7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b

Analysis

max time kernel
139s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe
Size

112KB
MD5

220b1181b13a4e4601d5d32cfc3bb010
SHA1

1ea84f6ddaaec0002dcf24da0285fb0fe4bfd874
SHA256

7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b
SHA512

c2a0a0ed4fa3aa22e1a8703fdd5e164f323f5aac56502980dd4a92f8c6b169c71110c8acdca6fc53a74b8df5f86f122b39c683159a6b6153c1d17ec30e7729fe
SSDEEP

3072:nSo2vOGWV5PvHRMQH2qC7ZQOlzSLUK6MwGsGnDc9o:n1GWVxvHRMQWfdQOhwJ6MwGsw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe

Executes dropped EXE 42 IoCs

pid	Process
3972	Kmegbjgn.exe
3680	Kpccnefa.exe
1312	Kkihknfg.exe
4224	Kilhgk32.exe
2136	Kpepcedo.exe
1204	Kgphpo32.exe
4772	Kaemnhla.exe
3576	Kdcijcke.exe
1352	Kgbefoji.exe
2768	Kmlnbi32.exe
4332	Kkpnlm32.exe
4548	Kajfig32.exe
5088	Kkbkamnl.exe
3460	Lpocjdld.exe
4424	Lmccchkn.exe
2124	Lcpllo32.exe
5044	Lpcmec32.exe
2808	Lilanioo.exe
3528	Laciofpa.exe
4796	Lgpagm32.exe
3304	Lphfpbdi.exe
4980	Lknjmkdo.exe
3516	Mnlfigcc.exe
2424	Mkpgck32.exe
3144	Mnocof32.exe
3476	Mcklgm32.exe
4196	Mjeddggd.exe
228	Mdkhapfj.exe
4768	Mjhqjg32.exe
4732	Mdmegp32.exe
1536	Mkgmcjld.exe
1144	Mpdelajl.exe
1880	Nkjjij32.exe
1976	Nacbfdao.exe
2856	Nceonl32.exe
4560	Nafokcol.exe
3136	Ncgkcl32.exe
1052	Nbhkac32.exe
2760	Ncihikcg.exe
1560	Nnolfdcn.exe
676	Nqmhbpba.exe
3608	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kajfig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4744	3608	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3972	3176	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe	83
PID 3176 wrote to memory of 3972	3176	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe	83
PID 3176 wrote to memory of 3972	3176	7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe	83
PID 3972 wrote to memory of 3680	3972	Kmegbjgn.exe	84
PID 3972 wrote to memory of 3680	3972	Kmegbjgn.exe	84
PID 3972 wrote to memory of 3680	3972	Kmegbjgn.exe	84
PID 3680 wrote to memory of 1312	3680	Kpccnefa.exe	85
PID 3680 wrote to memory of 1312	3680	Kpccnefa.exe	85
PID 3680 wrote to memory of 1312	3680	Kpccnefa.exe	85
PID 1312 wrote to memory of 4224	1312	Kkihknfg.exe	86
PID 1312 wrote to memory of 4224	1312	Kkihknfg.exe	86
PID 1312 wrote to memory of 4224	1312	Kkihknfg.exe	86
PID 4224 wrote to memory of 2136	4224	Kilhgk32.exe	87
PID 4224 wrote to memory of 2136	4224	Kilhgk32.exe	87
PID 4224 wrote to memory of 2136	4224	Kilhgk32.exe	87
PID 2136 wrote to memory of 1204	2136	Kpepcedo.exe	88
PID 2136 wrote to memory of 1204	2136	Kpepcedo.exe	88
PID 2136 wrote to memory of 1204	2136	Kpepcedo.exe	88
PID 1204 wrote to memory of 4772	1204	Kgphpo32.exe	89
PID 1204 wrote to memory of 4772	1204	Kgphpo32.exe	89
PID 1204 wrote to memory of 4772	1204	Kgphpo32.exe	89
PID 4772 wrote to memory of 3576	4772	Kaemnhla.exe	90
PID 4772 wrote to memory of 3576	4772	Kaemnhla.exe	90
PID 4772 wrote to memory of 3576	4772	Kaemnhla.exe	90
PID 3576 wrote to memory of 1352	3576	Kdcijcke.exe	91
PID 3576 wrote to memory of 1352	3576	Kdcijcke.exe	91
PID 3576 wrote to memory of 1352	3576	Kdcijcke.exe	91
PID 1352 wrote to memory of 2768	1352	Kgbefoji.exe	92
PID 1352 wrote to memory of 2768	1352	Kgbefoji.exe	92
PID 1352 wrote to memory of 2768	1352	Kgbefoji.exe	92
PID 2768 wrote to memory of 4332	2768	Kmlnbi32.exe	93
PID 2768 wrote to memory of 4332	2768	Kmlnbi32.exe	93
PID 2768 wrote to memory of 4332	2768	Kmlnbi32.exe	93
PID 4332 wrote to memory of 4548	4332	Kkpnlm32.exe	94
PID 4332 wrote to memory of 4548	4332	Kkpnlm32.exe	94
PID 4332 wrote to memory of 4548	4332	Kkpnlm32.exe	94
PID 4548 wrote to memory of 5088	4548	Kajfig32.exe	95
PID 4548 wrote to memory of 5088	4548	Kajfig32.exe	95
PID 4548 wrote to memory of 5088	4548	Kajfig32.exe	95
PID 5088 wrote to memory of 3460	5088	Kkbkamnl.exe	96
PID 5088 wrote to memory of 3460	5088	Kkbkamnl.exe	96
PID 5088 wrote to memory of 3460	5088	Kkbkamnl.exe	96
PID 3460 wrote to memory of 4424	3460	Lpocjdld.exe	97
PID 3460 wrote to memory of 4424	3460	Lpocjdld.exe	97
PID 3460 wrote to memory of 4424	3460	Lpocjdld.exe	97
PID 4424 wrote to memory of 2124	4424	Lmccchkn.exe	99
PID 4424 wrote to memory of 2124	4424	Lmccchkn.exe	99
PID 4424 wrote to memory of 2124	4424	Lmccchkn.exe	99
PID 2124 wrote to memory of 5044	2124	Lcpllo32.exe	100
PID 2124 wrote to memory of 5044	2124	Lcpllo32.exe	100
PID 2124 wrote to memory of 5044	2124	Lcpllo32.exe	100
PID 5044 wrote to memory of 2808	5044	Lpcmec32.exe	101
PID 5044 wrote to memory of 2808	5044	Lpcmec32.exe	101
PID 5044 wrote to memory of 2808	5044	Lpcmec32.exe	101
PID 2808 wrote to memory of 3528	2808	Lilanioo.exe	102
PID 2808 wrote to memory of 3528	2808	Lilanioo.exe	102
PID 2808 wrote to memory of 3528	2808	Lilanioo.exe	102
PID 3528 wrote to memory of 4796	3528	Laciofpa.exe	104
PID 3528 wrote to memory of 4796	3528	Laciofpa.exe	104
PID 3528 wrote to memory of 4796	3528	Laciofpa.exe	104
PID 4796 wrote to memory of 3304	4796	Lgpagm32.exe	105
PID 4796 wrote to memory of 3304	4796	Lgpagm32.exe	105
PID 4796 wrote to memory of 3304	4796	Lgpagm32.exe	105
PID 3304 wrote to memory of 4980	3304	Lphfpbdi.exe	106

C:\Users\Admin\AppData\Local\Temp\7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe
"C:\Users\Admin\AppData\Local\Temp\7d8eb89a06522b1ad5968a23a0de0fc1b29e8c7252121aa90138340e7463448b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\Kmegbjgn.exe
  C:\Windows\system32\Kmegbjgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\Kpccnefa.exe
    C:\Windows\system32\Kpccnefa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\Kkihknfg.exe
      C:\Windows\system32\Kkihknfg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 408
        44⤵
        Program crash
        
        PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3608 -ip 3608
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
112KB

MD5
efd531eb9350ac53f3592351cb7cf799

SHA1
412cdd44f9a1df7c16ff4b5fc92634e51f800f13

SHA256
debdb3b5de6b557d61cdbd4583c398fe4068cc64ee6137c569490fbda5cbbd91

SHA512
234a0c32bea6b5cf6f2bf185a131df1c8a950432651d9812f72027cad07eee6a9ee0693eae497c54c91effd62ae567185021c739d7f32d4103a1313b3aa6b7b9

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
112KB

MD5
7795da366861b55d802de30962fc9be1

SHA1
d5926068fe16a3d9a041f39ff0c71159f3821f58

SHA256
92d302427829dba2ab66f88fc1b9d50b6df3d6a9513e6bf83d36c78640f42c13

SHA512
d4157402126b60e0833dd01adb046eb3f16091c1fb5eb3c2e61f56c608daa5cecf1393a88780cdd260b85634982b0103ad8f15ef566b1a6c94e6afad9d7c22fe

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
112KB

MD5
f45d78548ef4102e271491c14c4265c2

SHA1
e077fe7e37527aae02a07edc7b48347ee1e7b4e8

SHA256
1d6355ab012043b1202e4a6b96ca8b95eebe85621f4e6cac7ff3bcc9c4736764

SHA512
9cf4719550a32ebaaee64d0efd8d338a80df6f7f72dd5ff00ccb02a105fcd8e79621e99373d4fcd687427ea39ac106763e4c46bcf941dcea21ff2747cd7b259d

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
112KB

MD5
016d8f531738788679b743b7fd4d0628

SHA1
d2f241a030600ba10ee0e246fdf2cbf12ff1f369

SHA256
049c1f54adae4d9328f0e7392a8732a769949ecc0fbaf7a8ae232755a6019a88

SHA512
e05766794fb5f038ced7a08befc0a75b3378940040ce7c37b6305b426cc00e4674e6cf824ae6db9515c11a32a74c5c540f0695e30c73037d593a42ea24e49303

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
112KB

MD5
908230fae126f20ab19180aef8ce909d

SHA1
d69cd894514922e02bb0914fe99633c6ae05eccb

SHA256
12eca8bc9b79aaac40871a6ce4912e099f81b57f2b3bd0fb1aebb244877c2bf1

SHA512
827b4c1c4d4f16bea57cc52253db8da4ef484d6cccf3cf21c1d1f85b296c4e490a0c93984c17aaa4de64140560f911b4d1704562aa55b7a131e8eb560df793cf

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
112KB

MD5
fa2d99b9bb909bec626c2a538b45a719

SHA1
1407ce67e9eb84ea0c8bd5063fef62768d3a586e

SHA256
446a2c1ab81299646ae23c92d1137fb1311d960a0a4631b702fa65770709d9d5

SHA512
bd9ec92cdadb9d0dfc754ac15e1af4230aaefd47af5e8692ed801782ffa2f0dba7dfea94fff3618c2892c32dd95128a9f792b3ec76ffeb3286ac00b05292dce0

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
112KB

MD5
183358e5be630d4a52e4b97ab032eb4b

SHA1
55e623e8063677f92c2ed095f72b32ee2da3ceac

SHA256
8d4bed67726ff29a218544b079d3dc66eed8a5efa7debd987010b66a270f6fb0

SHA512
401c137059ad78bceb8b1ae268b2fc954d3864095ff05a5d03dcde4772ad070e107354692a11788f22915777f08d0e9d2da067fb784e8f6634420937dc082a09

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
112KB

MD5
aba3f95a1f5b890836101212ed2810ac

SHA1
a013360e2580897759d0e926cbaa40f2da4c29cf

SHA256
565b80f324b5b0492a8c75207f5e0b12a29dd53da43261b78339381cc83f4294

SHA512
a403105f43b9233f85be7524008c0a421c32dc02aefc5649cd5b166abf8ebbc0ba835ea4119f8dd24cddb83a3524b1b33ec38c6328aea2b4b7787dc391e461d5

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
112KB

MD5
37e5906fb1ab11e05afbbbe67ca0e733

SHA1
c60963ef9b5b357f25dfc7ac79c7327d54a3eef5

SHA256
926d95b279ef92a42b7bc65f1813192cfd7ce48d5d24088ba43f5a6346267559

SHA512
3208435808a667f1da39feeb10e9560fc06c4974e1be2c6daf902668bd9e5c9c802d2ca3fef5691f34c70d27ffbb714d46488e9f5829afd46d7d0a9947bf9b15

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
112KB

MD5
73ca24d408b454decbbeca631beedc2d

SHA1
06a8479272e459f839f33525e3d803e85ccd3e26

SHA256
fd51e6663d27707fbfb25c73720c0ce72891bfdc75a15ede33b37eb38c39adf3

SHA512
cfa36d3902d489ec4d847279c21a1b1cfded72da222ce84514688aa71d87e7737758745dd781e662a8299126402704005288b99a6eb6f4ca78a038c9f976b39f

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
112KB

MD5
404a5e172ac02c5f841ad4904d777a2b

SHA1
8e0c3947812bc295b804b95e80d062b9ac35f72f

SHA256
ae0bda35918336b48c71613c218e8e140f4706bd7e8c76b4844d51234fe5f77f

SHA512
35ad98bb9d7d1516c01448558c13547a8eb30a71d40b60ecdbb390154caaff1fa7be1e1e1198735b1ba23062394adb7f2d080d8656c4dae52b5b5152cead8646

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
112KB

MD5
4fa56a3eca28a7abea6d15289070f1f4

SHA1
1b4360af3e2c15c2f442f9e90ecfc5367a9bd110

SHA256
acf25f17987d42459cb30abad0c3c51006853a63b2c20313c4912da22aab1057

SHA512
4b52e2fddc53ecaa4d80786fe2a31da7a41e5b86115bc03e22de1d8ed996924acff22a53a01146d1d55e2b36541b7c4e2524c13089400675261aed8b8c13d320

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
112KB

MD5
5d06d59efddf3900614db960cce8246c

SHA1
e86e8c041b9adfe4c99b20ea0d2eda38d1f9c6c6

SHA256
0da4d99be921a713c2832d37dbbd91183343c86041bd7afe7482c4e07ff1aed2

SHA512
fe38b7d028da237f40a133d461893dc60b61a19c1ddcdad27492b799e4ba7227a9a12224f0279b7cb898e6f3cc23ab33a051420e15f6e6d204d9a02a89241b44

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
112KB

MD5
5f510355386ea9ca0201e3a79d51bd7b

SHA1
ffe303bd67452e25441b322a1e4448ad8350c857

SHA256
61509dce168be5ed422be6301fe22d83a448e814d3f843c91543bde5ed90d6b2

SHA512
fa2b310a004872d7b24408369090f8aab285f36bc8e65a5471359c6a54872d4d42543adcf2f71e3a56c123ea61d1283cb0f205579e31352dce8fa7545d72c460

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
112KB

MD5
6a229eddcc66172032346aad035acd2c

SHA1
4416e62e2133cba8bbcafe9bba2c89eb94c6f2cd

SHA256
133d3999db7762ecee99eec2172c9f3e843c4b32ea414125d8c8cc456d4ce552

SHA512
0b9dab62304f7af38e73bf4bd09eb8ba10ad40064abf716b932ea7e4e800c3c549413c7fdd2a97af8a8766671f86736ae1278d99af9632a251e4d79006468b95

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
112KB

MD5
9707a688a21307517c262196d97d84d9

SHA1
10b8a453ced2af1dc4db50bfb4b47716000d88da

SHA256
6f8d565a728db14a1c8f724ede9824d7126cd324e0e8bbd77ac798a6a051c150

SHA512
adea643615fac70bb61691c00576d48aacea1418bc53dc9b6af3055ce2aa637a5a3f262957ad00ee0559c4d82c85c838cded8a777f7067462e103e695fa7a1b2

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
112KB

MD5
fa9a720c2466c97d6816346538d8a037

SHA1
a7faeb9a9fad178236965d7168b710ef23d86e39

SHA256
09af1fb0aff1a810fa3b91fd66d2571e341e53911cc49c52a9c23a2d4c7bc9fa

SHA512
ac37ae9e5b78a30099a91869358ba57324d2cc28feb771c61a2f0f14051116d41bcbb70f00bee8839e00c73f834b07a7dd51053a59995b09cd6b01e7461acd72

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
112KB

MD5
255aa603b5c07b60fa957d2fb9a1eacb

SHA1
39d78e5812c14eb8c50669ef2127e429e9f09361

SHA256
cd9f9968b758834d5077c6fcaae8a10ac0747e4cc5a1ef1c19be65b6c831f562

SHA512
01506bd470029d40ab3553084724d4f4d0b345bd864d65987203e0514aa6d179fc2822f5e9c881c1925683d2ef894b08a49cc758c09061176659042bc9189827

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
112KB

MD5
2f9f4157d5fc146dd1f0e65a3ebda761

SHA1
4d8a25a3642c0ce30d5a6912d10db8141195e737

SHA256
6098337c4e855c245a33eb0c6b9b2b9db93beb2c7bcccf9a4070223ed83da2cb

SHA512
5d971d30e3b853b3cd126e385b7d273d0997f37623494250496ef15d3b43b0907549404913f322427cea41359fb8eaee5928e2814bc7c1fff39d1b3a8eb42246

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
112KB

MD5
262103f9f4af9278d5084cc3dc2de72f

SHA1
be546743e953f22f8095c50e7d02a10274f1abea

SHA256
fd437dce211ad4858368aa211e276b0d852af104fa428a143e6cdd61292aee3c

SHA512
7f7c95c53a601355a2a61e1d662db9c84dbc5cf7363ad64eeeaee3fc7abf2adbccdf53e7482ee1f53312183f7a99334454868c029412a1e7ddcb44de39f74a8f

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
112KB

MD5
925d8aebab3230e7edff373efec18790

SHA1
a14094a7d11621d347a1a524cd0afc25541a4445

SHA256
ef9fefcf9a5c106dadb2e8509404ad6f62b0bcabd72f80d7cf81867f07454e06

SHA512
ed71380af4f6305fb34c050422d65cdcd065ea1ddc915941dbf152f66e5ed583b8b725d1ccadb5faca996b396633168ac7640066c3dfa8e3808bf5acccab5f4d

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
112KB

MD5
f058746fce4cf485e7a4a2a8bfc81c15

SHA1
43ba1d5354781562c04afdddfc409f717c4a6810

SHA256
3ce82d3f210886a30e469658d54e1561e21ffa9ab461180662803da7138b7f7f

SHA512
2c6619eb2d19a64f1674cdf2cd905b7988c1415bc8f29854a57785a0c84f3ecdbf43db3b59513743185272cf236c93c88847436da6017a637acad6b8d4d9b5c1

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
112KB

MD5
22def71ad34e959a2d612a8ed4eb8cee

SHA1
e5780b47e20983533c80f4840bdd272994933e8e

SHA256
fb26f765e3bf5910b862e12e6d5661710cf0c0eeb3e322b9ab9a8138c98dab56

SHA512
3c0548ab58308aaec155b84cde37123229a0d9eac0712113461b1004f52bea00e9f9e33eec11880a21d84cee60c7e01d1c285f7954eb7a2ca60a8b8b6c1fa691

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
112KB

MD5
34c9f27aa614eb975e8aa3bfa50a25dd

SHA1
cfb4a809e1f0e8d99186b697ed3a142ad7e83a40

SHA256
868c90cec01c8a24fc39f830cddd73f33949a07d155c8465f16a2d0e86c34b52

SHA512
eea2eb35ce0719f75ce887db1129dedd347f2ba9b0ca4f454251e3cb6785ca1ce851a79c803654c37bdcced18772acdbbde79fdd2ee912c627e8503d12b9e5fa

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
112KB

MD5
97c2240bae46605d06581fec6d6e5431

SHA1
59169bd8e2c48ea94ae05fe11fc6d761611f0ca3

SHA256
6a38d8198326d7f2799a8dcbf6d6125f30bf17b7f26343fe0649dd4fbd5a207f

SHA512
897d9a8c42d9f9ec4f6bce59168bd95d604ed612a6035030da8220628aec6f28785f1c0282d3a4f1d1191bd20ac3daf68f9724ec64af60f404e6b3a4b267dd38

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
112KB

MD5
a7d192c075b1dd2bb87bbfe69822d860

SHA1
b702e44523cb6d70cb7d23ea2b1dcb11f5b38aff

SHA256
06ba5f261c79d165a475377ee84521cc9bd2e964d8527745812c91994c6f054d

SHA512
f9aa9a3516a650c21ddef3531fae6f2f4e65781071f670ad75c93f23b0ebc8859da13e2230e0f4979c5547f749c4ba7d718147a85a548f50f911ac47f7c0b14a

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
112KB

MD5
dc6672f576e886e45565b5afcacf31c1

SHA1
927c8aa0099b2e9ead20b28383e64302f076ae32

SHA256
9be424b9f7f8fb90dd6c85b2bad11f7a253f99674483367ac41a47f132e5bd37

SHA512
5b3449b7ce757093b864a36ff02c1ba0f2251cefd0a39e6c86ba265f5277c1565eee00ad361a879a05d8f5f6b00fc17ffd3b0e9e1a13f902f67d333295508dd4

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
112KB

MD5
3818ad8e33c280ba23d66400d78278a0

SHA1
91230b5d767fb8ee82f8faea562f0339441080e2

SHA256
cdc2ef154c543fc81f8c4f8fbdd5ba7f07a9016ca0783a83b18170a1afe529fc

SHA512
f6218c0049919d61b37f0dfe4c01757f57d41193d05b0875c15f8dbe31fe3be075dee83eefbbf146392f84ddcbb6a882f5a902c8ffe19adf16ea859e3cc6451b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
112KB

MD5
dc30b23794083f8e0edc4ba9b30175a5

SHA1
33ec191f18017bbc768954852b4af0b2579d2da3

SHA256
937a4d5f8faf181756d30f3114c6f80a1c89bfff4e79d0694cb44c54e34e9604

SHA512
170f4c5051ecb79add867fa508ce2a0e1d2058e26c0c019b381ac1b0c2ade854627805e3bfec880337b2a57932cae2a4fdb7d53fb3fc48e4319b48e7898dffa5

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
112KB

MD5
b8069c40afb19c518375c3611b22b38d

SHA1
9cf6ecfe55ac9ee360fcf1ad0c3fe6eb662b8083

SHA256
81981434c80bc8b8c41a7f453121cc5d25b019a4177d605d4c44d435bf29d200

SHA512
751ab81808aac02e2bd4ee427fc5795326ddb188d85a2bdccfe280025ef5c4055c18c2552c44c131c311541115fca70f5c5577cc3b202a3036cc9b7c8ef8e63c

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
112KB

MD5
8b7bc26f2de72196c359e78583d63d37

SHA1
4736334277ef3cd0995e485b04fa76a3ea4d29e7

SHA256
7759919fea79478146dac3a68a8b623dd7604fc0f75a770785283c1888c59dbe

SHA512
78bfa64bdca87c7ff7f40fa4c0ca0ef175b7efc32263a4e08cd1fbd97ac4c6b3c273dc76b172d330cb18f61d881eb5019a57b9297e60cb51a38515a1777cd683

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
112KB

MD5
b6f74563e60f7edb68724df183c39eb9

SHA1
4b0a5a85debd922348fa85ec97b938b6b6e43b63

SHA256
65c20307a42d557eac982728a5a010bdbf229df6a2dfd0eeba2d42ca023d6d41

SHA512
2f05724ae0029d7b241bbcc1806c071678002e152e1a2dd041d89b83b01b3c8f067681b24ffc83b7a4e531d06d82c0ff2f270bec9748ab49bf3a9c71c3cfb34d

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
112KB

MD5
b2d83c84d955ff1fa011388eaf59269d

SHA1
5b9af17013e5ed1246ec1d2131cce54d57cd5cc4

SHA256
862843d4b989a6da72b1b0d8aaa5081fa4735624244846d5fd36188016c80d2d

SHA512
e3d4446806ebbe5b3ee6d5ef514424a7933155988c94668cd885cd7739183845ef380abc71ddccc919ead7e85baccc43134f0dfe2a1d8a9fe598d803c08a6767

Download Submit
memory/228-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/676-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/676-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1204-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1204-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3136-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3136-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3304-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3576-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3576-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads