf1e1

SHA512
e496747367eb8b887f882f6dab8b8548cf118d1f4d99181330370e69cc511fa05ed81c0901f0ce20a8c3e854ace1ef509d6455a1abb8461dd5c8e5fb7859e741

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
136KB

MD5
5a20b49b28f28b38b7864bdac8a693df

SHA1
6d3023322209134d728fb6a1409fd3e58e8efb18

SHA256
3b3528812c3e7ed5ee25411a4e112b5d80ad51f55d63ae20645a98a9f57ed994

SHA512
62d8b99f071c6b3377e46d45f120a31eb371f830785657a6f7860a102653c08493c613dff4a54fda24f36da91f4295aa7cd1e38be2e99ed30d371ce9273c1f43

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
136KB

MD5
0cf14ea475d78993e8c3ce91f8c289d9

SHA1
ca70816c522b5221615714a983a6cca51b3b98f1

SHA256
da5b5272f423110b034def81278ec13aa699e9988341e49565cbe8553bf64813

SHA512
da2609821dd04ddbaf81d31f64a35521a672001eadf1116c7f86a81bfde8230e132443165f9464e016edb58a2e114caecff0b45157f28a324cabcefa26173761

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
136KB

MD5
1ea3f5c9059e8d43b8c6d3b379cd194f

SHA1
28b0b5cb52ca5576cedbc5eef79f82f11bedfab1

SHA256
b98523632f6fb827e0f2d733f9bf1a736e00c60dad93fd1c1bd09eeedf808a31

SHA512
18197a634d0380466a2d8f39c6020fc0202e805edc70f76aa4e97de79b7ce563081491c7b66d2a3c408c8077f9873ec21626e076c0c3f7d86b5f77a45018c1d5

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
136KB

MD5
8d0a3ca407758abc215be1619ab6c16a

SHA1
f3897883307fd02ce5018927e17d850447bdfaf5

SHA256
eadc6a701007e7310ec9fa907b50dfbe18a252a7203401e81abdd85b570db64d

SHA512
032f4f470709d7eb04c24f30441614c7f63992efab6ac842973d105116c33e6fbbafd5a41915d3b3e2ba302f2c62dcccc4f83015c8492877c87f5be3c7cbd7ca

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
136KB

MD5
ffe2a3918c39613c54d3df64988db009

SHA1
4a7d36efa1a63d04c392869640672a3f3b28987b

SHA256
ee868df3d86f9ae7432555d369f4cdc894417708769762cc7f418d02e4e72392

SHA512
0496b467384f5cbb981d82a97a43d929d104bad31d3651140020cfbf7b44d46f828bf1d75bb535767a8f6abbed2fc609cac64f28de0f2cc2772fe49c254777ba

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
136KB

MD5
27240871995b92b97649115e82991844

SHA1
e7e08f9d66fd85123a2da649eb2963340b390c43

SHA256
3ad63160c284d212999edae4a9c0c55379113fa044ed14fa54a3fd88b829a0e3

SHA512
a074fdd53b8a2569abb8b6807f24abdd38c93ba44495d95dba79927473814d03b079b45b1399680082f409302421a219bc95861fbc431b843fc474b372391c2a

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
136KB

MD5
5148d07353fe444fa0367c551f80de57

SHA1
ec038af30b9f919f46a9d27aabf5f4cf9ea0e3b3

SHA256
b7679e41c3e3d1bc25fe5212792308961b0c23ebd097d6abe4049d655b464fde

SHA512
dcb5e6b337de1c333d0073933b8639909ab4f238f5f7cd263de94fbe5172d6c7e019004d1053c6453e7ba42672d1f5196e0e804ea14191b2128ab71169ec05d3

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
136KB

MD5
17ec80b4ee7a7d772464cb0f74878d94

SHA1
212737594e0e83025dce6a1595245bf2b421f3e2

SHA256
b75452b887ef4d8fc050d37caa5c5c195d209c8e489da43226af5ba7706a3571

SHA512
96729c0b22a55f89a3e5aa734c1115ad5d56e47ef0a207e8405b7e221603927aa017dc657de99c1b8178d2d61c166f08778c024d367118b34f02abb703222335

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
136KB

MD5
a5f7c4682803e7e99671d686abd52c21

SHA1
8f947122dbe783304723c91517e31058020c7649

SHA256
51faeb0ac66024ac5d05c08722a70ccaab4773cde070642f5dd5e88a243e0c86

SHA512
4acb0de6b8541b6ad61476492a2cca922323ecfe724fba9a2c91c8a3b1a34c3d21a400cfc68d1f0c16379273fe3b2eeee7ea974b9da8e71b8d936c3ed4f345b9

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
136KB

MD5
a8f7567a2a31f116775d65a79ad7d2f1

SHA1
850cbe89cc13529365b91a5db845174d5d29d652

SHA256
8e3d87495e92a6f5a2f504ca3a94a702c7a3195db7e3ce03322d2ab2b5614a27

SHA512
bfe5f44dfa8e8c015a307dd5bfa39f8440bee5338d2344d74d30b9c631cd77af2eb811ffa8412d66c5478b404b2495b7a79b9dc4e73a5eb4349dbd65c8f70d44

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
136KB

MD5
f794e3cde90ede9c0a20fa6c69844923

SHA1
63aee672d718b46bb6112396d1a98da89f80d3a3

SHA256
9c93a3f5133113952bc57e23379df6f7a7a04cef3feb880e92f0538a62638e5b

SHA512
7ec0e9794976ce8d54e360868d5b2a97a94db10018b7ec24160b8a8a21da4e2682867674c2be354d6f7afe870ff7ea52490020c6d84ec0d695aae097c702dd7f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
136KB

MD5
070ddfc7de72f374c9f6d857549bfb08

SHA1
4d6a58d5d8a6f5cea639e1b38efe96df37918acb

SHA256
88802f5f9787527b67a447deb3606c277f69475794b0b27b8bc47afb469584c5

SHA512
e4f704f3401e6394dc5b8f13c9d6c9eb3cb16178af7f55b4a9feec0da8b0cf9def4058c3270a5aac3a501cf5fe591a2c19408088a5eff8cfcc1c5198dc370a65

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
136KB

MD5
23a5b41a65080f49a476943f3cd27309

SHA1
7ad953f28701ebc1e2b77f7da74a274f6da54f1b

SHA256
6c7929e892e4339a9ba8c01580a4c762c1e17597b4ebc4d992ff2b79ed8fae50

SHA512
753e8ae29f5931177d2d261cec75884d48ee096835043fe6e20865e43d39bd11c66660aa5b9d41cebfb4807c4d750032c982f8bd0bc5513b679d5677ebf0b845

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
136KB

MD5
12689c4ee730d4c821baf994c2197067

SHA1
7e70dd7a2d039da812ca73866f9f48881e37134b

SHA256
190cec5f47252b8cc10b899b7ad746cb28f9dffde2583debd82950c6cb3cc457

SHA512
a4aa47b1819c4c3dfe00cda1d0e9e28c2b67114c4dde39003e398888457dd45acc71bca51cd28c99613683ec2897aa5b2a7440efdf320b5c6dfab0fbc15e2414

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
136KB

MD5
78903f00eff84c60403c775f63100d46

SHA1
4f8996ec2910f7dfe91bba28107a9f222d0e63bc

SHA256
1847a9408ec053a2c4845744a61f5b00657d07372745620d5b46321b9a2f642c

SHA512
8a97ef526c31b6916ad20b244b88301bf547af3a63d33742c9301b0a041cb1abd112370d3740560b1d5cdd1449739e7fa1e5f57b6c1d12c4d1af1173d6235f4f

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
136KB

MD5
2a8a0b9dd1c0a60f75dbb4c098ce3aff

SHA1
6839c6625b57c4aa37a7648e71e925f0b7324ab7

SHA256
6c54ca0292e11143f27c5a9171f0757fca54e8ecd7a6a2563d54bad32f87bd16

SHA512
ff569e5d286d935c927977d3444966fb6bbad9a0382d670249c73b4d8d7f9a672c9e203d2dfbd94154b4c08f2ad38535a4f974464c65c2050c71a600337a0371

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
136KB

MD5
a295d7bec520ef25d16e6e94b8ee3688

SHA1
39bd2e31cca232294b021424d84754ba6cb8b97c

SHA256
d9c74970edcacf84255adb9b0d357ab8946a7410dc22f1fb19ff31c98914b900

SHA512
6ebac8815b5fe45d39b9e3989219e7297d8911f08ca0908635b9aa0b03bd4e8185a41870af4d453264b1cb18616738b112c574904d42538e2eb5680ae971654e

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
136KB

MD5
d9ad233e564c67c84a721716de937ea1

SHA1
57ce6586b32d0610318912f68e0c9a1fe49b698b

SHA256
2ba95cd708a266ce8c38a152a5d21fbc29725a63085da83f08dd610b5ecb4d9d

SHA512
98f486e5d808d327c5ffec01290066c32bd648f869fc23ab92fc08420255a9879f1354fad0a3c16fe45b0d0eb5c5b1ac9aa7a38259427b0ae50fed3ab944a372

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
136KB

MD5
ad77d38ef05eebbb47af65898ded10f9

SHA1
545562374be6a151522bf5e224b46b4d26e15b0b

SHA256
cb96e89e8e757b16aaf81fffd362d7a8612f910c4e263e6f771f2b53daedca1c

SHA512
a9c613a6e46601cd38a533eaaa0c07a52c822efc54e48aca06c21409b8b48ea85e0c83575c614135e9e3965685b11906252851776367aa276b73e08d547cca43

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
136KB

MD5
79e915853d0d2ac9372b8289a31b16f0

SHA1
a85b13a390da05d21353ac0277468f6be081b626

SHA256
65a5dd895ec995b3b8377c66f63dc8deb2cbc006672378ebb41a5352f4d761d5

SHA512
a5ef6557695812410eb51bec4dee557d64687132abcd05616288369f9be94b2520ec74ef9edb0c51507801e75c12733c9124396701eb0c9a26bb47ed6a0c2eff

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
136KB

MD5
bd59907d05d07e9b1761dde6d89b0acd

SHA1
67fe55c6f87044f8659d1c10b4b3539ef4698049

SHA256
e17af31eb3af49aeef0d32b50a49a7fb1a5ed15235084a1207308d0a68a8364b

SHA512
02674d4d40ac41ee2c34384b757287244637de6791bb4fdd1ddd8d4eaf454eb9923a85c6741054ef9af57b54128962fb5bbf6f08ae7f0994e8956e7d6ad142b7

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
136KB

MD5
90fa17a503463feefd5d00f37f0b99c0

SHA1
a72c3309dc21d5532a142fb5c239d19b2d5210c6

SHA256
d41b7c648120fe8c7a3f7b0f8b5f857a5bb4a28c5473ab88c4141481997111ec

SHA512
be59be48659594ab85a46be64bb791e1b0ccb01f26e88df2287f02aa723b44744141f8edec1e13ef5c54f47029c859704b8eb9a77f7214d14546dc658c44b784

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
136KB

MD5
eb0824b73fd93ed1fe690bb27744f40f

SHA1
cac92f87e9be75fc3165a286d3a2d08819d8d0b5

SHA256
2f5b8ba6af7d9cf65902208cf4c4cd0061a0d9c9ebefb8eb2771b434ecdc4d5f

SHA512
d67a96eee593247d9b9041b7fd7729a6106f8740e22545e127cd913dbf269229ca6c9e84a836fd390d2d3707b91356c5ed8d0ad3fd66e8538597d5949ba85e20

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
136KB

MD5
7b1106f8aee485ba0307078fc2edbb00

SHA1
b35db91b508d6ed21a24bd77d943a3fd5bf24da8

SHA256
8e2f03b56783a28ca8c248df75c9c1e9e624ef0943d7cdb49cbca128c396eee0

SHA512
db0202198f15fc85db1c6811cbe78dfb2750ec2b5ae3d30877fd18c0f38c8e4089b9452c86a0d0c5d8628845c5c38e3083d0f40f78c526e158a10b0d18d07dc3

Download Submit
memory/64-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1544-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads