2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
Size

104KB
MD5

e793a9f48d9bd87c352938ae0562e4d5
SHA1

94616cbd47b550d43005f7d5e301042d33664d57
SHA256

2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c
SHA512

29a7187c6eda960b2d0ec63373b22442a07270b7eef16c8e375af16ae152ea8964e46ff3d200a7d9b1909beb75e5f12c60e3ded37dfb15a9039a068ec9b16823
SSDEEP

1536:1BFrc4cvjBJ6fVlunsQieNXb1kCFqnxYRVkeyyVr3iwcH2ogHq/i352S:3FHc9J6fSXieF0K3kremwc/gHq/e

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe

Executes dropped EXE 57 IoCs

pid	Process
3376	Kbdmpqcb.exe
1392	Kinemkko.exe
4076	Kphmie32.exe
912	Kgbefoji.exe
2976	Kmlnbi32.exe
3252	Kpjjod32.exe
2440	Kgdbkohf.exe
1368	Kibnhjgj.exe
4868	Kajfig32.exe
4592	Kdhbec32.exe
3552	Liekmj32.exe
2628	Lalcng32.exe
3384	Lcmofolg.exe
2932	Liggbi32.exe
2044	Laopdgcg.exe
1476	Lcpllo32.exe
1692	Lijdhiaa.exe
760	Ldohebqh.exe
692	Lgneampk.exe
2328	Lnhmng32.exe
1168	Ldaeka32.exe
2608	Lklnhlfb.exe
2456	Laefdf32.exe
1416	Lcgblncm.exe
3588	Lknjmkdo.exe
1248	Mnlfigcc.exe
1308	Mdfofakp.exe
832	Mkpgck32.exe
4452	Mnocof32.exe
4160	Mpmokb32.exe
1852	Mgghhlhq.exe
4296	Mnapdf32.exe
3524	Mpolqa32.exe
1056	Mgidml32.exe
3596	Mjhqjg32.exe
1516	Maohkd32.exe
2884	Mdmegp32.exe
4184	Mglack32.exe
4952	Mjjmog32.exe
840	Maaepd32.exe
2904	Mdpalp32.exe
1440	Nnhfee32.exe
4088	Nqfbaq32.exe
1052	Nceonl32.exe
3780	Ngpjnkpf.exe
2548	Njogjfoj.exe
4100	Nafokcol.exe
508	Nqiogp32.exe
4960	Ncgkcl32.exe
3824	Nkncdifl.exe
4476	Nnmopdep.exe
428	Nbhkac32.exe
4152	Ncihikcg.exe
4340	Nkqpjidj.exe
2088	Nbkhfc32.exe
624	Ncldnkae.exe
2848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3576	2848	WerFault.exe	142

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3376	4800	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe	83
PID 4800 wrote to memory of 3376	4800	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe	83
PID 4800 wrote to memory of 3376	4800	2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe	83
PID 3376 wrote to memory of 1392	3376	Kbdmpqcb.exe	84
PID 3376 wrote to memory of 1392	3376	Kbdmpqcb.exe	84
PID 3376 wrote to memory of 1392	3376	Kbdmpqcb.exe	84
PID 1392 wrote to memory of 4076	1392	Kinemkko.exe	85
PID 1392 wrote to memory of 4076	1392	Kinemkko.exe	85
PID 1392 wrote to memory of 4076	1392	Kinemkko.exe	85
PID 4076 wrote to memory of 912	4076	Kphmie32.exe	86
PID 4076 wrote to memory of 912	4076	Kphmie32.exe	86
PID 4076 wrote to memory of 912	4076	Kphmie32.exe	86
PID 912 wrote to memory of 2976	912	Kgbefoji.exe	87
PID 912 wrote to memory of 2976	912	Kgbefoji.exe	87
PID 912 wrote to memory of 2976	912	Kgbefoji.exe	87
PID 2976 wrote to memory of 3252	2976	Kmlnbi32.exe	88
PID 2976 wrote to memory of 3252	2976	Kmlnbi32.exe	88
PID 2976 wrote to memory of 3252	2976	Kmlnbi32.exe	88
PID 3252 wrote to memory of 2440	3252	Kpjjod32.exe	89
PID 3252 wrote to memory of 2440	3252	Kpjjod32.exe	89
PID 3252 wrote to memory of 2440	3252	Kpjjod32.exe	89
PID 2440 wrote to memory of 1368	2440	Kgdbkohf.exe	90
PID 2440 wrote to memory of 1368	2440	Kgdbkohf.exe	90
PID 2440 wrote to memory of 1368	2440	Kgdbkohf.exe	90
PID 1368 wrote to memory of 4868	1368	Kibnhjgj.exe	91
PID 1368 wrote to memory of 4868	1368	Kibnhjgj.exe	91
PID 1368 wrote to memory of 4868	1368	Kibnhjgj.exe	91
PID 4868 wrote to memory of 4592	4868	Kajfig32.exe	93
PID 4868 wrote to memory of 4592	4868	Kajfig32.exe	93
PID 4868 wrote to memory of 4592	4868	Kajfig32.exe	93
PID 4592 wrote to memory of 3552	4592	Kdhbec32.exe	94
PID 4592 wrote to memory of 3552	4592	Kdhbec32.exe	94
PID 4592 wrote to memory of 3552	4592	Kdhbec32.exe	94
PID 3552 wrote to memory of 2628	3552	Liekmj32.exe	95
PID 3552 wrote to memory of 2628	3552	Liekmj32.exe	95
PID 3552 wrote to memory of 2628	3552	Liekmj32.exe	95
PID 2628 wrote to memory of 3384	2628	Lalcng32.exe	96
PID 2628 wrote to memory of 3384	2628	Lalcng32.exe	96
PID 2628 wrote to memory of 3384	2628	Lalcng32.exe	96
PID 3384 wrote to memory of 2932	3384	Lcmofolg.exe	97
PID 3384 wrote to memory of 2932	3384	Lcmofolg.exe	97
PID 3384 wrote to memory of 2932	3384	Lcmofolg.exe	97
PID 2932 wrote to memory of 2044	2932	Liggbi32.exe	98
PID 2932 wrote to memory of 2044	2932	Liggbi32.exe	98
PID 2932 wrote to memory of 2044	2932	Liggbi32.exe	98
PID 2044 wrote to memory of 1476	2044	Laopdgcg.exe	100
PID 2044 wrote to memory of 1476	2044	Laopdgcg.exe	100
PID 2044 wrote to memory of 1476	2044	Laopdgcg.exe	100
PID 1476 wrote to memory of 1692	1476	Lcpllo32.exe	101
PID 1476 wrote to memory of 1692	1476	Lcpllo32.exe	101
PID 1476 wrote to memory of 1692	1476	Lcpllo32.exe	101
PID 1692 wrote to memory of 760	1692	Lijdhiaa.exe	102
PID 1692 wrote to memory of 760	1692	Lijdhiaa.exe	102
PID 1692 wrote to memory of 760	1692	Lijdhiaa.exe	102
PID 760 wrote to memory of 692	760	Ldohebqh.exe	103
PID 760 wrote to memory of 692	760	Ldohebqh.exe	103
PID 760 wrote to memory of 692	760	Ldohebqh.exe	103
PID 692 wrote to memory of 2328	692	Lgneampk.exe	104
PID 692 wrote to memory of 2328	692	Lgneampk.exe	104
PID 692 wrote to memory of 2328	692	Lgneampk.exe	104
PID 2328 wrote to memory of 1168	2328	Lnhmng32.exe	105
PID 2328 wrote to memory of 1168	2328	Lnhmng32.exe	105
PID 2328 wrote to memory of 1168	2328	Lnhmng32.exe	105
PID 1168 wrote to memory of 2608	1168	Ldaeka32.exe	107

C:\Users\Admin\AppData\Local\Temp\2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe
"C:\Users\Admin\AppData\Local\Temp\2260e3f0a5afda4b62800ee894d08c3e6eba2ad3cfd97d252d06071da6e2916c.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Kinemkko.exe
    C:\Windows\system32\Kinemkko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\SysWOW64\Kphmie32.exe
      C:\Windows\system32\Kphmie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:508
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        58⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 412
        59⤵
        Program crash
        
        PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akanejnd.dll

Filesize
7KB

MD5
6817691359acb1c54507cc367b727476

SHA1
f039cbf87686929f32f4a063f896dcea08cfd69a

SHA256
763ef70106dc44b60b68e6559ab68fbc178d6d30ba016ad5b72ee0d0d1e87337

SHA512
906d539e151b5c0e50dcb5c21dc8457e128e367f5f42b14df9b06cee30076220e0b4fdf7189c2f1403b48d9cb63279482a0c4d61d86c9eb3b459bb980f43a954

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
104KB

MD5
686f1db003584176bf8435ffffb6c3a0

SHA1
93d6a4f7af95db15a309cfb0e16b2f28193bcc6b

SHA256
466e1e79c599b10bb30bb18c94a3f4271fe4bfef8268fc869905b8d1b48a0191

SHA512
ae4081838882ba3a70f8920716312dc2711a375ac4b00a43792ae4d30fb3c101c74b3f2c22ba223b8d1a617edbca87205227a33fe4af98001080f0ae5035011c

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
104KB

MD5
58f2bed9766efc265bc97af4b0ae773b

SHA1
d309a4aaa90977c460e87b6772f77502e4d10893

SHA256
8ef5af2bd1de8f096add116fb34b69dd530e956c9fb2db76b27c01df2a5d6702

SHA512
3208a1fbba0a5f46cc14d01d649b3ae9de414ee178ee94e5bab0222841ce07a21858f2baa15cc33e419dc0a21c4423f1f034e1bb0fc66e48267948d56185ae56

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
104KB

MD5
4418e60636e7de533ba2012c0fa6b743

SHA1
8ebd2ef3b17cab4a912fac45efe5dd0c79bd4b7a

SHA256
79b33ce1954ba507d4b7e68ab0440e84a6fcdccdfb7c9371898785caa421538a

SHA512
4c1e8869f1247e1315cc3c91e7ee4a219699fb4549c95d1097885b9fd3e8d90dfc9f430a30b8abc4fbd2c0d12d6b611a88a1473f72024eb502386e49472602b4

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
104KB

MD5
db28a07ce8a6527156b138f033abc2f6

SHA1
fee795bd8edac501b434e27f3bd92423449e36d4

SHA256
b56c4bfbb0c21d0d3f4f6264cc364e7301b36fc0737ac4cd95a48bf226905a7f

SHA512
9b5dd7a043ac39845e65050cdf7a41e5c414d19b53c906571cf5ff2f20d04af9cbbb253d11a79f4aded5bacc1a5dc4d20f1e59a8a66f703ad02a3f9fa4ec71d7

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
104KB

MD5
cd4fdd1436de99c98aeb3493706375c0

SHA1
7a7610ff08a0aeda5736ae6376ed217c9f710c64

SHA256
9053c8af09bb1ed6b08e24509e9ef4e155ed71232984b772ac4936e23eb7e445

SHA512
16111d4c9d8aabfae513e5f5475a9ec81c35e133ebb91eabc82555d7b9196899a72c7be66fae1a09950bd11e6d3ae8ab645838a25316972d7afd6010fc5f653d

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
104KB

MD5
c0a310d8c7f3bbc0f297ac407dfea44f

SHA1
e3b55c69265af5c9f1937efec149d131cf93e618

SHA256
6ba5cc4332aba7da93899c3f796fe99e92d4cd46b53bda7427cc4ac3b1778670

SHA512
097caed65da44b1096c0ffd3cc5fe9507e999e8d4847b635056ebf9cb6e01714224579cb379563c052c187f5997d53761cae48c78eb46668f470980737ff9ab8

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
104KB

MD5
e29bac47c4f2c54a2483a0724e66549e

SHA1
0611fb2e603aaf7873a168ffd5ea1d758b304214

SHA256
d2b59038f852b390afcc769c9df1240af255bbc783269ce38ff60b48a7da9a5b

SHA512
23d256b190ad24bb1abc8df602ae80191dd4897972060cb8bc1f02bef0e5a2dee002ac3da5dcc9df71177ebe4c26fc6f42d5211fc3f3cd3b0729f9c10aa6da9d

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
104KB

MD5
0a7056703149a8272a6b506057bb2e01

SHA1
0ca820224f6cb3110c1097049d2207735bfc95fb

SHA256
52179a17f7ab972219345fbd718789b10266b392d9d19482c74321ce231a9789

SHA512
b7fc6add9cfa931451c11962009e191be3254c3ee5683dd091ea617d5da7e1cdc062dd333b75c1e5745c0bf90b9bcff6ca58a07b743bbecaaa2c4a3972dedfa7

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
104KB

MD5
18e60bdd904f37d6c18c1528c957477c

SHA1
ffa0a1a7a8ee575592af520febf15fd0796c99ce

SHA256
77bd706322d9a6c427dda8c61ed137a79833abe94677efc7ad6842b342494d86

SHA512
b561b81a843e068f5f4330e3c4eef6797474c5bc6f9e9fbeabfcde8e20f6f58c9851d0b31ffee270748ba82e553241e8682595b86519e9a331bca34686ae9e03

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
104KB

MD5
f3f0dfd44c0d3f86d7569d5a70908fef

SHA1
f4314a4093c0e5111bc1aac9149611028b4849ca

SHA256
232000984f04c367fbd5831cc6123c81eeb45d7c217dc7a553ff97f8656b3297

SHA512
c986b10e396d75125a768fb75f52efdcd8623353fb7bfd92500a0ecbd87ddc200424a4065203ea5845787ea1caff54d4d1318a61097ad50940e58f5b59eb040f

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
104KB

MD5
94f88c4640f33e54b8931da86683df64

SHA1
6fec2f0c95ba3b89cd449305ca52a31e33483cae

SHA256
df1431909939a55cb725802f3f6113f8b044459ea20574e9c7c42d20661d38b3

SHA512
4cb8a8bbb570e087c429d11fa62ffa576a68e5d4255c7fd8c8028b08c0974e2a8ed429e5615e3eccd518562fd3d57b66210c21f76ae31bbf36f82000bc5c138f

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
104KB

MD5
8fd2b40be7aa444e4175a2d118bd2dfd

SHA1
83c4d2852f95c4ed3a400881295daae8ebcc9380

SHA256
b24ddaab96a472b1364d110d5af608ea4e15a23f12db64bf2885b5ffcdbfee05

SHA512
0ba3fb121716bb9261e09f56c6463792c4f376a3d3b7ff83fc751e631b64e7bb9fce29315cfe30af46be241071218c20c3144deeeb97e86d1223e866b39526f3

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
104KB

MD5
d1b24e05bf3f047db93c435196ff9a3f

SHA1
ab438ead0ec44238228025234bc9231f319aa458

SHA256
1ba6f577724650674ae3324e05f1c9b746cc924fc07964122c5c876878104d3b

SHA512
f70ae7e9bd68741a5e76c2e07893b6cad8f9bf55e088d0e3b5af36a7bab2ba686516aa9726dd0c5ad9a2bf86dc7585966741bcda872b99c55d90db1afee751a3

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
104KB

MD5
d1b3cf07e8c42412fd0b0afdbccc1d59

SHA1
cc5025f1b360ea45524c761309b7274949382fb5

SHA256
80671d86acc3a773aa4020120f23c324cae0aff241663034002789081f02e5e6

SHA512
e202b452799bf2046159ce0631b31d2db0467f508b121afc059f1c86508e246808e80db6dad282b74c619af580e90d1cfbcf3015f6a7a3e220a473a5e0fd1086

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
104KB

MD5
7a0b024f5a10e39dc7c54b0788648ddb

SHA1
3f5d1e91d59f3b30bea7748ee0082371a851ff41

SHA256
3136a8f1a7764cebf555491d897708ce05fb5d4d92f82dc758c2597c4f5fbe4d

SHA512
c06b61db136e6fa8c3e86fc83313bf2207df46859454dcb1356b76fcd5ed863d6b17ed495cd58f42bb45ce801a3c17bb2cc4f7f8803aa1f22e5e0c8305a73e4d

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
104KB

MD5
b77bbd1fba5bea6b67df27aa88d8d124

SHA1
1d119d61b4ecf556da319e4d8366ed42223776c0

SHA256
415341821221795c42b62d7e99ecd0faaa4ef77fa8ea6b318d660514a3b12b33

SHA512
6e8b7b7cd8a6be94ae7f754d791ff800de3ad2cce2a7ead9915a6f2d38246a7b4cec72e2ae495dec7dbd4fdf57307fbce0231a8daf313608fafc3757874a6f64

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
104KB

MD5
121d580b58702d125e8f4d55ddcdfa7a

SHA1
00a665ac630d3f6129782c2e2a9c82e5c97c1ea3

SHA256
e88ba9847599418232cc995d7a39d100eeded931d924cdb9a90bce1d0f4615d9

SHA512
7f6b207adaba40d31b63498867ea1b2b232b452e3927872b0879cf517a3c1770f4ea14f1efd067a7c27cbd3cdbf8eadbee7b0ad0ce2d9db645af9031c5ec24d7

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
104KB

MD5
2bb8c28eb6bd7ad3b922a96a75a7fe32

SHA1
2befcd2baca164ae7f1384b3610f3e4be356ec3a

SHA256
424745bac61d14df429152566f1fe159d5b2e95f0cf2bb93ab56f25a37c4b377

SHA512
b1b7c64a8a77b48b3711ba28f2af9864e6f84ef0dcffa2b304be0597677b9b0dc4c5852c37a6cb6f39d6d098f2b67bdb9a3f05f73f25a2c7748fee72fc975fea

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
104KB

MD5
aa07dda9261e663f341df106db1ce2a2

SHA1
e8628c99c33843e4dad8967dd19f58b55b74f42f

SHA256
265b4f13cb813fafbd03e8e26208b708685a76a739ea02576d7cd9c992fcb790

SHA512
078800a1906873ef1b2a624ad7e8fa25815fd6efece3c6101adc959671fdd3a8857eee645553cd947080a5dad166ef1009f235420aa7c5505865732e136d30c5

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
104KB

MD5
4885a6f0e9cf8b8c72d94acd82c658a3

SHA1
3435251be5c5bf728a1d85ef7ef57a2b9c09f01d

SHA256
bd56fd41845a686410b04b846b875f72a94f858f525f4845dad6755d75f6f20f

SHA512
effb6db55ffcc7322bbcfa73a42426541aadf01acb476f4214bc8f0484abc0eaed052bf61ec4d533a8ca3ed994a67743485bcf56ec6c7107e914393aa5220887

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
104KB

MD5
de289110756cf01bd557d05d516c777f

SHA1
871d4caa316b799c7997778710a1b75addc51bfb

SHA256
18962f68a9325e73cb746ca822eedd16ed327d6e11b7cf19e370afdfeb396135

SHA512
692b93c62e7f3370e8a65dcbb0250b829b47cbf1ac72bb972d416145424d319ec4ef2b2925265b8a43ed97152b54a06c6110c5f5c9f52e47009ccd26c1922a17

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
104KB

MD5
97872b9a1f787f1e3c9a956bfa3a8948

SHA1
e25475dc777a3eaccbdc6d363e08e0755dd775e3

SHA256
ab351a8eb6e9992b930e80db2084a9e5ca1c9fad24dca90f4b160c1b0bbfe308

SHA512
f53a81e59a3ef1eda156eeb4a912ebb156d5097cfcdae0ec06534fce8ee7ef07ef2e12c5611fa1e853339a713a36f4ad199f0fb5e9408491beaf260ad1767437

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
104KB

MD5
d166c67650e2fe1810100fdfb5ab71c2

SHA1
23bc85e10ee2d494c51c9c82826672f4dda5fbc7

SHA256
846d4d295108f840f1dafbfb3f441c438542c7fe75fedc71964415d1dbae1959

SHA512
bd2fc4dc6dc8bc51d54703d4df9ff796f92a56972c58d661b3ad93094dac390aeb39325513406295ecefa0bd8d6baa58b35d320ebc11922e1fec99f4af89622a

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
104KB

MD5
622c1f8b308691d7e6d648e7af7cf21f

SHA1
173ba6e6b78f865f68bffcb800063be6d97720f5

SHA256
ec876a001a2ae569ffa6b565091d6a70952ccfa0e45c04851669e4335fb19b6d

SHA512
9c066df213ea4121d482e4a9a0c5f09d9db26d5a0c41f22bdb2557abf58420bb2c6cbbea069915910ac3127f55b52953efe75671348d4e1e98175bdee21bde9f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
104KB

MD5
8adcc3c8d5fba3235433f2ccdfc5730b

SHA1
927b3bc944d116329e8f7fb2b0c6dc130409b0b1

SHA256
7393d43a8c36bc39f3c67f58b6c2532d3f2230969ceebd2b3334468eab94b6bb

SHA512
3439b152d1e5880ccaac8a7465c6ac5718e632f54d0bfe8f73af9cf95ed9929a27f92bc7eb2d069887d9cf4f48b13845d3b2742f9ed749f05e55b93b22d0da74

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
104KB

MD5
156948d0ae740220a9ccdd3ead3b353f

SHA1
4955b2f47f1b611c93485086055175dd6cd8b49c

SHA256
93afd5786a973b5798103feb39cbca43a97cd9556138109162f508aa3380cdba

SHA512
fe736e4943ada60a244da8329f35799fb77a1d0d897859b34d7ef65232d4438296b173ac9bc4ac5e154e6d9d9dd1ca5713fc70cdb450ded3a5a6a91cf30f2a72

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
104KB

MD5
ea992ad1abbb80705d0971a402c28f77

SHA1
e4bd0760433eebca86007b06bf4a2ea4fdadc59f

SHA256
e05f575356caf91e4ff6759f95f92e22e1bec04d1856567bbe6c168494c96b02

SHA512
38e6f634f3528b3f5f581f5e94ea73961999073dd3c4fe31c08267d28c6adff4afd9f829d69c9c3e9b8d1e60429437a0f27696289fd93d2e3e0dd7c3c17f446e

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
104KB

MD5
757c8dfe8592a989f848677220a3c327

SHA1
7d967b99996b8b8d6e28494b695745c3ec1f77ef

SHA256
4a7ec68ade6c87c1141bb4d0feaa9a8c73032daccc8458ad21e39d2e991fbad6

SHA512
3ac90f3d57dcafa9fa265dc6c2ec6667e480093e83f0a14a072f45b2ea28a48d1f3d03e075cade1656e36ce63f4c13154f29d2680c71960bf2445baadc80ddca

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
104KB

MD5
55b870897adc7dcb27557e1c3c9f471a

SHA1
94fe7d5726c8bc51a8c01ba2a4afa75335830b9e

SHA256
91beed9a9e0bc4653251baa1c0ea0103227b9323785f46e319f9da89e3d00092

SHA512
676ec7af74c14a6f150dcbb1bfed6c0f1a504cb28e4d1b724e838cbde01dd9552dc0ac06e746af453417fa867fae5e999ce5df1153480a2140cec27e6eccb534

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
104KB

MD5
78c0ac129e501b46f3b36d47fe1fb235

SHA1
ff397b41e60d94b4fff31f1cd81aab6f9e3d61f2

SHA256
64d36e05146da78610eafe99de02b258f44a0c401945a4babcdc1b50a97f4d58

SHA512
a0ca5b597eeb1448bf53b682c56e0b5e22d2c3ae19a907dc2d0bfa5ab8dfb167255ea7c64d205e24c010c24e8a62ac92042d0e131c89e63a4e8aa6ada8b0a7dc

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
104KB

MD5
cf5fe365c4b39ec03789fb092387ac80

SHA1
4f9dd97abe6386e3e460d670c6daca6cffa8faa4

SHA256
c04ca504b461a2138db82a1b95386259ebfabedcd6a09b06a94f92daf778afd8

SHA512
2bd21b9aea7a2253ecc0f72bd00e0dd543d05ccc2ef3b49fe23755b857b27edb7de052fb4ee90a15a0bb81f6babb5895b61ed540ffc89b1849ed4ee9606eb0ef

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
104KB

MD5
93bfa75fe59d243a87b6528477720a7a

SHA1
9a48d7e89973f347c2dbb760de6435b7a7c34c72

SHA256
631e8fec20341d22879a1a8763d7acf62094141b442435bd319b59ae2f589ef0

SHA512
c06540e997492442730ddda2d0eb8d79e7f83166266412c68aecf22074a4d0bbfcb60c00cb29ab052821e30bd4a24cebb493dbb1949569fea5f0b55742bd71b4

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
104KB

MD5
8494f92e45f1343c38b5b001da80b199

SHA1
b4fdf7b94b55ffccc0197d8cd0e06b20f0bf954f

SHA256
668761b99554c67cf36c6a337e317d49144b3b24f34f980d196fa8455a9c5f48

SHA512
eb6dee95051f373bfcb036baae7ffe5edf7f8e60e1632edfba25b46d89bf17059ee0644dcf774f21635d0481506d511ad3b68106c5bb0c2bd6e13dab9adc5439

Download Submit
memory/428-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/428-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/508-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/840-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/840-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1440-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-420-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1852-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1852-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2044-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2044-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3376-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3524-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3524-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-421-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3824-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3824-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4160-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4160-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads