34619e4fa0f32af61d2ad0932a318d49fd24d35858bd0821991f92e5a9ff0a7b

Analysis

max time kernel
133s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
Size

72KB
MD5

ac718f4bac5a76e290b6c27a07c14561
SHA1

bf44b2f27ea60ee0de46e9a7baafae77201289b1
SHA256

34619e4fa0f32af61d2ad0932a318d49fd24d35858bd0821991f92e5a9ff0a7b
SHA512

9def3bf43afb892af81cf0eb0025f7a124d3616d3b16a1641b716c034b8afcd48be6ad025d561c40829d8f90829172f0150c070258ded68c47b0ca4f49145149
SSDEEP

1536:axBCBIQTfxuWfAaoIbR4IDG2qgllc4HS3:aCBlTfXSQR4IDG2hl2aO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3972	Jaljgidl.exe
4000	Jbmfoa32.exe
3512	Jkdnpo32.exe
1612	Jpaghf32.exe
3536	Jbocea32.exe
4832	Jiikak32.exe
1020	Kaqcbi32.exe
2188	Kdopod32.exe
1160	Kgmlkp32.exe
1760	Kmgdgjek.exe
4968	Kpepcedo.exe
1012	Kkkdan32.exe
3084	Kmjqmi32.exe
4672	Kdcijcke.exe
2168	Kknafn32.exe
4612	Kagichjo.exe
4120	Kcifkp32.exe
3464	Kkpnlm32.exe
720	Kajfig32.exe
3208	Kckbqpnj.exe
1408	Liekmj32.exe
1856	Lalcng32.exe
2520	Lcmofolg.exe
2960	Liggbi32.exe
2276	Laopdgcg.exe
2624	Lcpllo32.exe
4068	Lkgdml32.exe
3592	Lpcmec32.exe
1500	Lcbiao32.exe
1276	Lilanioo.exe
4820	Lpfijcfl.exe
2384	Lgpagm32.exe
4480	Lcgblncm.exe
5000	Mjqjih32.exe
2184	Mahbje32.exe
1672	Mpkbebbf.exe
3028	Mgekbljc.exe
4952	Mjcgohig.exe
2840	Mpmokb32.exe
1516	Mgghhlhq.exe
3276	Mnapdf32.exe
2628	Mpolqa32.exe
3732	Mgidml32.exe
5100	Mncmjfmk.exe
4540	Mpaifalo.exe
2708	Mcpebmkb.exe
2136	Mkgmcjld.exe
1736	Mnfipekh.exe
2308	Mpdelajl.exe
3212	Mcbahlip.exe
3404	Nkjjij32.exe
2592	Nnhfee32.exe
1680	Nqfbaq32.exe
3256	Nceonl32.exe
644	Nklfoi32.exe
1280	Nnjbke32.exe
2764	Nqiogp32.exe
1136	Ncgkcl32.exe
1140	Nkncdifl.exe
464	Nnmopdep.exe
660	Nqklmpdd.exe
2380	Ncihikcg.exe
1796	Njcpee32.exe
4224	Nbkhfc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4772	1600	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkkdan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3972	4544	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe	84
PID 4544 wrote to memory of 3972	4544	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe	84
PID 4544 wrote to memory of 3972	4544	ac718f4bac5a76e290b6c27a07c14561_NEAS.exe	84
PID 3972 wrote to memory of 4000	3972	Jaljgidl.exe	85
PID 3972 wrote to memory of 4000	3972	Jaljgidl.exe	85
PID 3972 wrote to memory of 4000	3972	Jaljgidl.exe	85
PID 4000 wrote to memory of 3512	4000	Jbmfoa32.exe	86
PID 4000 wrote to memory of 3512	4000	Jbmfoa32.exe	86
PID 4000 wrote to memory of 3512	4000	Jbmfoa32.exe	86
PID 3512 wrote to memory of 1612	3512	Jkdnpo32.exe	87
PID 3512 wrote to memory of 1612	3512	Jkdnpo32.exe	87
PID 3512 wrote to memory of 1612	3512	Jkdnpo32.exe	87
PID 1612 wrote to memory of 3536	1612	Jpaghf32.exe	88
PID 1612 wrote to memory of 3536	1612	Jpaghf32.exe	88
PID 1612 wrote to memory of 3536	1612	Jpaghf32.exe	88
PID 3536 wrote to memory of 4832	3536	Jbocea32.exe	89
PID 3536 wrote to memory of 4832	3536	Jbocea32.exe	89
PID 3536 wrote to memory of 4832	3536	Jbocea32.exe	89
PID 4832 wrote to memory of 1020	4832	Jiikak32.exe	90
PID 4832 wrote to memory of 1020	4832	Jiikak32.exe	90
PID 4832 wrote to memory of 1020	4832	Jiikak32.exe	90
PID 1020 wrote to memory of 2188	1020	Kaqcbi32.exe	91
PID 1020 wrote to memory of 2188	1020	Kaqcbi32.exe	91
PID 1020 wrote to memory of 2188	1020	Kaqcbi32.exe	91
PID 2188 wrote to memory of 1160	2188	Kdopod32.exe	92
PID 2188 wrote to memory of 1160	2188	Kdopod32.exe	92
PID 2188 wrote to memory of 1160	2188	Kdopod32.exe	92
PID 1160 wrote to memory of 1760	1160	Kgmlkp32.exe	93
PID 1160 wrote to memory of 1760	1160	Kgmlkp32.exe	93
PID 1160 wrote to memory of 1760	1160	Kgmlkp32.exe	93
PID 1760 wrote to memory of 4968	1760	Kmgdgjek.exe	94
PID 1760 wrote to memory of 4968	1760	Kmgdgjek.exe	94
PID 1760 wrote to memory of 4968	1760	Kmgdgjek.exe	94
PID 4968 wrote to memory of 1012	4968	Kpepcedo.exe	95
PID 4968 wrote to memory of 1012	4968	Kpepcedo.exe	95
PID 4968 wrote to memory of 1012	4968	Kpepcedo.exe	95
PID 1012 wrote to memory of 3084	1012	Kkkdan32.exe	96
PID 1012 wrote to memory of 3084	1012	Kkkdan32.exe	96
PID 1012 wrote to memory of 3084	1012	Kkkdan32.exe	96
PID 3084 wrote to memory of 4672	3084	Kmjqmi32.exe	97
PID 3084 wrote to memory of 4672	3084	Kmjqmi32.exe	97
PID 3084 wrote to memory of 4672	3084	Kmjqmi32.exe	97
PID 4672 wrote to memory of 2168	4672	Kdcijcke.exe	98
PID 4672 wrote to memory of 2168	4672	Kdcijcke.exe	98
PID 4672 wrote to memory of 2168	4672	Kdcijcke.exe	98
PID 2168 wrote to memory of 4612	2168	Kknafn32.exe	99
PID 2168 wrote to memory of 4612	2168	Kknafn32.exe	99
PID 2168 wrote to memory of 4612	2168	Kknafn32.exe	99
PID 4612 wrote to memory of 4120	4612	Kagichjo.exe	100
PID 4612 wrote to memory of 4120	4612	Kagichjo.exe	100
PID 4612 wrote to memory of 4120	4612	Kagichjo.exe	100
PID 4120 wrote to memory of 3464	4120	Kcifkp32.exe	101
PID 4120 wrote to memory of 3464	4120	Kcifkp32.exe	101
PID 4120 wrote to memory of 3464	4120	Kcifkp32.exe	101
PID 3464 wrote to memory of 720	3464	Kkpnlm32.exe	102
PID 3464 wrote to memory of 720	3464	Kkpnlm32.exe	102
PID 3464 wrote to memory of 720	3464	Kkpnlm32.exe	102
PID 720 wrote to memory of 3208	720	Kajfig32.exe	103
PID 720 wrote to memory of 3208	720	Kajfig32.exe	103
PID 720 wrote to memory of 3208	720	Kajfig32.exe	103
PID 3208 wrote to memory of 1408	3208	Kckbqpnj.exe	104
PID 3208 wrote to memory of 1408	3208	Kckbqpnj.exe	104
PID 3208 wrote to memory of 1408	3208	Kckbqpnj.exe	104
PID 1408 wrote to memory of 1856	1408	Liekmj32.exe	105

C:\Users\Admin\AppData\Local\Temp\ac718f4bac5a76e290b6c27a07c14561_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ac718f4bac5a76e290b6c27a07c14561_NEAS.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\Jaljgidl.exe
  C:\Windows\system32\Jaljgidl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\Jbmfoa32.exe
    C:\Windows\system32\Jbmfoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\Jkdnpo32.exe
      C:\Windows\system32\Jkdnpo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        54⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        67⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 420
        68⤵
        Program crash
        
        PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1600 -ip 1600
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gmlgol32.dll

Filesize
7KB

MD5
fd41c68c52ea7714023506e7082271c0

SHA1
cd7b6cf673134bbf30682e2bae4f9188f282328b

SHA256
d051557c4d0068e3a89bf14ccf43c051f1dea5b8f9c4d86189ad38252b6b0d99

SHA512
2abaf6488363adf004c13d4ba6c43ce155d4e7ae1ee05ebf3f3e93398266e880e0a9dfdb58510233a6813eee5f7e1c8de91250dc34ef579d0c516e9d05f7a0a4

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
72KB

MD5
bc537581945c88a6f777713987c4bfbb

SHA1
8243d028e0e7e82109a6b59118f21f8dd9554ebb

SHA256
7261b6efc04830de5e67ef465a1b26399e6a8dc77a2ba390635653bbd9a1ddd9

SHA512
1f56950632be813faa30322d524353a6308cee75c6c620e3e569d68baf6afaadfaefc31dd1e3cfaca8c21edae8ef835898ea49f885e48bfd3866453f550bfc3c

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
72KB

MD5
599dcc786e78b29f8c255de322fa6b10

SHA1
67c0c9103dfb1831ede755ee3fc26a9fb0ea29ad

SHA256
342a8d13155bca5073a90dd2513c05588d7ebc2609deeb5986066e3380b9ebcf

SHA512
306a3cea828434713f4462304091cfb8b4cbab3f7f12a6b0e9a376ecb5854def422b52beaa49f6e21f7f46a248f9f81b726cad0c38d50924e8e9b15784bdd6d0

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
72KB

MD5
ddecfea2774fc4503d5d059fb18001a0

SHA1
31bd66bd4d643646e8f074f29b4a580aa3b6c373

SHA256
8a901944356be7385bbfa0b75d38b87e60a9aaa0cb37f2e3f6cf3b8d74981747

SHA512
cf3d60c83034b140ec84369471edfa39329cddb8cb4f368fd9993dc5b29e4ef8f60b93dd060984004ed317e3b4ade4090c9826c82611c04e744746dfb4e1908d

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
72KB

MD5
5c53b0141d44f1764245370daf2b718a

SHA1
8bde314d55de8735556ddcfac93de0de145af084

SHA256
11cfd582db966ab577ee599e308b666bb4368517e014f8055cfc925c80746858

SHA512
f7b4b85e201f51b2040cbdfe800f098db98902015d722bcce7794e802e1bee8cb6713f771e64f94e853a89f5a5945ac30c59660c08261d5b1f144b52e8d33bad

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
72KB

MD5
99dc84ea1d5ecdfe007e3c1c10c21b2c

SHA1
63f561ced88523ff781d6c1d3f4c1a5590d87a04

SHA256
e86822d47402b72dcd6f1f8f777f0be23cba52928009c014295385f250873294

SHA512
b2288c1adb5e913ea2b0de08a93cedfe8ae4eb1fed2206dccd4728589e11076a524e7de681c2396d8928d1a5d79e3624dc38749aa07024f5835662f37485a040

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
72KB

MD5
cb811a754841173a279126d651e77948

SHA1
b3af718313ddfdc677415b8884a4fadbf7d798cf

SHA256
047e7ec1d87830d4ded4333871a6c2465f17769a624c0741b86cca5d32bbfb60

SHA512
18222ebb198c7fd677cec228d1c57aab5e27eeb47a6b2bbfda219d6739994d4beb331841fb7e3051ca999525cd8cdaa2d3a42d88c9cf448a04dfbe1c5f063c30

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
72KB

MD5
af85272aa86fac12bafc755f7322a80f

SHA1
cddbe34897605914a44380fe4f1ad9ee143ccee2

SHA256
437ccab09b4e939c7237289dedbd55cbad1221eff89c94d52674804fbaf76b64

SHA512
ad6355a3c82f3e39cd0c1d3f996a25735573ebd7264e8d43074589f7a6434823c3a68fc307a762a307ca9d80281e498a444b9f625a4307a8c2fc4bedfb55fa98

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
72KB

MD5
d7560069e9275f62af890452a2797f00

SHA1
2cf3e45e8812f91f2f7c0be09f1f2c3e1e2000cb

SHA256
a20397f4a0117d36de9854f52221bbede1d8d57f7e66bdc9fa85414ef565505c

SHA512
37ce3036a91d8629505b51ce04d0ca8bf1c4feecaf0cace9483f2b7ccc615b916a0fd74e60e491395a3b36fde2867cddfc1ed6b497d9489c7700ed3da828c7ea

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
72KB

MD5
2e03cd9e5bcdaf663af1ccfa2519d414

SHA1
011ab522661650db08a1830e26f3d09bff9c0654

SHA256
a1dd5fbed6f8f65280e5e197cfb12a2c8ba10f2d9e10cc17092c33fd2bd5c8a9

SHA512
118bbd00c8508f9ad0efec7a7e71dabc9b657ca4c449e1af7f91f482ab776ade76e5fdd682a4e350935bd77513956ffbaf1b9f04e53b28218554224727482968

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
72KB

MD5
1b22d5f51542a66665628e0bb8bf70a2

SHA1
59523a505a44fd4e13dd76815c76540db8b3b3b3

SHA256
ddd5263804ba9c3e70ee9821a19d266882d809a09fc2aaccfb0744a56a144148

SHA512
8435028a2c7ed0b1060caeb7a6604ca7471fed435a5d843b4aee7f2d0591581010c1f89b1bc0579a0acd2256e65dc3dfa96bae62f42c4d93298b1e9b871fa28e

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
72KB

MD5
ec51f445635e84d660294cee6264e4d1

SHA1
e39f183b74504f4e71fafbef9fa52168fea97c77

SHA256
6a001759fcdb9b5b5b4517173bb8eccafda9a935431c95a475ce0e4aaf1fcc37

SHA512
f114cdf74f483d768dba41fef3fc435863acaaaedde2ba2cd6838e5b971707fe5778e6d41f8410690f2c1f939ee70666365a65b33fe83a77442431d8c05bbff2

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
72KB

MD5
aca7f56763b6ad468adffacb21fc47fb

SHA1
2822d3cf948a00f4f02841501b5229fb147062a3

SHA256
c63e5b4faf4157b77b9f91c1eef0f44012d511db18ef3cfcf59c84b7f7c119d9

SHA512
4223d55da420fe0ae9f1479eb79ccb564cb5967df22644b9a1902724f2d80e3f5faaead1ab508435ada4ef632b3208b1edd737b25bf6b8c2724686417265dfd2

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
72KB

MD5
08a0740198db52ed22ef208f420fc822

SHA1
c9ae7a81f93e9a2826675dab422c954a6eab830b

SHA256
4f7229334ac6d89d6a147ea3b09019d5e1d6af6cb57a71754aa4fbedc25f1c19

SHA512
399521ed13fcf605b4cbd9263b7be4d86f16b5f3a824e27130987455bdf62cb417d33911381715e3bc503034cf578995996d46a710ed07c898cdbbcdc5da4f1d

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
72KB

MD5
ffa6fc3f5406ade60fd2467307e413f3

SHA1
ac815be45f960db6291ef41ae4b3f097a438cf10

SHA256
47f14d20547e5d6181216f81ab9049c6ed3508f909f86579d8fc6509d4466307

SHA512
e4120bf2476e456cf8ce7c219d5f49b2777667c1d1a5e4073cf9dbd30de9545c8d22f08c7eb2986b4b5fd2594f42fe72fd7e31f3d35aa58353dd8765df7a62d3

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
72KB

MD5
7940ca270a16d10188352af8a9fc47cc

SHA1
c1f716d1f8f8faa62d6f37eefc28cee6190159ba

SHA256
94ab29b07653356d96b97783d04ebf7ff923626e46051f16bdc506d4d55d3282

SHA512
0d88391dd044a479b6f4536be687c66e6ac33aa3d31fc9e6a01c07138ce47a3787c97f74e55e0eda2e5890a07820def248e7926df0886bc6cc3b9e12fbde7cfc

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
72KB

MD5
d2096467440050542be8a4beaa206e50

SHA1
4659a9a5e20f57915ab292b849998c133932859e

SHA256
ba98356681997258ac46b5c38acf2a60cb144cf7008cb84e64594083ffb9ac56

SHA512
4feae16d8264d63c477383cbf0ef32950a81f1e4efac9dc874438ab1a34b9d2f9626f8580da4de0385c93bbf1717942e8b02156cb9bc769257fed31a4511fb34

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
72KB

MD5
3f8206324e6b9ac258561302c8de9f71

SHA1
bad3f51ac949ec15ad4f33ce24dc23fe1fd5ada2

SHA256
921d02a8991076aa4d19c594ea60f394b0164ac5afdd3adff9e0d3af3ef20be5

SHA512
03185b76de6831012d7a83000ebcc56ebc4a1ebb51099cf2f858d69341c86a8044294ae35276c32b94238458192e4c142bab5468f7f222a9a59fc6ff1efe8d8c

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
72KB

MD5
e0bc1bfc520b2cf62780363136b9178f

SHA1
ac931d9db96263bcd232f5e554b87ba4abfb5d43

SHA256
1e8e608655bbb8cb4f0ee471bacc77f5c20d2bc3fdf959a4786c71cf5f8d5185

SHA512
c062274034a2df3751c8c4928d6fba6e53a1ecf7b30ce8de0aa65c8d6d3c6778aec0db293af2e55392bca371bb24d7df659093047063c6ddf194446a2c9eeb36

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
72KB

MD5
724906eb16787582867b2a128a0af570

SHA1
114afdd452c8bf9ca2e4c432f4e95cb83d802306

SHA256
9fa4577477f9fe36269c18fffb2eef3fd46bf7aa2d15079f4f73bca05af1258e

SHA512
626374fff02079a3370aee7222b0ef6cabdf20d2d131572ab34a42436106414e788bb0a6e6ce74602ede2a64fb583d25b3ff4ded909e858912f68afbf2d8648c

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
72KB

MD5
5c042f831fc1a593e29a6d71d7d9bd7a

SHA1
ea39baaddf8315e7ac6f095e36eb2be5bb7f4ba5

SHA256
54c269f08808596bf6b9074edad6234e3073a6e30cb339f36b23290533a2c72e

SHA512
78f26d15cb724fff227fc7370b36f300d794f428806b6c426b1e18ebbe968bf91589b1fca50ec37c3a672eb21b2768bdec9bedb6083e43e3b24faad8e1d05477

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
72KB

MD5
8e1538b5e0d0172964329fa7465b6d98

SHA1
b71f214a17616962ed413c73e1731bc36fb97ea5

SHA256
cfbb7486c45c7498be54bd94402568b42802bb76d20c771a312f8285a640fd17

SHA512
c73f9889817bc0340ad096106e78fc49360636ac806a448ccef78260291105bed3958790e05b57b9ceb90b803590cb1048dc7c94c3750f8d92e48fb5903d3fef

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
72KB

MD5
afdd561a815d220f4ae3141fc09c3556

SHA1
bde54a108ede21251f872ff3c65d93497d4457ad

SHA256
2e1e19ace797f379b65e4442db65781a87c2451f8f5038265868fed5b710f8aa

SHA512
c1414de73a50b85635d2d594627233d6a8dc4501c65a9a7f113f4ec392968a465f5ad07ede1abe75429e5bb95a600e4a437f831509bc6c1334ffb422c5a06519

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
72KB

MD5
be834323ff44c240fa1680014e801798

SHA1
77f5a1d8316a07335af918185a669067cb28e058

SHA256
78cb19d3e0791fca4d8087a8d69dad468d27a89e91fa44b12ba3fa2a91f4bff7

SHA512
b9fd19d6ae0d6833cf8cb09d75634ea908c876df70b5fbd5de07b0ddfd13434b1a3b9753d7a00b78de2f761a2d69cda89afdf50b6d964e4314bf252b8f936a9e

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
72KB

MD5
aaf93b6bf070fb5c469ab104c2679d88

SHA1
2d08b27d30154a137f55b2ec2a0757a8b88cf8ad

SHA256
036066cc38eb0c183047b69128c7f237064d3741416a1f6f3bb28db72c7a10c4

SHA512
0b3b7eae8af951ba1fa6a05a509a8c62d40140f59583f467503b263b73f3a0e17d3c04cc896f2bab1579a1b2af3bb4a797a6ec49605c43c0778bb83148bc7b83

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
72KB

MD5
2a71bd62e687571c34fb5621edac2591

SHA1
b4490b907f33a31acebabc5e75132bd63d99732a

SHA256
8206a87a292271aea6447c418a5b51751452ad8350da558f3aa28ad82ffbe9a4

SHA512
666bf40cc9b76ecf459dc4f40fafaee63732099b79da076848993f7b0119ff4a5469013047a0b479587a8a3dbd15f5c31a6af522375158702013bebce2cd45bd

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
72KB

MD5
d06c1387a9fc00924cd80d75d2511480

SHA1
c77aa1877e807067665e034e4c54f7c402fcc3d5

SHA256
a1d40c15bac4f30163b43094795b15f29f32027ced3b0d7dd1e35d276de0b96b

SHA512
b06ab2b85c2b08534c8b83c22d77f8d3f42c9a0e8cd4349b3eecbf960dcba81499297632937a662c03870dafc7bb388e2aeb7b9d1076d1645c1c341d3f6e119e

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
72KB

MD5
2f6994ff252c1d927e05e64a5d26f6ad

SHA1
5a79449af762e1f36eb25da35692f8c1a67c9054

SHA256
c37c919b306ead03d393dc99f7dd4c48639c47aedce53cb49dc65fb5d02cce30

SHA512
bc3fc3b6d2cf701017264615817e84e4870e26dac4054e1ff25006d755d839747661e891da5d3175f77e8af67309635053e7c91320e0a2bad38102b592880a18

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
72KB

MD5
fd7e1ef82d13358be83797d2240a9637

SHA1
b8273ebc551cc7a0f75a4f0f358c38f03bb730eb

SHA256
900affd2f57918a8922826ad10c8b947a672b18671677c6ed742e2f114d504fc

SHA512
0e27784c1d7fe9f65a7a00cebe46b260ee3c10e8582b2e3c083fb5533f1ce1d224123b16fe9b136ea1cbf180a9bb2f4b6310e14a17d2014558237b7be5beb1dc

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
72KB

MD5
56f134940fa7a05d7f219bd1f0b708a0

SHA1
945196773f607ca66b3d74a1229a49603999fd20

SHA256
8d92a101566b3ae7bb491db6471fecb0e693b444b5a9afc64171bbc82c1b7afd

SHA512
b21eb2daff67d96df5efe7248cf66c274ff5e7e9274e7ebd315740490922d1a24a18f401211259258a1dd3ddb79fa295ae662755347c7ef54a28b91da0e2a54b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
72KB

MD5
b1446c9dfc259b8ee3d5a2a6d462e4fb

SHA1
73d62dc75c563fee376b46f26b065f8dc3e742ac

SHA256
03413c5db961319ba9374c2ca30ac5542ba07b20fbf9a753ff8d8a9e8eda95ca

SHA512
0e23ce24a0b052dd32d4f9d9e361a1ef9b203024ca3b0af0c54c24021f2d517273b8b14c2363c671fced8eca08428cc6aef7dcb7d6d745b07d41356c47c55d7e

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
72KB

MD5
614ace49b02429d372dc22c8b5f44e24

SHA1
8ca70bd225939fefb5a92b5a6a5e2287d067c5ac

SHA256
b5e1725140a58fbc43c1c7d388ffdb25bd793a609bc4653d84f221895587d738

SHA512
e4afb298cf0ae0561e6c93b7cea7e350d9948439728a0ee05a5602a80e3b8dacb1023699442dea3819ea583c81ff4c0d9c4298cefa0ab47b96358da291c80d18

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
72KB

MD5
c982ef83f220475cc5b580df6a82a9e0

SHA1
1506efb0a56e4e09bd97992f4ad5666cb3ab31e6

SHA256
e4c6899fb2fee1a55b68e09807ba9974d6a9997c7892cf795b64809945d769a3

SHA512
e57911de97e66c1154790836c11de2ee10c2e93bd689aceb56d6fb146b57072cce76c5ede7e45f3b7d5b57011492a6348ca4642bb24b1db6dcafd2f863d316aa

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
72KB

MD5
14f85dcff8dcb51d48a4e144c2849968

SHA1
cdb99d75fa9dae996fb4dc8c4871a1927748d930

SHA256
0a4355d79c453f170ceecf2aa5f47cbfb2b9d4e2c45134c9228c118a53db2d7d

SHA512
b155ea7cc04b70f7308dcea14ff5274261c1d8b3c2f612616033814123a25a3985387174a8f0c2c42991f176b389a7e80f78c9bd6f8455f6f2e58a2ae080b854

Download Submit
memory/464-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads