d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309

Analysis

max time kernel
136s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
Size

77KB
MD5

b8b671b13629abcb457a736d1e89b40e
SHA1

ca94ba121b830e35eec8d62cc5380d3e1b0d18ae
SHA256

d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309
SHA512

e6673a17ab152a2e72f5d0aaad44fd1bc7accb713071312b0ccfa2ca65874d038044b7412fdfb9f4a77f4a894d9174b64d81525b0ad84047bdd117790139de04
SSDEEP

1536:rH30Ilj6pywmpTuoBmLmU8/9ua2LtV5wfi+TjRC/:rX0Iljm6ioBmLmpunJwf1TjY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe

Executes dropped EXE 61 IoCs

pid	Process
4312	Kdopod32.exe
1176	Kgmlkp32.exe
2152	Kmgdgjek.exe
3360	Kacphh32.exe
3064	Kpepcedo.exe
1704	Kkkdan32.exe
1592	Kmjqmi32.exe
5040	Kdcijcke.exe
2648	Kknafn32.exe
1036	Kagichjo.exe
4052	Kcifkp32.exe
976	Kkpnlm32.exe
2052	Kmnjhioc.exe
2272	Kckbqpnj.exe
1696	Kkbkamnl.exe
972	Lmqgnhmp.exe
4924	Lpocjdld.exe
1676	Lcmofolg.exe
112	Lkdggmlj.exe
2088	Lmccchkn.exe
1116	Lpappc32.exe
228	Lijdhiaa.exe
4120	Laalifad.exe
4020	Ldohebqh.exe
1984	Lcbiao32.exe
3972	Lnhmng32.exe
2784	Lcdegnep.exe
400	Lklnhlfb.exe
4000	Lnjjdgee.exe
2348	Lddbqa32.exe
2660	Lknjmkdo.exe
4484	Mahbje32.exe
3744	Mciobn32.exe
1468	Mjcgohig.exe
2560	Mdiklqhm.exe
2492	Mcklgm32.exe
220	Mnapdf32.exe
4988	Mdkhapfj.exe
4728	Mkepnjng.exe
5048	Maohkd32.exe
784	Mdmegp32.exe
208	Mglack32.exe
1916	Mjjmog32.exe
4772	Maaepd32.exe
2404	Mgnnhk32.exe
2876	Njljefql.exe
4564	Nnhfee32.exe
2884	Nqfbaq32.exe
4136	Nceonl32.exe
3256	Njogjfoj.exe
2028	Nnjbke32.exe
1836	Nqiogp32.exe
4092	Ngcgcjnc.exe
4640	Njacpf32.exe
2092	Nqklmpdd.exe
1384	Ncihikcg.exe
4900	Nkqpjidj.exe
3012	Nnolfdcn.exe
5088	Nqmhbpba.exe
2388	Nggqoj32.exe
844	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4124	844	WerFault.exe	148

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4312	3192	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe	85
PID 3192 wrote to memory of 4312	3192	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe	85
PID 3192 wrote to memory of 4312	3192	d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe	85
PID 4312 wrote to memory of 1176	4312	Kdopod32.exe	86
PID 4312 wrote to memory of 1176	4312	Kdopod32.exe	86
PID 4312 wrote to memory of 1176	4312	Kdopod32.exe	86
PID 1176 wrote to memory of 2152	1176	Kgmlkp32.exe	87
PID 1176 wrote to memory of 2152	1176	Kgmlkp32.exe	87
PID 1176 wrote to memory of 2152	1176	Kgmlkp32.exe	87
PID 2152 wrote to memory of 3360	2152	Kmgdgjek.exe	88
PID 2152 wrote to memory of 3360	2152	Kmgdgjek.exe	88
PID 2152 wrote to memory of 3360	2152	Kmgdgjek.exe	88
PID 3360 wrote to memory of 3064	3360	Kacphh32.exe	89
PID 3360 wrote to memory of 3064	3360	Kacphh32.exe	89
PID 3360 wrote to memory of 3064	3360	Kacphh32.exe	89
PID 3064 wrote to memory of 1704	3064	Kpepcedo.exe	90
PID 3064 wrote to memory of 1704	3064	Kpepcedo.exe	90
PID 3064 wrote to memory of 1704	3064	Kpepcedo.exe	90
PID 1704 wrote to memory of 1592	1704	Kkkdan32.exe	91
PID 1704 wrote to memory of 1592	1704	Kkkdan32.exe	91
PID 1704 wrote to memory of 1592	1704	Kkkdan32.exe	91
PID 1592 wrote to memory of 5040	1592	Kmjqmi32.exe	92
PID 1592 wrote to memory of 5040	1592	Kmjqmi32.exe	92
PID 1592 wrote to memory of 5040	1592	Kmjqmi32.exe	92
PID 5040 wrote to memory of 2648	5040	Kdcijcke.exe	93
PID 5040 wrote to memory of 2648	5040	Kdcijcke.exe	93
PID 5040 wrote to memory of 2648	5040	Kdcijcke.exe	93
PID 2648 wrote to memory of 1036	2648	Kknafn32.exe	94
PID 2648 wrote to memory of 1036	2648	Kknafn32.exe	94
PID 2648 wrote to memory of 1036	2648	Kknafn32.exe	94
PID 1036 wrote to memory of 4052	1036	Kagichjo.exe	95
PID 1036 wrote to memory of 4052	1036	Kagichjo.exe	95
PID 1036 wrote to memory of 4052	1036	Kagichjo.exe	95
PID 4052 wrote to memory of 976	4052	Kcifkp32.exe	96
PID 4052 wrote to memory of 976	4052	Kcifkp32.exe	96
PID 4052 wrote to memory of 976	4052	Kcifkp32.exe	96
PID 976 wrote to memory of 2052	976	Kkpnlm32.exe	97
PID 976 wrote to memory of 2052	976	Kkpnlm32.exe	97
PID 976 wrote to memory of 2052	976	Kkpnlm32.exe	97
PID 2052 wrote to memory of 2272	2052	Kmnjhioc.exe	98
PID 2052 wrote to memory of 2272	2052	Kmnjhioc.exe	98
PID 2052 wrote to memory of 2272	2052	Kmnjhioc.exe	98
PID 2272 wrote to memory of 1696	2272	Kckbqpnj.exe	99
PID 2272 wrote to memory of 1696	2272	Kckbqpnj.exe	99
PID 2272 wrote to memory of 1696	2272	Kckbqpnj.exe	99
PID 1696 wrote to memory of 972	1696	Kkbkamnl.exe	100
PID 1696 wrote to memory of 972	1696	Kkbkamnl.exe	100
PID 1696 wrote to memory of 972	1696	Kkbkamnl.exe	100
PID 972 wrote to memory of 4924	972	Lmqgnhmp.exe	101
PID 972 wrote to memory of 4924	972	Lmqgnhmp.exe	101
PID 972 wrote to memory of 4924	972	Lmqgnhmp.exe	101
PID 4924 wrote to memory of 1676	4924	Lpocjdld.exe	102
PID 4924 wrote to memory of 1676	4924	Lpocjdld.exe	102
PID 4924 wrote to memory of 1676	4924	Lpocjdld.exe	102
PID 1676 wrote to memory of 112	1676	Lcmofolg.exe	103
PID 1676 wrote to memory of 112	1676	Lcmofolg.exe	103
PID 1676 wrote to memory of 112	1676	Lcmofolg.exe	103
PID 112 wrote to memory of 2088	112	Lkdggmlj.exe	104
PID 112 wrote to memory of 2088	112	Lkdggmlj.exe	104
PID 112 wrote to memory of 2088	112	Lkdggmlj.exe	104
PID 2088 wrote to memory of 1116	2088	Lmccchkn.exe	105
PID 2088 wrote to memory of 1116	2088	Lmccchkn.exe	105
PID 2088 wrote to memory of 1116	2088	Lmccchkn.exe	105
PID 1116 wrote to memory of 228	1116	Lpappc32.exe	106

C:\Users\Admin\AppData\Local\Temp\d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe
"C:\Users\Admin\AppData\Local\Temp\d6c5aeda44e6cad311f8a5d9cacd16b1d0f29471530665d59cee10097d9ce309.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\Kdopod32.exe
  C:\Windows\system32\Kdopod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Kgmlkp32.exe
    C:\Windows\system32\Kgmlkp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\Kmgdgjek.exe
      C:\Windows\system32\Kmgdgjek.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        38⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        62⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 408
        63⤵
        Program crash
        
        PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 844 -ip 844
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe

Filesize
77KB

MD5
3cf2c2bc25209749d8011fb5be3c0311

SHA1
3fe8922316dc35ebdb1b805b0a277623aeef85bb

SHA256
1dd389041258e465e2a98767354f29a9205be21b7a7e4f116b80e84947a1f9fd

SHA512
01b0829157c5049115bf259a41e337e0e59f71a39cc51540b3443719bf3453f027522873f01317c3203e6ae3e23246e4a9ae0237631b0eec468f9234588dea3f

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
77KB

MD5
7ba9250bb3645d4e10abf8c11e23d66d

SHA1
5d3954a64ddcecfe404a18d45573c94105353908

SHA256
d4c8e9b57146ef6fcbd92ea8ccff5bf5cc2afcc752be9502624cc47004bcf25a

SHA512
6e5675ca073d3762939c8435fb8e5b8a2b4f4d5dbcb48a9415b7f5ebeb2f9823ba99315300b8a06e06bd85caacb13f22ddbe85f060a326e3cb540df214542bc5

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
77KB

MD5
bb25370d13c50c522e4fb892d8bf6783

SHA1
2b5dd6774e80db0c41474557ea8cd73c008b4986

SHA256
8bd3479de485db5e9ce51a080e7ae3110108216b4298d3d6a9ab7af37b53bde6

SHA512
ca13844a8b5d0e26720491b61999c6d5f559cc5e90ef21c5112a45468d7d3459657a918454f4091687a3e0d78f5186b0718e1fa789c26fc62ce43c747d7329b8

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
77KB

MD5
11e82689e336ad65a99b44b9d906e9c9

SHA1
5f38098bdeecdda8b8bc90659183925c5cbb494b

SHA256
70c65359739c5ec847a20344dce82a2a81e471cd72bcb85c8957b86781c5189b

SHA512
8b3a8f90c29bbb6e3166b9961d9c2d2ba6294d4669604dcbe007194d29492acd676ecc8e3fa2eac1683e8eb54fcbe33f9516514c442bd5f2b11acd228939ccd2

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
77KB

MD5
0b2377051ef9c0dd399481eff93e4a36

SHA1
c49300463aeccc06acf850835a5825a83fc728df

SHA256
6d9f0293f3364ee4fe3af07b537a892c21d7955e675e5f5f982a2910ff80cd87

SHA512
961c9e5bf61fbd9ffb1a265949be652bbdca42646b617eab48d31bde045dd952c5a7e29d8c44da84d1a5977b335ab99675d3ea58e52a2af7ff830ffe66bf0328

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
77KB

MD5
b0afd3b099c61e2d8300d5dc9c9bf6ed

SHA1
231ed1c03b999511b58892169eb34ca5676ba898

SHA256
756174b169c4b49de04c84e2ee7664c8098bfeeef42eaaad54b8ab4838cdc516

SHA512
b605b19c09ac5e891b999067f8a4b61230a9f42107e80ab40afb1b10e658aa1a65836720355b00db6c75c54ce25cbdf8b889eff74cbdd4b4bbd822ab9cda208e

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
77KB

MD5
351e977f8f83f6340e3b6f62d6b317f2

SHA1
de1704ffac3d7b72fed420854e6e58d64ad1a407

SHA256
d8bbf26b3d8879884b5444cbd86ecfdb40d21bd38e4aca8bde3caa97ce65c1d4

SHA512
4fc25df5c64824496029fdcbcba8a8136e868d759155d39e241907080ece951ddbf7b133c7132a473f4da737be399b5543bea95ce56b05addfaadac913e14607

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
77KB

MD5
9f3d8e356839ed28fdd83d9cedf7efef

SHA1
dfb9db533ec4f93b1fa5cea159850a40011539e4

SHA256
384ac3f7ffd2fd3ee38b226a9253a0e7560ce4724ced197230bee5f511b58968

SHA512
05bbdcc89c67e6f5e7ed2ff091621b0c2316aea16bf68831cb86986e6d42ae4563e4bf29813ea5baa7301976ebe64aed426384bf0bac44dd9dab648da2ed6476

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
77KB

MD5
b59b9b16b9fd9e69927e667d561ab1b6

SHA1
037b7749d6445d3cc20a57fece6b7af43b0d60f5

SHA256
468344a45e5c5c54c649f83beee5a13a14ec76482078282ef96de39c354df924

SHA512
7d3ba8b1901e5e8d44ae1e6de7e55c75bb3fa751db69c32a7e5869d21a2ae70c444a4b9963b359bba1c0d91c0da14af4aff9656d65bf6f4f45c429ea7535a67c

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
77KB

MD5
4342a143cca469e42b80a43294e191d2

SHA1
b595099b0eb92d4012b5ef3e905dc7f1eed3beac

SHA256
ed23ff86fb591fab9da0b12e340081f1720e74419bbc4be3ae5129aa14dc02b2

SHA512
97c637392fd618617ae470ad0abe334e33ba70c0ca6e96d6b6a25957bf3e5607dc22806a8d2e993cc03ca4b2c60e492aead8fc7d9de66c2a33ceb0b7b6c76463

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
77KB

MD5
464e28d3b15324cf5a1540d6e90ac1d4

SHA1
ecda05179ca3ce782ac98da3e026ea127c9b472e

SHA256
f5422815230ec8f9231446cc52c453e46afc46179286ef3c2a31ae663db8abce

SHA512
b60bff2626cf4f540aadfb79dffbdc913dc6eebf371199c6b73acf4341220e813039d6e69047c965ddc7f6395dd2fecbee0fb627641a19764769254c4577ad2b

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
77KB

MD5
36f066daa47f54625cc792b16e81ee6b

SHA1
f98975bf0a0fa23c3badcc012e20ff8366239d50

SHA256
a9049dd97cf38af6756d2bec17badda80e5920a55657167b84c1e454dcb72f1e

SHA512
637ab856fb078a0cbef9aea1ef2fe459f99e206cf5f2cc0e2f90a90c0eed8524fc0a5134876f1698ab8a24ae72eb505650c2447039657188cd2a5784533a4805

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
77KB

MD5
e493280f83d5c5526209d033522d57af

SHA1
f2eb1477e52ead89d1f6d3545ac85901269662b5

SHA256
00b32a2af85c39f42367b89fd612f86ba952dfe4435a4d1f08691ad44310d788

SHA512
5938abaf581be797efe34c59e7d1f990349ec5a028a64bd4cc180e6c20342a833060ef3a32ea0dd6d0e977ea2f506a77efc5fc2478350a5a9ed2351d4856716b

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
77KB

MD5
bcb10a188bd247086f4edff976f8439a

SHA1
cac0a93a2c93f7191a8012007f665cf90ed9b260

SHA256
e7f68476f0b039a43eaac6ac3820ba77510077d71978bd4c6362bd0266f1335f

SHA512
761be313fedab15e569ff160c4932f0037593f1a47ea39f5acd20cab71fcdf39bfbff4f7a1005df1bab283ad2b3f5e4e5cae2032371f86f6060461c3e693848a

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
77KB

MD5
6752275f530d78b71eaeda0eabac1c12

SHA1
005e09e25a939ee424bf921391386a42971120db

SHA256
2f6e0c1a151e71e5db480345fffa9ce03fa9396d1ceeea2835976705d1f95e15

SHA512
c60cdd98f32998da2c3dca2387ca58a1909c69eeea277d3aa48a42ffef16b8625539bf6afc233213e69863975bf91679ac344aba7dd56f0e2a0cf1ece8f226dd

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
77KB

MD5
cf5e0d7c7ffc2875a02231dd93bea30c

SHA1
27b0d9804aa335e1e5b10842aedb3c0d2aa9f90c

SHA256
6545fa2c6eadec0ad5f43dbeb7cb95546f672e790d716382d7c83868379327d1

SHA512
069c0639241e776fc4979efd38542c8c213835ed5aa4ba108635b9221dfb6b5cf0afa0ce609da544f7cf8eb24da3532d319bc0bcf54d08f29f6fa63ff07f9c4d

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
77KB

MD5
370674427b33e91face2e16f0d80751d

SHA1
ffe8790ee5923b7c7f97c769345878a48a3dce04

SHA256
9ecbb1a71867721f6dc9fc436cd31390eae3137035cb9639dbe28c4b7209d98e

SHA512
ed2d2f3cac7cec2fd0c53f6173d73c0423b67d0f6ae8ad2b69d3fa0adfcd5bc6edeef93036674f3e08a97b80efe16e7441a2bdf7f15f275806c580ab75538580

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
77KB

MD5
78cdaa1de236c8407afecd1b934084f5

SHA1
51ccfc7320d9418d8faccff235b2f4a1c20da0b8

SHA256
0fbf54d7446e3acb4a919ee72fdc9812b6d2bf456b76f0cc7ac465d8f16b8a51

SHA512
950b84a8de199c038c81b8ad178d193bfdbefca1c64c3ad4d86d630813c2f0454017e211ef02b00bc442b6e5a820f46796ef35afdd78c54dbda5c73bff4beb64

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
77KB

MD5
a8d3e8fc19deb09a96555334e2fb0bc4

SHA1
cc57b6e1a22db23ffc6f359d741c1cdd31b39f2a

SHA256
93db5db36514c0cea73b2a21e6c0c62bf6f74ed5e8528047edcd29cb055248ff

SHA512
4209b7202fece038b3af3062ccce9f0ccd6e810e92248f74683ce50ef76292107597d8b23834e48ffaba8c643530b9f1a2ded5b8fe0c6d58ad7556793c129b0c

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
77KB

MD5
e24e1fa8ff7da71621903bb8fcf4f51f

SHA1
ac711abca4dd83e111f24e854127ed7218e8369a

SHA256
56052764a71173e61a627a8d3f4a3d4dcf504b91a6ed8637f38093f3549d0aa1

SHA512
fed80e394a0cb38909b31c48db54188dc02ce94ba2fb3f9d20078bbfdeed742149478782393708a1d4b6d89946d63c7292a5db7be9d4d454abbb6a7d2878c777

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
77KB

MD5
914e67e3590bc47fda0bedec82c9f600

SHA1
e9595eaeb40d939c7f9e3104a0ead4604d72d26c

SHA256
64222d13d5ca2ffcb76f78da0444ff2f8330acd24170bfdbbd98b59b1bec88e1

SHA512
7d32109f83590f312f47b6c3e15ebd2cfa92a0433997c982d4077ab7e4bcffed44d4eddda20249f481f0d7e5a32edc7f8908874fdfee9099280dcfc59c05039f

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
77KB

MD5
6e8d7174c5970f4c5766b28862c4a9e5

SHA1
56d51684e51d6d276acde98b7dbbb4704071c2ca

SHA256
2f18c5280fd1411522c81862496a131785aaf5a1cdd206f947a57933a9bdd485

SHA512
6ae55eba58646ce7004677cf88242201864cb77e5e7b8c112b23661ed462b034202f78cafd252c65002107de3d1bb1e174417ca891a10c291bd9a591a25689e8

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
77KB

MD5
63aaa51d8117d3e4aa36f967decb9100

SHA1
5741a1f927f36cd6028d9776881989fe3bf5fa2a

SHA256
64a69f88824f2bf782fd50b2e0b58126f53038ef1ba733b8fab18fa26fc6492c

SHA512
42a193f39323412163674a32fedb7d3c880867bc03f00b7efc4cca10890c9a50c881e8f329bca0f8087883ba2adc25cd9a3c8344d3bb655fc7c227b5257af472

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
77KB

MD5
e79956851cf4225c0e831e9f9c6b981a

SHA1
a6d85ea17ae1d8e71007d10b36d2acd5b319aad3

SHA256
214f87b0a1a6edd096a40b4abd890ea9ea9d91b173b63681a839193e3ae6c5c3

SHA512
110609b4dc3f28e8ba7caf65b04d2aee7eb6c204745490d8bd6e370fe8feb71237e7892025ab4154328acdf439ce1ae683fff4f8ae481ef29ee4a5a3c57f0dfe

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
77KB

MD5
2e3395163f29991824f7491e38ece24d

SHA1
3de25d6e0d4229cd64cc3d6ddbb27dc03e72b503

SHA256
506c17dc54ddfe6f70fc34068ce5221607b60d702e8b24846640841dde9a8869

SHA512
5f43413d613eebc89dca6927127ef5d4a4f2e2de6fd63055f115748955773eea90569ebe75926d32f6650029bec168a1e2fded4d6bbad4774344a920537e21cf

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
77KB

MD5
84b7484e0be19fa9954596173dbe535e

SHA1
6b356a2ceef8dff73ea6673bffb0160163652570

SHA256
aabed3d74e1df72f72b0bf78e274b0e7fca5c65f16758e5d6422824e7d55ffa1

SHA512
605262c0bacfdba01bac2b0f579b967d9631ddf41218f33cc239b1c0e2d5a45b0c9b3e8da21e8dd49ee92d2883935daa1eee9ac15c64e06ba916422364d4819a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
77KB

MD5
e9ac659c393152ea9117ce022b46030b

SHA1
0ba8d78ab4a593a08ad4f8fec17734e867645f9b

SHA256
13176edefd5d317e962a6580bce65c2f2632504b977b8e9739462051f1120771

SHA512
e437adf945ace30a5d1e3cb6fd81dcd542b32626d9842ce1ec916bcfcc05d3d060e973d2dd66fa1849ff15fc2b394eeee0a80c67fb27b21742a43e0d04af31a2

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
77KB

MD5
2ae34acc6a3a85d88295a198dd137037

SHA1
a0168226689e31248268a5ccf8adc3ced0532413

SHA256
2446c3e8cbe0f7f886a270e1c9e01ca9cbd1c5ae15174ad3173de5c6603a0cc6

SHA512
a668b4bec0b42e1b159e44a985f85e172c8f3423e7cd3d58d785833b3724fbe4aeda9cf619414b74a00de2a5fc56d808b423430e34332001252fbb0976e83758

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
77KB

MD5
d483c149cc20150dc920f43dd04ecf70

SHA1
91f56972ab900e6286bf44564451e40ec2fbb5f0

SHA256
2dd99f96ea0c8e450e0a98a46d18f91d3941ebe7c7d11aaf4fa3e6738c1db232

SHA512
127cd0c9026acbed3df448b06d3bf1b228e47626fbbadb30197df76a8d7f70116c8bf6f1c61ee27164d1e8ed773964fe9c74ffbb53f7317ba1bf622655a96529

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
77KB

MD5
d9ec9688af446f7387ff08d48a63c60f

SHA1
51a9642a3d9d9e4b3e51cf8a63dab68b4b41e694

SHA256
7c1005284a66ef73903d2d214c6fc922ecab762ecac0e34b3590ce7d1b14fa71

SHA512
bab49fd5feebe8b21215ea59b9d43a7c66635eb6a0d193d0ba54f95f6d43f6bcc29ec94482287d0998cb406ba9456009b9d2fd7fc54c0eb5289d6d704e3d06e9

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
77KB

MD5
644eea59cd014e5912b490e3999938d0

SHA1
251da2f0553dbce076343c73cf859dd885dbbb61

SHA256
c0981ae67a0e2be6c782a5630edf32b8948f0397e56d5171418d31effeddd924

SHA512
3a26a52ed64c4be1779a3707c21a50cf039c4ae467715ee4a539825128cd8aa177914c99fc83f77af95ea7ec6f9fcc7556f7af01c3fca72e361be56fa6e20cf9

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
77KB

MD5
99179084f8f571f79fc837c64b122f65

SHA1
035441f4e88e7ca414bcb354dc1ab32fec525ae1

SHA256
2c5435577f101f49e9530bc1d73d28a5e2b402b714d4661decd13beb84a0959e

SHA512
20096c3d3a49d7af280fffecf944bb8869a47ba058830b7f6fff420b10d1d37953ebfc7af129ae9c51519204c2a8768632581d190a0973049e880c3e857f09ab

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
77KB

MD5
da60f91f66646fd411cbde3f6f26ca65

SHA1
670cafc9783a2391684c5383a2bf1be897802507

SHA256
0bc2cc3bcdd92ec046740209b2e37d4d6945c4c95082a97895965229374192d0

SHA512
4f29376c4a9ff2c796963d7cde0074b89cdf8c09f0f2bddb6390f974c1bc8bc8c381aa4110eddca55092677a3094953f07c5435e50dad7f8a5aba813b04fae17

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
77KB

MD5
c298defe6f4d5da841f48347f08666a9

SHA1
0ddc5f08e10ece03a2062d8b55c5a2aeabf7599d

SHA256
97ec23572e91c98109d95f1833b5d36e2c8830b6eba5a4e6215f361b0333ff5d

SHA512
55677672f60ab5be52e4dc8e7ce300811a0c4ff66d37f16b5b21931a35b7434d32f29efbe6b3de976d4bf4f3eaeea7231511f0fd5160a78b5437cc320e44edf2

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
77KB

MD5
2e3d25afa7e800d300476ce71d3c0942

SHA1
c0aaa01fccf13993b3b15e85faaa88a0e8f27529

SHA256
9b10a6798263353f03ab2ec6e6aec35ed42e1bfdf4772e27ce221ac22742dc86

SHA512
8d6c6cf59c4ffe69305419cad166cffd025b08009c8d53c2b51fbb50e529cdb520d11b7b61ebc6cf1db3bff6fbcb73d0c2626b2de9c3c8956181806432a95542

Download Submit
memory/112-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/112-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3192-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads