96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05

Analysis

max time kernel
135s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
Size

55KB
MD5

144c92a00ad84a1084462e60daa26b1f
SHA1

ef4631a593c5b51d484aa0be9f2a6e1beecccd32
SHA256

96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05
SHA512

b0ceb5e203951a5a1f7fda7f6122a9a2e066a59af13130bd31bb77f975fd7ed593aabd64b5169580e496c78dfae4f05397ce2ed6f938039602b5ac047c820ab3
SSDEEP

768:ZVpj3vTWRnT/rvYocXKiJ7RbPbW0JDFK8sNO1LFHO9XXiJZ/1H5LXdnh:bBbWRn1aKiNFPbWE5K3E5O9XXQX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe

Executes dropped EXE 64 IoCs

pid	Process
1248	Kbdmpqcb.exe
2220	Kmjqmi32.exe
60	Kaemnhla.exe
3916	Kdcijcke.exe
2160	Kgbefoji.exe
3280	Kipabjil.exe
2464	Kpjjod32.exe
4696	Kcifkp32.exe
3232	Kkpnlm32.exe
3012	Kibnhjgj.exe
3208	Kajfig32.exe
3040	Kdhbec32.exe
1464	Kgfoan32.exe
3576	Liekmj32.exe
2264	Lpocjdld.exe
2328	Lcmofolg.exe
4744	Lkdggmlj.exe
3076	Lmccchkn.exe
3588	Lpappc32.exe
804	Lgkhlnbn.exe
4356	Lnepih32.exe
3740	Laalifad.exe
1528	Ldohebqh.exe
4336	Lgneampk.exe
1752	Lnhmng32.exe
4792	Ldaeka32.exe
876	Lgpagm32.exe
2764	Lnjjdgee.exe
3140	Lphfpbdi.exe
1028	Lgbnmm32.exe
2052	Mjqjih32.exe
3192	Mkpgck32.exe
2068	Mnocof32.exe
4352	Mcklgm32.exe
2044	Mjeddggd.exe
3720	Mnapdf32.exe
1208	Mpolqa32.exe
4988	Mgidml32.exe
4432	Mjhqjg32.exe
3544	Maohkd32.exe
1548	Mdmegp32.exe
1520	Mcpebmkb.exe
1576	Mglack32.exe
4100	Mnfipekh.exe
1956	Maaepd32.exe
3756	Mpdelajl.exe
4276	Mcbahlip.exe
1952	Mgnnhk32.exe
1552	Njljefql.exe
3112	Nacbfdao.exe
4864	Ndbnboqb.exe
3768	Ngpjnkpf.exe
3596	Nklfoi32.exe
4392	Nnjbke32.exe
116	Nafokcol.exe
2628	Ncgkcl32.exe
5104	Ngcgcjnc.exe
3896	Njacpf32.exe
4532	Nbhkac32.exe
1256	Ndghmo32.exe
2320	Ncihikcg.exe
1996	Njcpee32.exe
3952	Nnolfdcn.exe
2428	Nqmhbpba.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1412	2512	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1248	1728	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe	83
PID 1728 wrote to memory of 1248	1728	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe	83
PID 1728 wrote to memory of 1248	1728	96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe	83
PID 1248 wrote to memory of 2220	1248	Kbdmpqcb.exe	84
PID 1248 wrote to memory of 2220	1248	Kbdmpqcb.exe	84
PID 1248 wrote to memory of 2220	1248	Kbdmpqcb.exe	84
PID 2220 wrote to memory of 60	2220	Kmjqmi32.exe	85
PID 2220 wrote to memory of 60	2220	Kmjqmi32.exe	85
PID 2220 wrote to memory of 60	2220	Kmjqmi32.exe	85
PID 60 wrote to memory of 3916	60	Kaemnhla.exe	86
PID 60 wrote to memory of 3916	60	Kaemnhla.exe	86
PID 60 wrote to memory of 3916	60	Kaemnhla.exe	86
PID 3916 wrote to memory of 2160	3916	Kdcijcke.exe	87
PID 3916 wrote to memory of 2160	3916	Kdcijcke.exe	87
PID 3916 wrote to memory of 2160	3916	Kdcijcke.exe	87
PID 2160 wrote to memory of 3280	2160	Kgbefoji.exe	88
PID 2160 wrote to memory of 3280	2160	Kgbefoji.exe	88
PID 2160 wrote to memory of 3280	2160	Kgbefoji.exe	88
PID 3280 wrote to memory of 2464	3280	Kipabjil.exe	89
PID 3280 wrote to memory of 2464	3280	Kipabjil.exe	89
PID 3280 wrote to memory of 2464	3280	Kipabjil.exe	89
PID 2464 wrote to memory of 4696	2464	Kpjjod32.exe	90
PID 2464 wrote to memory of 4696	2464	Kpjjod32.exe	90
PID 2464 wrote to memory of 4696	2464	Kpjjod32.exe	90
PID 4696 wrote to memory of 3232	4696	Kcifkp32.exe	91
PID 4696 wrote to memory of 3232	4696	Kcifkp32.exe	91
PID 4696 wrote to memory of 3232	4696	Kcifkp32.exe	91
PID 3232 wrote to memory of 3012	3232	Kkpnlm32.exe	92
PID 3232 wrote to memory of 3012	3232	Kkpnlm32.exe	92
PID 3232 wrote to memory of 3012	3232	Kkpnlm32.exe	92
PID 3012 wrote to memory of 3208	3012	Kibnhjgj.exe	93
PID 3012 wrote to memory of 3208	3012	Kibnhjgj.exe	93
PID 3012 wrote to memory of 3208	3012	Kibnhjgj.exe	93
PID 3208 wrote to memory of 3040	3208	Kajfig32.exe	94
PID 3208 wrote to memory of 3040	3208	Kajfig32.exe	94
PID 3208 wrote to memory of 3040	3208	Kajfig32.exe	94
PID 3040 wrote to memory of 1464	3040	Kdhbec32.exe	95
PID 3040 wrote to memory of 1464	3040	Kdhbec32.exe	95
PID 3040 wrote to memory of 1464	3040	Kdhbec32.exe	95
PID 1464 wrote to memory of 3576	1464	Kgfoan32.exe	96
PID 1464 wrote to memory of 3576	1464	Kgfoan32.exe	96
PID 1464 wrote to memory of 3576	1464	Kgfoan32.exe	96
PID 3576 wrote to memory of 2264	3576	Liekmj32.exe	97
PID 3576 wrote to memory of 2264	3576	Liekmj32.exe	97
PID 3576 wrote to memory of 2264	3576	Liekmj32.exe	97
PID 2264 wrote to memory of 2328	2264	Lpocjdld.exe	98
PID 2264 wrote to memory of 2328	2264	Lpocjdld.exe	98
PID 2264 wrote to memory of 2328	2264	Lpocjdld.exe	98
PID 2328 wrote to memory of 4744	2328	Lcmofolg.exe	100
PID 2328 wrote to memory of 4744	2328	Lcmofolg.exe	100
PID 2328 wrote to memory of 4744	2328	Lcmofolg.exe	100
PID 4744 wrote to memory of 3076	4744	Lkdggmlj.exe	101
PID 4744 wrote to memory of 3076	4744	Lkdggmlj.exe	101
PID 4744 wrote to memory of 3076	4744	Lkdggmlj.exe	101
PID 3076 wrote to memory of 3588	3076	Lmccchkn.exe	102
PID 3076 wrote to memory of 3588	3076	Lmccchkn.exe	102
PID 3076 wrote to memory of 3588	3076	Lmccchkn.exe	102
PID 3588 wrote to memory of 804	3588	Lpappc32.exe	103
PID 3588 wrote to memory of 804	3588	Lpappc32.exe	103
PID 3588 wrote to memory of 804	3588	Lpappc32.exe	103
PID 804 wrote to memory of 4356	804	Lgkhlnbn.exe	104
PID 804 wrote to memory of 4356	804	Lgkhlnbn.exe	104
PID 804 wrote to memory of 4356	804	Lgkhlnbn.exe	104
PID 4356 wrote to memory of 3740	4356	Lnepih32.exe	105

C:\Users\Admin\AppData\Local\Temp\96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe
"C:\Users\Admin\AppData\Local\Temp\96affd570731ecbdd8b24d0d237acdd249241ebec19024b77896d0d20c1f2d05.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\Kmjqmi32.exe
    C:\Windows\system32\Kmjqmi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\Kaemnhla.exe
      C:\Windows\system32\Kaemnhla.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        67⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        68⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 404
        69⤵
        Program crash
        
        PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2512 -ip 2512
1⤵
PID:4408

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1256

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
55KB

MD5
815d37e46bae1a299996266e9ee09ed4

SHA1
8641a13748676e24ab3454d3ae91acc69e828a4e

SHA256
bd907ee30bbd1ed8f09cc1c442fe3edd5f59c1e68f26a1bcf230c8a67d34c47d

SHA512
67721e7a55ac588bd97d91d66e3232f1df0b4a032598d39e6e7975aaf92963a2ecbda6c27b299acce64eecf79199db94eed05e576af30bb70afa738e837d29ca

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
55KB

MD5
57f8ddda58ca82a7dca37f95c00cd1b2

SHA1
730368ed9ff2cf10f518be849f954b2baa7d40a7

SHA256
9e23de216ee7d79080275086ebce5fd5b658572c57082b2ee1b27a36f8e7e9b4

SHA512
86568a1699f0f515ae0c6b0ab52027656766e209cc3655b84309411a02c7ffecbe3cb7be28b8c1e0d6c09e8d4a4a869ab848a13b889b095f0f3b463cc9758d17

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
55KB

MD5
58ea778384382d90f237c33a11ac1604

SHA1
aa1c87d98e621b71caaffc997b2a9951c6731e22

SHA256
b035737dcb40024a4dcbac979a18144d64cd79d7377b83e4fab2dfa02a5ca3de

SHA512
67d594a181fe740d89596da2c1f2bedcb7301cbd7b5fa99e9170096c991d50be6b80ee5d4a392ba21f37fab575856c3baa2b6cebc8b626e4a1706fec06570a92

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
55KB

MD5
68814aa8ee1dbdc8bc77818fdb8be952

SHA1
0c3b3b8068905adef6999d0310157267edb7a694

SHA256
315bcc870b4d5f779382dd21342be6d76caf9e65302ccb55008d8caf8d44fc7a

SHA512
81a00e8203c534f786558e048b25d612626cb91bbb9c7d5519804b4e5349ff8b2ea6441e6e14a8fe3aaf0c0ae344fd74766dd85551da1f9affb751201110beff

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
55KB

MD5
c9c6b3101f0086b5cdc1f40fd4b05fb4

SHA1
6bd0a8ddded7df70353dffbe477bef0a9c65e38c

SHA256
818ed113bc1c659cba6b09923046cbfb1fea33ba1fee395f42c8bfa4ab6c90ab

SHA512
a65e820655af9de3aa8c726527ed2747013d4830b063fdb3b85eefc847a20c1b4c1f30f188a5bf19a391c3a78f995b20de7fca755823c6cf5302a1083f4c6a90

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
55KB

MD5
cda21c051339c3085c82bc171700014d

SHA1
75471323a39b54b32633b48555efe1fa5e5ab2af

SHA256
81df6c63d3388e778529a15dabd874bdee99f6e8ee1f75fd825d894c0750ca04

SHA512
1b431ba2f3c4492327afd277b7fb1db8f2e9b9a3ec76976e20522fd1e43ceeda16f94dd0b4dac6d07ec38bc0c6c48d9ad63b02eb325ff3947aefc551ffa6cbad

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
55KB

MD5
891d99f76b340ad39ac39cfbbc284f75

SHA1
75500bffa00daa8ad827b97585b0b7ee97b7597c

SHA256
6df02e63a055c8077df4b2dee44108ef9a01e0b50ac5e3fc6d648aac7d51412e

SHA512
c2d9e548477e2ca76c9732ed785b1c110bbd2080f11bdd1f68287ddb813635eba307e6a5cf2c94a3fbeeb4fcf8a1c9384d9ef84bf616c5633ca4ff0dfd6460ba

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
55KB

MD5
d0ae61431bd15ee7040beb68f7f9c4c1

SHA1
f691217c0f16fe0b988d9a9c88ebe605125a0026

SHA256
c85a33d505fd6bc1d0b41b6dc6fe5f13bc225f74001883ba880633dca336088f

SHA512
81f192abd8ebcd399970784e7f479a5ccc188c838b7852824822ca00f4f127b0fa8c7d0d11e1ff416811014950489a16279a25a3a781fb978ad77574c74c0ac5

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
55KB

MD5
115020ef61b44f6e3583e9de272e39c7

SHA1
09833e639eb9afe9ace734097745eed0d6944d3f

SHA256
4eaa8f827bbc56e52e06acb67711cdee5bc30b124b3aa1d86aba487ed3e96b16

SHA512
67d7279bcef18c6ce274a57ce8e12d9272c9e0369b8723fb26e20e8d3fb250f07c740f4abc9d535667e814a9e51ac80e1a72e9e33a63368d71641e40ff051e5c

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
55KB

MD5
e468349ff73ea5007107991b2641a7d5

SHA1
d9c5f763b43558d38094dd4badd5aaf0cafa069a

SHA256
44d7d897fff395ba88e8af4985b8108af195b95516126be6d20a7fe71bf5a48c

SHA512
fde17d3bab8ba3700d4e1c17cd65268ba0d1d38960723d068d6b76a429c3d50769c11d71aa97dadf8c275f9407c14f506aa2250115e9b3c0aafed9fd303f1231

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
55KB

MD5
0445987299d08744f341157d3f052321

SHA1
bcc29582cb9a179c95c1faf90ff5ee2956889494

SHA256
da44397c667bdd29c4722bf71efc820b5b7715722ff9c180bfe1471094efe2c4

SHA512
64a65ebca0aff0264d9fa12f33cc48f99474a9988fab374e6760cf22cfc7fabaa4dabe7f4167ab41d9be67d6cea4157e0ac221eaaa7140e0b9f2c1e106cc4806

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
55KB

MD5
78fee4157ce33b72dceb24fd3b673623

SHA1
d80cf32e4a726124bd96adf96bc5578b59c258aa

SHA256
4d0c33a285934201dfcbdce80b7670f4bc93dfd7e3bc1c58fbdce68325ecceda

SHA512
c2b50546ef482ec6b3f9a2c9d00d85f4d0d28de23b9c8e36064f0d9d7e644088cae0badc7723ab596b3792ca329667d907bac6f50b70fc9c1dc349108dd5b3e6

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
55KB

MD5
d410288b99b177df2eeb98d0ae11663b

SHA1
3fd6d6daa9dff346c696cd0b6e9b35ba97ba96f2

SHA256
13dac380271e52b734a02f1a43fe172d9fb9bf56513ff3b3ed02cdf0973ab4bd

SHA512
95d015a6a7a56b36a5f28f863546dbad61e5023a5e0c4b252a6dbe1c13556147d16ddad7020dfbc8696f87bb0850a0f12b91f3a3a21506306cb772d52b4163a8

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
55KB

MD5
37d28b01cec20ed2599775ee89a86e64

SHA1
515225c555783fd0254a8e545b9b57160e9c2cab

SHA256
42e7e9d9884413d42ef1c5f915b8c62d6b5f0ab5627d6bff130a30d1f4a3b07e

SHA512
e2cd9a9fb3a873f2d691d5fd3d6e0ecaf288b9508c9a36d17d35ca85c81adea6f78072ca9c3b9746df8162c1152d138fa1037876d4a8e6397a6f84765fbe7a4c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
55KB

MD5
9ed5d952c384292552d96bee347fe423

SHA1
a73ac53687613f10c044e4c2981d06e38363ba1f

SHA256
cd5dd03085b036292d7966929f9d6a1cd7e148b6c6640122bda3d8180ac9c7a5

SHA512
2e0e695aa6188acb4662d2d82f17bab642105fa377945f6e4de15679692ba98731fec6aeb7397e9eaf14000592b1be6b7066331d0580e0b22f3b8e2150de6e24

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
55KB

MD5
b10818a1cc9b6fe9e8f38b249d0c84d5

SHA1
df2c16f879498914ba4757ea172d7d469042b0dc

SHA256
5c2abd5154a27fdd1d501edae1484d0418ac71c35d8291438e1a077177ecab28

SHA512
0ce2c02cb07476090a5c0a88be06f6a9ea222848d147d6786ee89636f41427130aa857f1a0b01a94b5f468dec119c70a0c079437d5d58779453e517d39cb3944

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
55KB

MD5
3599c9a26d6f3e9922ca163370dda230

SHA1
d4475a86f721768933830abde5b82bf3b293c218

SHA256
449b9f524402d9b1eba2c7865dcf595b739b442cf33afd2e065f7ff9bd3daeaf

SHA512
1264dc45474fbba76349cdf5a6f0954dec6703f7e3acc611afaea224f6bab509eba679dd2e90dc13dfd5914e31a5100d7eba13469c7bb22037076f3b4a691329

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
55KB

MD5
b19d601ceb9a09ec4f7e2a0c025f2cb5

SHA1
f7add8c6753dd678b97be0753617454f534c78f5

SHA256
05b42795a74c0891264130a607f60f822c4da3998cf105180aab7037fddb2490

SHA512
7b11ee314a88a25aec862995d665ac3f80eb54eecb27ca42e1dccd5dcd7049fb039feb131e495ec08e95e56b638028f379fca6b637d95b9e72e645a990d1d728

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
55KB

MD5
7271a467ee0d5c32cd0835aaf4a4deb4

SHA1
7b9d2466f7064f64a62a6c0b40453bb53691d6df

SHA256
a874bb53bb3568c25f32462e2b31211af7926b6561c079c9111a6a41a6e4acf4

SHA512
82132667d94f04fc54cd3dbad233550d0d7a9a79fcabee8e6bc0865d4e56b5cf4fea21a6ca51c063b89cf788292ce9a9eb6c83916cf855372b82d58e7020852d

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
55KB

MD5
d78a6c682834dc002bffa02a4002acf5

SHA1
d866354ffbcab950aa8600cba830f7a059ab9402

SHA256
02ef3e72307099a623da6301db5f2ece3648885761cd47727bbb8f06d4b022b2

SHA512
a0c2255fb263bd866ba839c38f4981c088cbe3de17a12adbe7a66a294b2e0cf23a0fc7a25aef3b09b0a706ff67c26ad146b44212e8759615c622e93f3cd966a6

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
55KB

MD5
086585168abb8e4d50d4cecee58a4081

SHA1
42b7a36f3a75b05d92a7b3f755919b58c35e024a

SHA256
8efe86c993c142ed97f5190f186743d953a92408416e776273d74bd6d8bae869

SHA512
9dbf99418d0d538eeab8dbd0d5fa920d7b9aa7c1abb46b9508af2a17bcfca4fb70753768abe2ab2cf83b1ee536dc6f539036c234d9b94d6062a105ed1b3c55ff

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
55KB

MD5
40076e140ed1414d9195add7d19d5c96

SHA1
913f038e6d19290996f3275fdda960d4ca62fbfc

SHA256
b1bdbdfd1658bb5ee9d00d4f0b582e721125a81fb4956594df857288b4642172

SHA512
ce9aecfe545cd48df45dfaed321d70e033f838eba745cbead53ee87f2f34d3a065bfa8e68596c7b9dfc9563ed29a93e3d04c3c6d0e042506c048d7bf8776fe3f

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
55KB

MD5
7c1b1a1386e39efb9e68cdb2d05d6f15

SHA1
cac42132415128aa91970bea265cd9cd8aaf5388

SHA256
d3913bce33b5653a5e98c18898a7e08b8a7fa2ba72b9badd49df381d21f49960

SHA512
8a7a102e916bd2ff2aabd07dfe4c61ff3fba018978094fed3a0cb73a891f78411acdb1748097661424332f3f691758ef3e5872b49edf519ebb164934e478e44d

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
55KB

MD5
99863bab58b011592e7457a38ecf812e

SHA1
eb09fba41b7da299d21e8491085fa6ab056f4078

SHA256
54d4c5f8808b6a7913c4684aab6a5ec7f365f47061d98135cf155b460373ffc5

SHA512
f7dbd7e57886853972023642a3bead55ed79fa4a60f2b50bde0d1dfd4389fed2ffaed5e8dc1ffe33e20af57e178070d762dd59d224dc54c5285d2032f9f983eb

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
55KB

MD5
f985351dcf783d7518b72f49f43e5858

SHA1
df503f9b482b35ca4686a31dc2af37a327174100

SHA256
01fd9042300bbaeb8323c513f4002d1803f86a50bd9ab39bb90ee9914f35e26d

SHA512
edbbee83c51555f27e3c4f6ffdeff1f8ebec61541a964b49fb77a7be756592fae5ecc0c661c8d15ba37fc2c0189a97e4195f327c3ce97954593e38adab8e074f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
55KB

MD5
dcdfa70e83a02ae2a76e419be33c971f

SHA1
c58894ebb38619114a38247d7bcd91066f9b5a86

SHA256
536d13a1449659d8ac4d5b45483ac523a397fa8d0418794415c810e8fa519e05

SHA512
4ffde55995260208f765a23bc6eb9e52ff44cfff0e918fd319756cf1600d5deb43854fb6de30c50ecb17417631e86dc43389d86dc952f7127bd897ca2dc6adaa

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
55KB

MD5
ceb26538b228129de8f458baae9c5b8f

SHA1
341fc9027c948119ac3d6b8e0f270efd3371badf

SHA256
6c132f1215309654c78d370e21e0715e7e9ffe39ef18c5d07134430f8ee92c54

SHA512
a65ad9d375a52ffd1019dd98d1448a8915aac1460ac6acad15bae1f3452b38b1fc3113974dff3950507bb3143c75d120257878aff85997b97b85d7940d3bce22

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
55KB

MD5
17d46b27beccf96634aef2b8f3db5257

SHA1
2f871b019d7a452146a689e2a42611a79ccc5d03

SHA256
2db6f40e0bd49f3426050a2cf7473135e369ca0356f0d776718119824600b80d

SHA512
f8a25d21ed761db6d75b0237848e8fa903d31919068f545db53b01072d49f8de35946b4aace0d92b4cb8e9eb81fd3c0f31c5410f1d1cc9f8dc6ec6e386c528d4

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
55KB

MD5
98a2b413ef85c587376e8adc05820fac

SHA1
55be693661e54f4b07f83ac1d0f0ce879780ee17

SHA256
214564eb5e1f1b9b5007b36845d075656f0a616d750db6b53adb17dd5bb4ba8a

SHA512
e1cbb3842b1cc4264c3761469e40653cfd83e84624f53dfd95c1d74227b9a3e9997ed90fc8f438a47776c4a5d4fbdda0ec4f07c750f613c202fe973fd11cd906

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
55KB

MD5
024e4c86c694af0cc2c18b3c40622aff

SHA1
d05ca4e0c0bbc3e1b91911b80dbf04005b47c771

SHA256
33421a710ab892d7a21c7acbba7169b5092b39ad96cfa4e48a0f4cf78c3e6dab

SHA512
75241b5bac698fccca7090b791834d05ec2f1c8e35d7e7483339de2518488fed8b7b380de9368d28b912e46b605742f58862047f08f1a4cdca09a6382b53d72d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
55KB

MD5
06bd5a5f474afa55c1dad7e439f1d16e

SHA1
248c26a7c0b72c65e3357a7965416b4a2a6687b2

SHA256
24f1e8289df22f23cee8bfbd7023c373efed40022cebfcbf2269fb5f8759c78c

SHA512
b1f0f1727aa91cb5c4a3624352c458c22630b642c4201a8a28aa00344c02ecb6d237043789ee7319922c2df531e14b6fffe420e9e2e1b61366407516a41361ed

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
55KB

MD5
4065f9d10abd4c85a54434babd83f335

SHA1
207d52337fa8f62b7996a339838e88fda174e945

SHA256
9369b2e2016b3688e2c1430d20098138dafb92535c31d152c54de727475eaa05

SHA512
6a9964213bdc41e61d24165fc96b51d65ecd7cf166e6c43539933d0da5fb87118dee44b5963e11f2904250c5a16d82f93dc2c625ea92ecd6e48c70daaa2a9116

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
55KB

MD5
7b353ec77e789e790e08da0841a66888

SHA1
ea754457b3710707010ca979bc080908cbfb42f7

SHA256
23b1c258c37a9f2ddcbcb9b13f240b9e994bdfdd2dfdcd061801c704423eafd3

SHA512
e8f62d5811d03a2d1295ef84e54d8a046cbfd580941639ff271c6f79cec9c9b522c98456255535d33d11fb8a243761ad8c621ce475fa82d9a64392a36c1c14e7

Download Submit
memory/60-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1728-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads