b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856

Analysis

max time kernel
139s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
Size

144KB
MD5

b1413ebf540f442badb3cd990d0014d6
SHA1

44202fa79a2485a3959e51c95ebd6bd8c4f23959
SHA256

b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856
SHA512

07aa8f22caee97266a5d81812b353e0ba3ae3dd08f3dd9d4787428ce71ebe694bcd8947257bc53fbca151ab6a9400c343d95c4a97c2cd003cf097bd3c419e1a8
SSDEEP

3072:2eHEN0i6/bdQsZSKxXszGYJpD9r8XxrYnQg4sI+:tHmI/bd7sKl+GyZ6Yu+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe

Executes dropped EXE 45 IoCs

pid	Process
4768	Kkkdan32.exe
4596	Kaemnhla.exe
5092	Kphmie32.exe
4892	Kgbefoji.exe
1600	Kipabjil.exe
432	Kdffocib.exe
2884	Kibnhjgj.exe
4432	Kpmfddnf.exe
4868	Kckbqpnj.exe
2108	Lmqgnhmp.exe
3224	Ldkojb32.exe
2008	Lkdggmlj.exe
4088	Laopdgcg.exe
2860	Lcpllo32.exe
4464	Lijdhiaa.exe
4196	Laalifad.exe
4576	Lcbiao32.exe
2548	Lnhmng32.exe
2916	Lcdegnep.exe
4100	Lklnhlfb.exe
2328	Lphfpbdi.exe
4840	Lknjmkdo.exe
2160	Mdfofakp.exe
4812	Mpmokb32.exe
3804	Mcklgm32.exe
2592	Mjeddggd.exe
3356	Mdkhapfj.exe
4912	Mkepnjng.exe
4472	Maohkd32.exe
4928	Mglack32.exe
4936	Mnfipekh.exe
4700	Mdpalp32.exe
1740	Njljefql.exe
2576	Nacbfdao.exe
712	Ndbnboqb.exe
3252	Njogjfoj.exe
3756	Nafokcol.exe
2476	Nddkgonp.exe
3652	Ngcgcjnc.exe
1868	Njacpf32.exe
4396	Nqklmpdd.exe
2628	Njcpee32.exe
2560	Nbkhfc32.exe
4376	Ncldnkae.exe
388	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	388	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lnhmng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4768	3576	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe	83
PID 3576 wrote to memory of 4768	3576	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe	83
PID 3576 wrote to memory of 4768	3576	b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe	83
PID 4768 wrote to memory of 4596	4768	Kkkdan32.exe	84
PID 4768 wrote to memory of 4596	4768	Kkkdan32.exe	84
PID 4768 wrote to memory of 4596	4768	Kkkdan32.exe	84
PID 4596 wrote to memory of 5092	4596	Kaemnhla.exe	85
PID 4596 wrote to memory of 5092	4596	Kaemnhla.exe	85
PID 4596 wrote to memory of 5092	4596	Kaemnhla.exe	85
PID 5092 wrote to memory of 4892	5092	Kphmie32.exe	86
PID 5092 wrote to memory of 4892	5092	Kphmie32.exe	86
PID 5092 wrote to memory of 4892	5092	Kphmie32.exe	86
PID 4892 wrote to memory of 1600	4892	Kgbefoji.exe	87
PID 4892 wrote to memory of 1600	4892	Kgbefoji.exe	87
PID 4892 wrote to memory of 1600	4892	Kgbefoji.exe	87
PID 1600 wrote to memory of 432	1600	Kipabjil.exe	88
PID 1600 wrote to memory of 432	1600	Kipabjil.exe	88
PID 1600 wrote to memory of 432	1600	Kipabjil.exe	88
PID 432 wrote to memory of 2884	432	Kdffocib.exe	89
PID 432 wrote to memory of 2884	432	Kdffocib.exe	89
PID 432 wrote to memory of 2884	432	Kdffocib.exe	89
PID 2884 wrote to memory of 4432	2884	Kibnhjgj.exe	90
PID 2884 wrote to memory of 4432	2884	Kibnhjgj.exe	90
PID 2884 wrote to memory of 4432	2884	Kibnhjgj.exe	90
PID 4432 wrote to memory of 4868	4432	Kpmfddnf.exe	91
PID 4432 wrote to memory of 4868	4432	Kpmfddnf.exe	91
PID 4432 wrote to memory of 4868	4432	Kpmfddnf.exe	91
PID 4868 wrote to memory of 2108	4868	Kckbqpnj.exe	92
PID 4868 wrote to memory of 2108	4868	Kckbqpnj.exe	92
PID 4868 wrote to memory of 2108	4868	Kckbqpnj.exe	92
PID 2108 wrote to memory of 3224	2108	Lmqgnhmp.exe	93
PID 2108 wrote to memory of 3224	2108	Lmqgnhmp.exe	93
PID 2108 wrote to memory of 3224	2108	Lmqgnhmp.exe	93
PID 3224 wrote to memory of 2008	3224	Ldkojb32.exe	94
PID 3224 wrote to memory of 2008	3224	Ldkojb32.exe	94
PID 3224 wrote to memory of 2008	3224	Ldkojb32.exe	94
PID 2008 wrote to memory of 4088	2008	Lkdggmlj.exe	95
PID 2008 wrote to memory of 4088	2008	Lkdggmlj.exe	95
PID 2008 wrote to memory of 4088	2008	Lkdggmlj.exe	95
PID 4088 wrote to memory of 2860	4088	Laopdgcg.exe	96
PID 4088 wrote to memory of 2860	4088	Laopdgcg.exe	96
PID 4088 wrote to memory of 2860	4088	Laopdgcg.exe	96
PID 2860 wrote to memory of 4464	2860	Lcpllo32.exe	97
PID 2860 wrote to memory of 4464	2860	Lcpllo32.exe	97
PID 2860 wrote to memory of 4464	2860	Lcpllo32.exe	97
PID 4464 wrote to memory of 4196	4464	Lijdhiaa.exe	98
PID 4464 wrote to memory of 4196	4464	Lijdhiaa.exe	98
PID 4464 wrote to memory of 4196	4464	Lijdhiaa.exe	98
PID 4196 wrote to memory of 4576	4196	Laalifad.exe	99
PID 4196 wrote to memory of 4576	4196	Laalifad.exe	99
PID 4196 wrote to memory of 4576	4196	Laalifad.exe	99
PID 4576 wrote to memory of 2548	4576	Lcbiao32.exe	100
PID 4576 wrote to memory of 2548	4576	Lcbiao32.exe	100
PID 4576 wrote to memory of 2548	4576	Lcbiao32.exe	100
PID 2548 wrote to memory of 2916	2548	Lnhmng32.exe	102
PID 2548 wrote to memory of 2916	2548	Lnhmng32.exe	102
PID 2548 wrote to memory of 2916	2548	Lnhmng32.exe	102
PID 2916 wrote to memory of 4100	2916	Lcdegnep.exe	103
PID 2916 wrote to memory of 4100	2916	Lcdegnep.exe	103
PID 2916 wrote to memory of 4100	2916	Lcdegnep.exe	103
PID 4100 wrote to memory of 2328	4100	Lklnhlfb.exe	104
PID 4100 wrote to memory of 2328	4100	Lklnhlfb.exe	104
PID 4100 wrote to memory of 2328	4100	Lklnhlfb.exe	104
PID 2328 wrote to memory of 4840	2328	Lphfpbdi.exe	106

C:\Users\Admin\AppData\Local\Temp\b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe
"C:\Users\Admin\AppData\Local\Temp\b838df1f38cd950a008f00e14c94424b537bb8fa15d543488e329a05e260b856.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\Kkkdan32.exe
  C:\Windows\system32\Kkkdan32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\Kaemnhla.exe
    C:\Windows\system32\Kaemnhla.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Kphmie32.exe
      C:\Windows\system32\Kphmie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 412
        47⤵
        Program crash
        
        PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 388 -ip 388
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
144KB

MD5
3c619813d8fd84eaadef475e79313983

SHA1
da3f7fb004f7863681fe0dac0c62bb559133d1e6

SHA256
9806e50869b7cd4875d0aa868ee4d95d568d93badef2f9bfc8f63d394451a2a4

SHA512
6d14a79473e5aabf4f11f384152d2904473f4d804c4798aaf61bfe91eaf3f7ac94b04a1f1f325a6064eab68068cea77e569e09c96945189266b57f3270583415

Download Submit
C:\Windows\SysWOW64\Kbmfdgkm.dll

Filesize
7KB

MD5
5b6e043d8a64e7074a6184fa11c5fddf

SHA1
2c6d4b70f40cf05188869ef802c5c11bb3cf4237

SHA256
2c2c20d846aeb69bfeddb511aed4ddfbdc60e63b59c30fa107e56ed2b0e4a53a

SHA512
34f5bb4794099e3d735451002fa9b8b422e2547174ef6e698681b8d1ccf235ee2c376886031ad54516aec8e4b95eab3b7f4727116835151f3c77898fbbeec793

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
144KB

MD5
8c32cd98bbb9e344bc7b02e0239e97a2

SHA1
9a8ccfa9cc3455f09d57848850608512b7fcebb0

SHA256
f957080f7fedb2ec584671ffde701f07d8535cb7b1ae62daa65954904fffd625

SHA512
5dbe4e3f81adb8b346054425f34893c6dba85ae7d5bd32034edb5d72616ec19273b99085124cbccc71de553014633ecd16453f8c0412f666a8fafb7f8adaf1c0

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
144KB

MD5
71421e495ea0a944d918ab8c2f7b4907

SHA1
8e7caf4b2e17ec12e92070c490d6b13a9cfb37b6

SHA256
be6cc7ef7ba58707da368833ecd789d32d4cbdf626f9585b7bdb0c9056ac05a8

SHA512
caeedde67fd0e1dfe92c826efd800914833dad57e3b013445166a6f5d3c33bca0c2a84ce8207bea3a6239fbf58ed45b19ac6548524118073c2ed0d01b8079367

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
144KB

MD5
d07c9441e56678e3886259c7ac9da701

SHA1
d0315d60fb9d0fc0c0e09f6b98d8823e17d2ada2

SHA256
c76ba046eea165a3128fb6d9ebfa5f240b8189fbdc884ba48c8f2f7e2c328a65

SHA512
974f58fd5bd8f1c6f7cf7b63c43fa9403698184200b6cacad1a21249f91bce4696fed1910fe5578b118ced6ec2af338f8dbd9a4e56df8e0810a7dd70455a71c3

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
144KB

MD5
c9574a0d5b8b350f88f370fe242b86bf

SHA1
314b79a204ff4ab4dc001fa870f1af4f2b54d3e8

SHA256
fb24d59b61f5c3158dae5ab24270e3f8889317ad1cc2de31dd621c03b9312109

SHA512
6c7eb6345cd9c756ff798edc3acf960c5263e28d60b2be24d54f5ec6422f8a43c03756e3a223842f9a2ceeaa6b8da52ea910d6e4cf9f96158ca8aaa33c63295e

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
144KB

MD5
057911a08e9029ccbc505582fe4d141b

SHA1
25effc162b737d1ca7532320fc37c3e6757d007c

SHA256
9e1aec5a25cadbfc99ec2b7969a40e354105b89f194d1d81c6b9cf8a2b388f41

SHA512
c6a48311126c39aa6136f8619dddf7cf665f1304c2284a6528b856e7a1e464665f05869b8d1ee174e9c023f1fe72f3624f49926d5dab548690493914d3f16e8c

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
144KB

MD5
55a8f69d8e2418351577cb4409c883fc

SHA1
cce7a9320ea3904630274187934d5c105d164fc8

SHA256
0564cc6b83fb81b8755f63eb7c8dedb5d29949570dc9ae3c7d94d1fc63bcb354

SHA512
8028faccb9cd4e9aab96871137c3a5b3bf28a469e8a80810bbd07e0443a98561e88512f5e00023af7863578eeb062c5ae8621f1411a96f81ff903847da02b65e

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
144KB

MD5
1b2fbbf36ecc02970297537975807df7

SHA1
6ab33ee18adf051a5da729c008371a67bcc29ac9

SHA256
9fc4601de463cc9c8212faf3cc7892604ca0f1098eeb8ad93e088dbc93718515

SHA512
f23f9a64599d3f95393209b9511cbf43585737d75e2c750e6ed8e03ddf859c90bb7c2cface4c2007fbefcea7213278c9556b548dc933b919eef0082460891a2d

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
144KB

MD5
42b1f99437456a737474c283c898cbda

SHA1
a6ce7dbb3d7be22aaa90c2619882daf4e2c3d5a0

SHA256
e8bcead3f5dfe96e776a37868991b653785c985025964839875925ff19050349

SHA512
87f3b05ad6077ebbae12f4057ff6b19f9fc7ab865a1f67517cbb1ec763ece26bd4e3ff13bb194d4d7a067b1a8fd462a53780e7e83235dfbec9a9b9cd502384e7

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
144KB

MD5
028e0fe10888b4f2a1d3784681a6b668

SHA1
d66ee52d5aa22d29b8bd379e17c70c83a5d6a5b2

SHA256
7625cf3c133ae467a72ab26bc221cf9d0c3f64f0a7be1479acd0038dccdc82e8

SHA512
8c0640c083ffd6c94dfa3466787f19d1c9099dd6964bb3637e7553cf8102273d86ed4a65e03f2f2b7581f902387becae9a688c7b8a7f62496d941ce5bc9b8c85

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
144KB

MD5
dba95258f37f9d702935004ff23a6d83

SHA1
828616e64b0bd1f79d8d19aa4cc83b213e4209c2

SHA256
017410b2da3e4c694e99bce59a574e1078b9e950b8671958dd0665cec8aa4793

SHA512
7267cd1a90f604b02ae4e224858b9a422a0e017ab32257fd1c48a649ae158301bfb85f688424d740ceaefb3a036e614c47a523fb07645e53b727b8ef201937bf

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
144KB

MD5
762c15f37ca22db1dd8510a4c31b24ba

SHA1
a91de50eb549e8d9efc7b4e3d408e47cb7ea20c2

SHA256
7af98f321546e067ed14dc2eef94eb345986f8ef12d14c9b8d8288fe55701d1a

SHA512
8b1f019b254f7c2c5ba1164ecda41bab6b2352d7eb65e8a520db908fba7acadd51b56748603e13235978dd524aa43145bc40a39248aad278d55e21c7cd1b1e1a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
144KB

MD5
167059427a02b9142138dbee8e9ecb0b

SHA1
563242511a16fa6eabdaf93fe390c0992c7bda58

SHA256
b2de9921027cfbdd9dbce5457e351423f599505f4dd27ecf511fe58389cf1b02

SHA512
35b5cd9aea4739cb8b49e172dc21e2fff19f8e57798d5bdceafa8289ff840c4376263a13b38878d708d90b7d178952ef227c04f6328fc7b2d5731419b06b57fe

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
144KB

MD5
9471a9e0e8bac1f035f2df9e4cfcae75

SHA1
4b6f7cc3086feead0bc326a5d1f3072aabe25f73

SHA256
bad29e15b84d5ac668b9971f08c2c604a48006caf98113ae6b16a6dce45de4ca

SHA512
8c7a35ea4842b519f4bf89284a3daf4c0dd21b81024a8d343a4641398d5685909754d0c49d82a691e405dbda70024607c1948cc567e29e62185a09bae8a1f34a

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
144KB

MD5
8c2de6907c6a5385b4f27efbb9b1740e

SHA1
80452485118d95b9b8d7707acde560f8e380218d

SHA256
261a74210681befcc656205b33f756f5f3f3d99ae869ac3004cb821571935e55

SHA512
8c1f63b2af21a173d9e367806d73c360ad1e3305c6f3f06e027928b92818c253392e685a94b02f2b996f4a45036d011c0397254706b64d85eca5d4cbb704dea7

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
144KB

MD5
5fb95aac624a029fc676bb036d606c51

SHA1
64544e132372875bb3c0ef2c5d9e090925fb2d18

SHA256
cc137aaa8ea4c6ffdd08eb55fc0033559d0feb4e49ab71409b1335e32b7c415e

SHA512
58199f22a38049df44e41054766f97e5cde4f9d052a85fbf2dcb337bff92603613844b4a5143aa67831cfbee12ef14383222986c9fd3697c0fbbf03729b745f9

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
144KB

MD5
3969ea647defd3faa5291505a378f292

SHA1
2a7dc7070ea654653e58a9bb7e4796bd2aa86847

SHA256
4f6cbb65842c64408ca60bdbf9d0652a83528b2017f960a5d1299343e4aaae18

SHA512
a86094436f8631a1f71736a1ffd311236e8e454ae064e5a4bea662636e144ea7702b36fd585e842e2b65662e351e9f84bcb17c43271919ef3fabf5584b559d78

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
144KB

MD5
dc53da49767057bd62ad3da5abc5c655

SHA1
347c587776dc54072f295db2d4ae2d34664d45c9

SHA256
d08bd273ae23f52cf31be15fca6fa78faff71f75f9c41905ef1b4d37c9aa756f

SHA512
10d42160437eef885f623d08af03b141e0493c7dfe80f86434b0f2fc587045ea14d4f611e4ba38e3a2372f1af0797ddba9180183c0bc9470e7be0600b41a4a08

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
144KB

MD5
4abb9eca0c621b9486a8cdd342401930

SHA1
611a4d6d38f56e938bd3b6f18bd3a6e0d56a355b

SHA256
19a1f6d23b637b2dbb3b9360f97c0df4defd54b57418ebeba22fb9be54bb24e3

SHA512
0cba86c3b1788d7dc01c12cf791e5b8293f92b9370c027afe73b73bbf835b8ee2bb9750dc15e87f288cb970d00d0167db688da6675fa73b1f047e21ae301e43a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
144KB

MD5
c7f23cdd14b6ae28da66dd854b696e5e

SHA1
521a8453d233a920dd8812cfb36f82a94e0e88b5

SHA256
d6a91d00a01a65b69279adc34bd076080ddc4eee34bc3594e62f22a65eb4dc54

SHA512
60ef6c42bf689ee2a77d2c425720fba363a7299eef87ac4753199a79dae9034ccf01f1d159bfa3f1c486db64e0f499cf74e60b351d412574573ed418f89a7c18

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
144KB

MD5
092608c31cb5eefebdfd95356f0fd2c4

SHA1
b55ecbcd1ea2bc965099d3a1de941ebd7e3a6657

SHA256
a73a486ef29e7943454de178f74cd8a26ce654810afab1a8cc47822749286f32

SHA512
674c5109249fdc08a3f65c5badc30c97467fe79990af49d750b2ca326d8d21ffa0be3eb08c04060392d3af8304075ab9777d7f1e67c7a0052f527072448ff11a

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
144KB

MD5
4812004314f04810f5e59471204459d4

SHA1
e0fecee43a788d12f3078943f51fd9159dfc4847

SHA256
41bd8adacf2207f7dcb9587faa055bf0be146a2035dafc05451b83db180ff16a

SHA512
daeb538f472daebe6093c9e3df276b44be96872ead5cdec98c7467ddd484a19d41b4036054fd8ddfca989c95155175b232ef2c04af726639af8665f8558bdb26

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
144KB

MD5
466858a9019eb3205d7e869c5fb45df5

SHA1
48c229c0bef57afbd7a8dfd72e973cc6f9fb9f4b

SHA256
baa841d56fa50e510855c21f2a4a5f64de708747564b141d79f07c27019d6388

SHA512
89b9033e0b1cd30018eaa5d14032462f1f271b95b157878b864bed45fb3be79d85a8f70b41b6c6866513f75f6c0d64115d7753e9bbf65cb1dde43d08d3d9f706

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
144KB

MD5
1773c92a335e1cea3285ada120372cdd

SHA1
dd1c8755880ca73a745b109a9e67c5cbe14897c3

SHA256
c5f54f261f1e6950788e90ded28620e8f2ab794bb18c2629715ca652f103dcad

SHA512
32591b5aba21e57027a4a1570ca6b160f3e33ceebc683ebd56309ce7ea94ed44f4555adaf31fecedc3a75b810a2f9535c161ee2f47b60df37ef50a0f279f25f3

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
144KB

MD5
e21e0ce2d646154100b53ebee2f9e4c3

SHA1
07667806587a375129ec9c0be97db4504905cc02

SHA256
a0efbc96acedc929cd77806ae08ef998f47a47acc72cef361a192fc355cca0e4

SHA512
116c761d5471625d6c42d4260368783f7d02e8140d18c464e073cbe9763f47122ba338d9005d1570d3504d01233a2eadf87a7817b4998aae844a27d014e6c446

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
144KB

MD5
f315d9f0a468fd73c3b61d13f950833e

SHA1
58bf55a80d7aed4c76d2ee52dbda3774bd5e1dce

SHA256
82f49b8ae8cb3f2762224428c5f4ac0b144fde14d6dbf54d92d359d71d0b3043

SHA512
3904a777f913b2be224607da71261a220a4c72153a336cc32ed8c634455309b635989fd172b4bbd32c83b105f0b4279712a00628d6c661bd3d37efd888f5c0a8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
144KB

MD5
ecf75592ae62e32e56e66c4ccbb115f2

SHA1
666c9bf98cf54663598b69c973a0f145b4469c4d

SHA256
0c5f5284a4eed6d33431b907fa68c498a60d97f5666650f92d7a29dbf3241acd

SHA512
00f23e2d7ca1677db1532caa39552206353e26074f8d030dff7004b75e738569fcc068e4de81774646a4fc1e74dba42bf37232915f249697aee4a66ad1da9f5f

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
144KB

MD5
f3125215eda4f4cb544238b01d8c2565

SHA1
53f3c2bde8c4d3bde64904f1bfd25678dfced5b0

SHA256
f68cf8bdff83842e716eb69e1620d854608385643c094bea4e71e44a4c90d475

SHA512
a52031f3cbc61493142ffbbebcfb030021904c320a82aa53f1e421c9320c44099b20134d82987e83be56a465422c1e14530ba98e8299303fceb0d683f53534e5

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
144KB

MD5
97c15c00c0374a67ade9865678b46772

SHA1
af8e71af53317cfc8291cd0bfdb35483d52994d9

SHA256
1e6d2feeabff1e8eb5c5d50c8c161dc3793256dbe2c9934e74898645c1a4854d

SHA512
69db9777a60145b94ff82c4597423d1ba58a0f7eb381d1670c390c87a9c7cd57cb1f8989eedfec5c979715c9e437769f4ebfb89f775ada100b8db15f87c1f636

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
144KB

MD5
3b744cb2e9f5e449ed2eee919d23cc49

SHA1
c183caa5882a8c74b9ca6e0057f0a747e0fea802

SHA256
19488abb690bfc6f7d629e3011704454bf3b376c95285086f5214b8996edadd7

SHA512
5b3b4b7e8fe9877129853633fbeb34cf483e006925fe072b4b7a9da177783525f8912f91d57b0415db361dc48683551d248b6b9d7a59395ec281e87cba6a63a6

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
144KB

MD5
6346ec3ae5e42da89ee573e3f6f031d0

SHA1
a483864f7e702da8ec2eeed26c7effcbbb6e09eb

SHA256
a9efdfb9e1e5b7bd6873383473fc1bfbf944868c65d090c830f680705913ed2b

SHA512
3508916603622a83deb979415d5a66813750296f92bcec08c2e81fdcb164982e3300d480988370c5010a691d0da99b87b394c7601bce17bbb7dabc4dfed2893a

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
144KB

MD5
dd546e732b8c06476398659e7408d7a1

SHA1
ae8e6ab9b0cad6d77a808f776e62ff921b7bd9db

SHA256
a7c578d3866456251473eb822222d7b69c6d19bf82358c9ba6915e6e8cbde630

SHA512
b581e76a2b975985965d90b1670857a46ca389f966a698b1876e34ca68386b17e7646f55f6a8adb00c238fa34663d0faf96064d208c6636b2a94a25cdc88e8b2

Download Submit
memory/388-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads