9d6c9fa0d7db8a264ece153598c67bafca87490e2521bed628a145fd2aa85cbc

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5826e606b453916249ea1596ef1af2.exe
Size

416KB
MD5

0b5826e606b453916249ea1596ef1af2
SHA1

1a8cffd5b7416133aae38ad90b08668c3cc12d70
SHA256

9d6c9fa0d7db8a264ece153598c67bafca87490e2521bed628a145fd2aa85cbc
SHA512

83adea28aec36f367f433865672cf2e4d659ec5d2145dbfb32ad94167b62e8f903abbb239d720f2e676a473ebd4685211c218c1eaae52d2d80785c89f540c482
SSDEEP

12288:tal/QJYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:tvYJ07kE0KoFtw2gu9RxrBIUbPLwH96I

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0b5826e606b453916249ea1596ef1af2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b5826e606b453916249ea1596ef1af2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe

Executes dropped EXE 43 IoCs

pid	Process
2628	Kbdmpqcb.exe
3656	Kmjqmi32.exe
4568	Kdcijcke.exe
3524	Kgbefoji.exe
952	Kmlnbi32.exe
2848	Kgdbkohf.exe
324	Kibnhjgj.exe
1744	Kajfig32.exe
2724	Kckbqpnj.exe
1316	Lmccchkn.exe
5020	Lpappc32.exe
4012	Lcpllo32.exe
2324	Lnepih32.exe
2120	Ldohebqh.exe
3028	Lgneampk.exe
2096	Lnhmng32.exe
4060	Ldaeka32.exe
3936	Lgpagm32.exe
4388	Lddbqa32.exe
972	Mnlfigcc.exe
3216	Mdfofakp.exe
4024	Mjcgohig.exe
2084	Mdiklqhm.exe
1428	Mgghhlhq.exe
3960	Mnapdf32.exe
3148	Mpolqa32.exe
3344	Mgidml32.exe
4764	Mncmjfmk.exe
4508	Mpaifalo.exe
4780	Mglack32.exe
4484	Mnfipekh.exe
2760	Mcbahlip.exe
3680	Ndbnboqb.exe
468	Nnjbke32.exe
3440	Nqiogp32.exe
2932	Nddkgonp.exe
1612	Nnmopdep.exe
2464	Nqklmpdd.exe
2236	Ncihikcg.exe
5012	Njcpee32.exe
3244	Nbkhfc32.exe
3360	Ndidbn32.exe
1536	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	0b5826e606b453916249ea1596ef1af2.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	0b5826e606b453916249ea1596ef1af2.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4404	1536	WerFault.exe	131

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0b5826e606b453916249ea1596ef1af2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	0b5826e606b453916249ea1596ef1af2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0b5826e606b453916249ea1596ef1af2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2628	2860	0b5826e606b453916249ea1596ef1af2.exe	85
PID 2860 wrote to memory of 2628	2860	0b5826e606b453916249ea1596ef1af2.exe	85
PID 2860 wrote to memory of 2628	2860	0b5826e606b453916249ea1596ef1af2.exe	85
PID 2628 wrote to memory of 3656	2628	Kbdmpqcb.exe	86
PID 2628 wrote to memory of 3656	2628	Kbdmpqcb.exe	86
PID 2628 wrote to memory of 3656	2628	Kbdmpqcb.exe	86
PID 3656 wrote to memory of 4568	3656	Kmjqmi32.exe	87
PID 3656 wrote to memory of 4568	3656	Kmjqmi32.exe	87
PID 3656 wrote to memory of 4568	3656	Kmjqmi32.exe	87
PID 4568 wrote to memory of 3524	4568	Kdcijcke.exe	88
PID 4568 wrote to memory of 3524	4568	Kdcijcke.exe	88
PID 4568 wrote to memory of 3524	4568	Kdcijcke.exe	88
PID 3524 wrote to memory of 952	3524	Kgbefoji.exe	89
PID 3524 wrote to memory of 952	3524	Kgbefoji.exe	89
PID 3524 wrote to memory of 952	3524	Kgbefoji.exe	89
PID 952 wrote to memory of 2848	952	Kmlnbi32.exe	90
PID 952 wrote to memory of 2848	952	Kmlnbi32.exe	90
PID 952 wrote to memory of 2848	952	Kmlnbi32.exe	90
PID 2848 wrote to memory of 324	2848	Kgdbkohf.exe	91
PID 2848 wrote to memory of 324	2848	Kgdbkohf.exe	91
PID 2848 wrote to memory of 324	2848	Kgdbkohf.exe	91
PID 324 wrote to memory of 1744	324	Kibnhjgj.exe	93
PID 324 wrote to memory of 1744	324	Kibnhjgj.exe	93
PID 324 wrote to memory of 1744	324	Kibnhjgj.exe	93
PID 1744 wrote to memory of 2724	1744	Kajfig32.exe	94
PID 1744 wrote to memory of 2724	1744	Kajfig32.exe	94
PID 1744 wrote to memory of 2724	1744	Kajfig32.exe	94
PID 2724 wrote to memory of 1316	2724	Kckbqpnj.exe	96
PID 2724 wrote to memory of 1316	2724	Kckbqpnj.exe	96
PID 2724 wrote to memory of 1316	2724	Kckbqpnj.exe	96
PID 1316 wrote to memory of 5020	1316	Lmccchkn.exe	97
PID 1316 wrote to memory of 5020	1316	Lmccchkn.exe	97
PID 1316 wrote to memory of 5020	1316	Lmccchkn.exe	97
PID 5020 wrote to memory of 4012	5020	Lpappc32.exe	98
PID 5020 wrote to memory of 4012	5020	Lpappc32.exe	98
PID 5020 wrote to memory of 4012	5020	Lpappc32.exe	98
PID 4012 wrote to memory of 2324	4012	Lcpllo32.exe	100
PID 4012 wrote to memory of 2324	4012	Lcpllo32.exe	100
PID 4012 wrote to memory of 2324	4012	Lcpllo32.exe	100
PID 2324 wrote to memory of 2120	2324	Lnepih32.exe	101
PID 2324 wrote to memory of 2120	2324	Lnepih32.exe	101
PID 2324 wrote to memory of 2120	2324	Lnepih32.exe	101
PID 2120 wrote to memory of 3028	2120	Ldohebqh.exe	102
PID 2120 wrote to memory of 3028	2120	Ldohebqh.exe	102
PID 2120 wrote to memory of 3028	2120	Ldohebqh.exe	102
PID 3028 wrote to memory of 2096	3028	Lgneampk.exe	103
PID 3028 wrote to memory of 2096	3028	Lgneampk.exe	103
PID 3028 wrote to memory of 2096	3028	Lgneampk.exe	103
PID 2096 wrote to memory of 4060	2096	Lnhmng32.exe	104
PID 2096 wrote to memory of 4060	2096	Lnhmng32.exe	104
PID 2096 wrote to memory of 4060	2096	Lnhmng32.exe	104
PID 4060 wrote to memory of 3936	4060	Ldaeka32.exe	105
PID 4060 wrote to memory of 3936	4060	Ldaeka32.exe	105
PID 4060 wrote to memory of 3936	4060	Ldaeka32.exe	105
PID 3936 wrote to memory of 4388	3936	Lgpagm32.exe	106
PID 3936 wrote to memory of 4388	3936	Lgpagm32.exe	106
PID 3936 wrote to memory of 4388	3936	Lgpagm32.exe	106
PID 4388 wrote to memory of 972	4388	Lddbqa32.exe	107
PID 4388 wrote to memory of 972	4388	Lddbqa32.exe	107
PID 4388 wrote to memory of 972	4388	Lddbqa32.exe	107
PID 972 wrote to memory of 3216	972	Mnlfigcc.exe	108
PID 972 wrote to memory of 3216	972	Mnlfigcc.exe	108
PID 972 wrote to memory of 3216	972	Mnlfigcc.exe	108
PID 3216 wrote to memory of 4024	3216	Mdfofakp.exe	109

C:\Users\Admin\AppData\Local\Temp\0b5826e606b453916249ea1596ef1af2.exe
"C:\Users\Admin\AppData\Local\Temp\0b5826e606b453916249ea1596ef1af2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\Kmjqmi32.exe
    C:\Windows\system32\Kmjqmi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 428
        45⤵
        Program crash
        
        PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1536 -ip 1536
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akanejnd.dll

Filesize
7KB

MD5
0fd5e617be9d067c87348fbee639919e

SHA1
576e964eaf8589c5d49693d6346b726d261b5e3b

SHA256
d79e05c88ad66ec2e71109edbbcb4c01220353452317851b3b6d171f240ef4e4

SHA512
621d33016620b34e2cf0d38cacc982451ab3dfed8ee49d24ada8c1cc45817b7475fecc92778f9892cb16a067a804a7a71cb00512c6560aa792b63f47000f9f49

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
416KB

MD5
51a8dcfb45faa586f8ca1a21ac571f13

SHA1
4ef74a7d8f05ec326475b75839d715293e37a1f0

SHA256
065d72e4a3e65ab10db3accb948a071c0180938501cc08c236a608769472a20a

SHA512
29c164ea72a94a3ac368b985e96af1c99550aaf1864963be30a9b779aaa1a9022998632ba3444dd8a8da5aee02cdc7963619b8bd70b4a1680157ede7b98bf03e

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
416KB

MD5
f0cc00fca5f8fcd8f1547fb3ff4b4ac7

SHA1
ecd2599cf5e9f6b340be59debdd57b309e1742ba

SHA256
92a2c72c606671d8a9da19a84aba471860ee55543d9c17fda9e3b9c8b45d3238

SHA512
75ea8c14fee0840159a3bacb914a7747d270aaffe206f12188ada4a525e6360fe92f34f94347c2d4368527755df25a4b3f451916ce30b0e2ec0880b278c3ab37

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
416KB

MD5
104476d28c129a4f028130a8fdc44dc1

SHA1
005bb758ed6bf41cc73e006607b1e80a7d38a92c

SHA256
d8742c7073cd6a73e9421c4c98615ca303bb1f634c8105ee3f9338e19537b5db

SHA512
256c0c8f176a119b132fd7ec1266c67fcf4e7ab090d07ef82da2283fd68f64b81a0eb3615f0e80bab0144067d15d1f15b0c59ca4e8b57a9df8a898a3b02bea9c

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
416KB

MD5
a7c179cec1e808cbe7c88db32adcaeeb

SHA1
916f15c1021a697e21a0657677c114c5ca33ba40

SHA256
e943dbb4364cb6731d8a32d9c78f20577dea4df460b871c0c1bcf38aecabad68

SHA512
40f1309045c32ef69785b3d28497fc00e70700516c4260049a28b6ea9da27070dd472e841d5099b4ffe7c4bc6ef4668bd7309f074b38c7964478bc406d74a834

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
416KB

MD5
b0a52340091080c9c1baf0401b375ef4

SHA1
fbec857a1f517e9af709e97a0ac63db40b8e2f1c

SHA256
7b308dae75c5ed50405b111db2f6ff3ffef195b6884e04287f5fae92ed8b63d0

SHA512
ea6e681949902b6104c071a4ba6617cdc489f2d2a66d467d50a676222e5a166630740e95d441f0f1c33bcbd4af50a94d7768e6f29db9149a06a29d438cccda26

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
416KB

MD5
401f779597d51a8f0d24183d2c1c4e87

SHA1
5abcc2f61cc8bb71eedb51f8c4e754eb8b48326a

SHA256
d095da8840d8344f0e5606a71c4b8c80477157785f3e545c2080210e4499301a

SHA512
50a9593b4514c356e0b7bae130fe0bb56727792dae9ab3363c4afc433e4a15aecdbee79600e06911b4e10c7a8ed40c7a524eebff4fc80ff7f59f13d43129d4f4

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
416KB

MD5
f30844025b8e0b5132151b7cc87a9170

SHA1
49ee4cda4402cf436d09bd258b1807e96e521e18

SHA256
263543356694bdf3c0e49492af93b37b8094a37dcf932ae785a613e644c824c4

SHA512
f4d233ac545a55ae17845595c276563f05ebf70b729d64edfb27412d7942f47bdd29bbae1421bc11ac513de26bf444d956365cc68d416e8b7ec673938597eef2

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
416KB

MD5
c138c4f96900c4b510b97c2e1ee578e4

SHA1
4c0d5c0a2d0105e0ccaf92db2a5eefc75e9170d1

SHA256
da93e179712679f1099488e3a4c13cba84d0b42aa9f7e3429f8050b4b72d8872

SHA512
c08aa686df63c6688aa8d0f881447a5eac67d054c7747b9dd894032048751127f7669941199dd1f9b8f67b3d84c07fd83cb0f3bd38084ff81b983a32071c862a

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
416KB

MD5
8a5c7887d6317437b632b5cb84d5686a

SHA1
e33aa7c40a3d4f4c32abb1b69a9bb0db8e2bd702

SHA256
9e866de710c3ee355967ec2b3f4da5907de2073c4120f69e88f49dbe18f54e98

SHA512
cff3ecf44a8ad648919a918c7259fc32cc35ded0aa6116dbcecbde7321bdf31bafa6f8dc5b62aff6073841f369379bb1db6fca9929cc6cda654d89716f975405

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
416KB

MD5
22d22d5aea90493287a26b37e1e53df5

SHA1
ab72045359ef3bb903d6608768e0b392dc547469

SHA256
26fb00c646340aea8eb2b3388ec31b66bfde901c9b3838ffce94909798708b4e

SHA512
84a1c9362f047dade28c2f07d510b63de747021558c094dd130b6dfe4f4b31f514df896c61411b03ff99db5c0a7c224826b26aeba75e4c693537d04b73dc3edc

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
416KB

MD5
2f4fee3bf497363f8c6e2f3508254810

SHA1
9d54899ae917a0db207503b5174e2fd14975dbca

SHA256
e1672626e9f720049aa531256f935e0f70510c2baa2c62c4da4d00a969df576f

SHA512
44134cf868d90f4c94e313b4187fcd1eb1ecb9d515d96a0dff0af415c8fc34d525b408ebf1743d00692ba4adbaa362084f36284e7f65e38ee557c400b825fbec

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
416KB

MD5
2b108c604364c7a5f8602e2b4582ea3a

SHA1
8b70d2a068ab137ffd7e10f5876d985df9fe90ed

SHA256
4988d710d24e58d4bd4107ab1dac373bcbaea455dcd42f71b5526eedceabaeb6

SHA512
6b8b1397475f1700ce618b60b9986ac11c680619c0099cb6ff2e355880358cc1caa8a6b2006003334f28970e45942dc3b5c82a75fadbef92f77d66b27ad1fb17

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
416KB

MD5
f241b4eb749b33ad69ac6efc720c23fa

SHA1
378c346adda8f3a946c500c6c21efc4732e0c1aa

SHA256
69eace38858f8825701d2ab7fa9c7be07228eb82f7d6890486d08ee9e5a57eb0

SHA512
8224e54a3991ce3f150cd3f4b732e9c5df4d8de0cb75403ffb6a3d30e92af16e1570efb5f5c5893ee46ff75192a17863bead018e175509f792d3b64d6299d297

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
416KB

MD5
7feaa0c335f270c89ce8c5643bc10666

SHA1
c936ba0674e38bec7cba08716f3215d63283232c

SHA256
6f95dd562f04ed72af2d17570590a62d63e09d2b835128724499caf9f4771562

SHA512
da81fb3e41602be34fffc0f9e077d7ac091afaf7074f054c9d248c7a9cb58076c593c7a2942552a0110ec12f4b5fa12bef6e870e36954eb4906aef39e898772c

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
416KB

MD5
f50aec0bb3b120628049b5ad176c366a

SHA1
314952107b6104e06fe1925113d5b7843cf3f1a5

SHA256
2468be04f7ab72c7f1fe3816f2160649d0b5b03e2f70161800b2e33ee4348cbe

SHA512
575f7b7faaa1d0cf0b9135f0453a1d4144e23ff9e4adeed8c45f1d71d4a21e90c98b43dcb0b3097d885f0367bfe169c208d2605c8fa8c0b9bfdccb4d55a621da

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
416KB

MD5
2e71cc2bb17a2b4042edb8f8478a3c78

SHA1
9a84f60441f89f57c56e3effd6e9cd16b7b478a3

SHA256
b6326b05f0173e6e05b1c7425a7548d4845e6fb1b6d4830e5c7457536c71ec0f

SHA512
4fecb2b71af8f759ab4274b55034e0ec7ac0c7e87dcdf2050845d1173a5993421200b8b0751b4fee09461c0043eff053a6087d7c844e35f524fb53e51266da21

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
416KB

MD5
9fabf50c55ca1f91c281a67c99a9a792

SHA1
356be7f37e8a49c020ddc3bacae71fb7a6e4e146

SHA256
9b2df650af92328eba995c77003625987391047a688c49990b5c560fe4f3e072

SHA512
16a8498cc3873ef2b0e35e337cd43b96feb09e73705d709230c588e20b2c4f328e854df3a15d0e23eb86b82047e103f376388f49cf8f284eee05733dab08bcd2

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
416KB

MD5
8540800f152610090ae5fc9542adc707

SHA1
3765e55e4593130867a0a98c7b75461548d09947

SHA256
1bd14fbc5e04cd674cec97b743be60bf6cc9512aa586eb6827acc9be90798636

SHA512
0ea12b9e5f7c2e98d10f486f1b48b0856eb70618c3070bae79fcdc3ee753db54fb38f10ccdaadfd8a2c7f361c23eb081d19983e384c39993aee0a8d999296561

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
416KB

MD5
3a532e87a9d28e2db8db69a90f324746

SHA1
75e6055bdb2ac8b3a202cf6eaa0c435669182616

SHA256
a8054ed53e998a70766753bc5dea989ec59c032e70b66c004875f4dffddff910

SHA512
97aa38444cde045c433d0e89ef36bc5190ca74055d12f7b1b5ada094dbec5ad5183f5614bd87be417d28c61782aacdc690a741131433631d1e51290191686c89

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
416KB

MD5
06ad0c3a4e01a8420f1a5af63516b074

SHA1
30767bc9363f86cccd7a8e83031c95d8e85ce845

SHA256
4a2fc3ded702940125250636eafdb59e84a790b6861f1e3bd2179be2ae020bc4

SHA512
e28d0ae93fcff2049ea62c631a3fcb833a255a30b643c5528480697fd53da9ce46beb569bde5c707f75c55a0915190f079b494cdf11fcdfb715fe8e5c43ebd1d

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
416KB

MD5
96f99fe491ef8a54228b224b6970ce13

SHA1
27569af44525a81a87e4f6c8affb63e386ce96a7

SHA256
3b5d14a013d8bd8e71179ca1e3d3a48105a923f535c74fe832bb0b0fb0b3c314

SHA512
f4cec91a85f251efb79f8c659a04efeccc173c5b2c7c335af3316f81c22243a939d86ca214af5194a043013d4701fac47f61d636fdea07dea606bd317bc91a0f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
416KB

MD5
29e0c7a953a45f705d1604f514d998d1

SHA1
1232906d849782be74082a609a7e47bbe964280e

SHA256
d82eeaf3760d5ca95365b6f96566378f0cf8a4ee1bd752e97fb0f005c5c5498e

SHA512
c2b65d2ca1cca1083251190eba834e8724ed687aeab71951afa7cd75dcf9d717a7d55bb9ef58e5e1bd78b075acf803ba805edb0e190680076c84e766633107b4

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
416KB

MD5
715e180c273e287334e6d5e4513791a5

SHA1
b7b3bccbdabf6c13c5c952a9591e8311501d84f0

SHA256
826eef6b585cd5ef92bfe8f3abe575b7bcb1ba83d8447bf913066318ece1780d

SHA512
abf5377980f10ab7a7c8e471e98c8a563103555b27d2087e411a9d3f197d24561f05495176aed4c41fcd838b867cea281b3432c5561e89b70479f4b40c1f3c20

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
416KB

MD5
72eb7ebf4c95f8324766f36e4ccd681b

SHA1
8c8e32e9bdeb989a269f5cd9eb1c2057d2e14440

SHA256
6701ff65d0b62a9e0d4d76576359999442d064d9e0acf71514663724c4806a1e

SHA512
4ba5c5653e0b50ffb69a544763f577cde1261bee419bb4d5afd419ee30b9dbf45b4251e2b2e92c46c793c213aaeb7121aebb5d92f43529eb92eaaae01d59945c

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
192KB

MD5
903e6c90c37b51aae0e0e74992dab0a6

SHA1
81f05f7a668ec79597524a2242f2212d3968cafd

SHA256
c775576bd0d7aacaaa521194f309c01024f420fe7dab3050859a279492c329de

SHA512
66c889b7260d4a8d0fd478b40ec536d322d593d8cc01a41050bb8895dace7aa8eb39a9467e129c087477a546bd9576fe101ece9f814907487d3bc356494463e1

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
416KB

MD5
2dafc4642046a1005eb7a5e6ad92d603

SHA1
4569d1481579843b8d2ecf5a362842d30a9f944c

SHA256
b072da408eaff16b1ea76fea2d60fe17d3c6bf83b683b347ada704667896e63c

SHA512
771f9070f48d3aec87f2a14832a15ec9ba18d1ea0aa0309a36e4687630d0d9f0d21033ceb5d211cf8ce082d66e0f9f52d9ddecd5ef4a4242a67d7bde969cd012

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
416KB

MD5
e8412f7bb84f928ed0608658a5fb2a41

SHA1
2b862313d9c8817d58860887da589d67da23bbec

SHA256
e9de26accd4dea6034d4fb0da3488df7e23c2095083b17bc237e7b7afa9d6a69

SHA512
72437edbb9da046413e45cbc7dc6e7e7362b77faa0145d2946821002ef35c7f993726f15923bf42d8f46cf7d87f8eb8426b3f531de0d37feb0873a1735c27178

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
416KB

MD5
f6b157c9f7273735cbfea320be648863

SHA1
10c7f5a0cfb9878065c7e6ebc4d77406ab80cb29

SHA256
cc4f259fdc4e9731ce972ad915d36bcaa677eafd668a93e580203219a0b0a87b

SHA512
6166494834f189dbfa9ca614f481aa4a9d9f97594c5f1628d6ffed3606cb204472368be34700e4d5e028d18d7663149f68d452fbdb5705833800aa211b23cfe5

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
416KB

MD5
c331b9526d503bf41c388ab312ec2f5a

SHA1
2b952128e230df6e2382743a2ec66c25346eed80

SHA256
1a31b50cfbe5ad96d63e0049d708d1d64e08ec1b331948fbd9baae1368e6416c

SHA512
b4ff754a64c40c4bdec16634daa538be76f7cab91a9aa723a856dff69a6627bfb0d127612d2fe8bb0438ed182cfa5d1a3ccf842a92287abf625bb251fa978519

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
416KB

MD5
0a417c701be5f2f93d86ccee8653112c

SHA1
adf1a322e84d1811d70bf26d1337e92d7c6c16d6

SHA256
4626cdee26cf8ec4d025fef4611488031898ea85fe59c7711677f3815800a05e

SHA512
e6f1235fb79f148866e8580dbcd4ff9b084f3a01ce147515259cf8995e2072129a7dc93fd5b2e2d4352784c5852913efd3d4e3315f5b02d64aea1085bb2f536f

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
416KB

MD5
a4ead07549356d3fc6467893da488e84

SHA1
2c1715f8544699f4e002ccdd84ecdf9f74ee7164

SHA256
4eed81c17dec25805e6cec1773958548c1d042e3ab5d7ea641e50d0f93f5f492

SHA512
abf3bc0b4b33138dc12b14e7659f34dff34fe84aac03cead829cddb22a40a5db0d11e1c100abe6292555811e6c266a54fd43104dd9f1070a9b7d6a62656dd535

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
416KB

MD5
68e0b0d62fa42ba2c3d148bd8cbfc941

SHA1
a71b6fc56cff47d1b114e8182da222fb9eaa9835

SHA256
751749db5c3d39b41261e878a02b6329d69a47fe190c4ef3dd1ae9732988153e

SHA512
ea424f2d2dab0245a02c64d09b7014466d958ed562db434741906c43f6302daf0ac6a0878d6d837462ccacaad3cb4b557850cc6a82cedf214a80ee32137bf772

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
416KB

MD5
24c1e71d25577d79474441e00bc45a3b

SHA1
151517fdc56c0101991e26a7a37c6c68c258366e

SHA256
3875df5654a460d6637073e645b2a1b2e3e6d9c38c856355c7e26f1cbc13e5bb

SHA512
061cbe9bcba775e2fb0d14e5f71855d168392f0cf3dc0f548fb919739e037820ea8fb45a39c278c17e5d981db3aa376e1f4e081d929940c2ba579c233eb4f684

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
416KB

MD5
5c29a2be0007d4ed7042f9ef8d28254e

SHA1
2c1b3af10e15cbde233b7f8f19f5e3a12d6fa4c7

SHA256
68f779d013149cc41e99cde69ed314361d26358291272d0dbef66b941f1bf639

SHA512
ae24c3e5c34446299c900c41c4af5384ec090224a3268f1345170ed89f3328f067d508ba833383ce03b0535a260bcb8d3e0e4f1a03f02e27cdfe69702313c487

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
416KB

MD5
392e38eeef83b49a69cb6ba070796208

SHA1
6ad2d8f9dd392117e69fd95490d0bcb4b258e2db

SHA256
28b193db956863e49cf22806023ff919bf94ea7e0cfee1cc5093d31a1a3b12db

SHA512
7a62d9d90c8a419305c1203c11348a37b1696480859f9a573882d7902d9ce59e8f0875c0ebc49ec0a08bd8708bba43a115eae992eb005b245e201f22a9d223f1

Download Submit
memory/324-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3936-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3936-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads