9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
Size

78KB
MD5

8f834c3f40bcae0ba37bb23b78b3c420
SHA1

4e6cd15ad4a6ef8ca001890675a900398ac97bfd
SHA256

9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d
SHA512

fccb7b6c1f9f74f14514bce3f721df07aa9ada4fa60221dfcba56c0349451c8e6f6b8e6759c8fd16ffdadc5bf77755d8fbd6aea61f8876cb82229a1a359ee36a
SSDEEP

1536:6g0OzWVX9bjXLPTA60ZeUs/Txx21psvUjdbkIggsJVHcbns:aVX93XLPTA60ZeUYNxKpsvUJbogsDes

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe

Executes dropped EXE 41 IoCs

pid	Process
4236	Kmegbjgn.exe
4024	Kpccnefa.exe
3920	Kkihknfg.exe
4376	Kmgdgjek.exe
4028	Kdaldd32.exe
2700	Kkkdan32.exe
4840	Kphmie32.exe
2748	Kknafn32.exe
4572	Kpjjod32.exe
1988	Kkpnlm32.exe
2464	Kdhbec32.exe
5092	Lpocjdld.exe
2916	Lgikfn32.exe
632	Laopdgcg.exe
3916	Ldmlpbbj.exe
4624	Lgkhlnbn.exe
4852	Lcbiao32.exe
1004	Lnhmng32.exe
2668	Lcdegnep.exe
3252	Lnjjdgee.exe
1692	Lgbnmm32.exe
860	Mjqjih32.exe
2488	Mpkbebbf.exe
3392	Majopeii.exe
2400	Mgghhlhq.exe
732	Mkbchk32.exe
4780	Mpolqa32.exe
4888	Mjhqjg32.exe
4352	Maohkd32.exe
3596	Mdpalp32.exe
4956	Nkjjij32.exe
1276	Nqfbaq32.exe
2000	Nklfoi32.exe
1164	Nddkgonp.exe
1580	Ncgkcl32.exe
3352	Njacpf32.exe
2148	Nbhkac32.exe
2504	Ncihikcg.exe
4732	Njcpee32.exe
1184	Nggqoj32.exe
3648	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	3648	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4236	3852	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe	84
PID 3852 wrote to memory of 4236	3852	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe	84
PID 3852 wrote to memory of 4236	3852	9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe	84
PID 4236 wrote to memory of 4024	4236	Kmegbjgn.exe	85
PID 4236 wrote to memory of 4024	4236	Kmegbjgn.exe	85
PID 4236 wrote to memory of 4024	4236	Kmegbjgn.exe	85
PID 4024 wrote to memory of 3920	4024	Kpccnefa.exe	86
PID 4024 wrote to memory of 3920	4024	Kpccnefa.exe	86
PID 4024 wrote to memory of 3920	4024	Kpccnefa.exe	86
PID 3920 wrote to memory of 4376	3920	Kkihknfg.exe	87
PID 3920 wrote to memory of 4376	3920	Kkihknfg.exe	87
PID 3920 wrote to memory of 4376	3920	Kkihknfg.exe	87
PID 4376 wrote to memory of 4028	4376	Kmgdgjek.exe	88
PID 4376 wrote to memory of 4028	4376	Kmgdgjek.exe	88
PID 4376 wrote to memory of 4028	4376	Kmgdgjek.exe	88
PID 4028 wrote to memory of 2700	4028	Kdaldd32.exe	89
PID 4028 wrote to memory of 2700	4028	Kdaldd32.exe	89
PID 4028 wrote to memory of 2700	4028	Kdaldd32.exe	89
PID 2700 wrote to memory of 4840	2700	Kkkdan32.exe	90
PID 2700 wrote to memory of 4840	2700	Kkkdan32.exe	90
PID 2700 wrote to memory of 4840	2700	Kkkdan32.exe	90
PID 4840 wrote to memory of 2748	4840	Kphmie32.exe	91
PID 4840 wrote to memory of 2748	4840	Kphmie32.exe	91
PID 4840 wrote to memory of 2748	4840	Kphmie32.exe	91
PID 2748 wrote to memory of 4572	2748	Kknafn32.exe	92
PID 2748 wrote to memory of 4572	2748	Kknafn32.exe	92
PID 2748 wrote to memory of 4572	2748	Kknafn32.exe	92
PID 4572 wrote to memory of 1988	4572	Kpjjod32.exe	93
PID 4572 wrote to memory of 1988	4572	Kpjjod32.exe	93
PID 4572 wrote to memory of 1988	4572	Kpjjod32.exe	93
PID 1988 wrote to memory of 2464	1988	Kkpnlm32.exe	94
PID 1988 wrote to memory of 2464	1988	Kkpnlm32.exe	94
PID 1988 wrote to memory of 2464	1988	Kkpnlm32.exe	94
PID 2464 wrote to memory of 5092	2464	Kdhbec32.exe	95
PID 2464 wrote to memory of 5092	2464	Kdhbec32.exe	95
PID 2464 wrote to memory of 5092	2464	Kdhbec32.exe	95
PID 5092 wrote to memory of 2916	5092	Lpocjdld.exe	96
PID 5092 wrote to memory of 2916	5092	Lpocjdld.exe	96
PID 5092 wrote to memory of 2916	5092	Lpocjdld.exe	96
PID 2916 wrote to memory of 632	2916	Lgikfn32.exe	97
PID 2916 wrote to memory of 632	2916	Lgikfn32.exe	97
PID 2916 wrote to memory of 632	2916	Lgikfn32.exe	97
PID 632 wrote to memory of 3916	632	Laopdgcg.exe	98
PID 632 wrote to memory of 3916	632	Laopdgcg.exe	98
PID 632 wrote to memory of 3916	632	Laopdgcg.exe	98
PID 3916 wrote to memory of 4624	3916	Ldmlpbbj.exe	99
PID 3916 wrote to memory of 4624	3916	Ldmlpbbj.exe	99
PID 3916 wrote to memory of 4624	3916	Ldmlpbbj.exe	99
PID 4624 wrote to memory of 4852	4624	Lgkhlnbn.exe	101
PID 4624 wrote to memory of 4852	4624	Lgkhlnbn.exe	101
PID 4624 wrote to memory of 4852	4624	Lgkhlnbn.exe	101
PID 4852 wrote to memory of 1004	4852	Lcbiao32.exe	102
PID 4852 wrote to memory of 1004	4852	Lcbiao32.exe	102
PID 4852 wrote to memory of 1004	4852	Lcbiao32.exe	102
PID 1004 wrote to memory of 2668	1004	Lnhmng32.exe	103
PID 1004 wrote to memory of 2668	1004	Lnhmng32.exe	103
PID 1004 wrote to memory of 2668	1004	Lnhmng32.exe	103
PID 2668 wrote to memory of 3252	2668	Lcdegnep.exe	104
PID 2668 wrote to memory of 3252	2668	Lcdegnep.exe	104
PID 2668 wrote to memory of 3252	2668	Lcdegnep.exe	104
PID 3252 wrote to memory of 1692	3252	Lnjjdgee.exe	106
PID 3252 wrote to memory of 1692	3252	Lnjjdgee.exe	106
PID 3252 wrote to memory of 1692	3252	Lnjjdgee.exe	106
PID 1692 wrote to memory of 860	1692	Lgbnmm32.exe	107

C:\Users\Admin\AppData\Local\Temp\9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe
"C:\Users\Admin\AppData\Local\Temp\9036dcd3a255158f5e3707208b2747539ea4f5b263e35ee810c0c8daf3fe178d.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Kmegbjgn.exe
  C:\Windows\system32\Kmegbjgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\Kpccnefa.exe
    C:\Windows\system32\Kpccnefa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\Kkihknfg.exe
      C:\Windows\system32\Kkihknfg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 400
        44⤵
        Program crash
        
        PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 3648
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
78KB

MD5
1fcc96b860b9ce62ed5b5bc7b88c2e90

SHA1
dd9847a77b619494bb143219d76ee7dfa0f66e6f

SHA256
bf8a4992e6ee43de932cfdd2180024a2793dc955825e75d3d01ef42760e1b014

SHA512
c4e230c5b501e67f001c1024284216017e1ba77b45cf7b6d2155a52f2cf0d2e88397bd29bb388378e27961f2d4a52848fabe3ce4dd4a0a73ea29e5ee75fba41f

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
78KB

MD5
5dc80ab1de19afb5d583c6ff534c22c7

SHA1
c97bcc941bb500786dd96c0db3766b907f892dd2

SHA256
7040247b7224e6766d6e3a89e77662998e3422a88fbf7a9f3f00ba1da5d57246

SHA512
51f1731052633f03b75df533a30d80cd97c67b07e2f7953f8da1bd42f65a63461edd3c81a883040c2bf0c57628f0e2299aca618383c6ccb71e345a90c5ec96a1

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
78KB

MD5
7eb374ea425fb1bb5466acf57fed49bd

SHA1
dff41eafc69addc46e4c95dc041a50a8eb22febd

SHA256
c59a1823295766b3c6d2687109cb107cfd90b50eb04a291be952672ed8f1f716

SHA512
83c5d6c698197c3114e0b5eac9cf919e00c5cdc53118de2408a774a0c573880230b645ec091105e865f4c27fef9f31907cd814fd6c6ad9c3c46028f457902ffe

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
78KB

MD5
d645b273babed561409c5756643388c0

SHA1
1f9975b9ad5b26dedc5f52d23e35ba071f030725

SHA256
2b0997d97cd3a86795ad77a5754c8653196a670c64253d0f2a02bb8537493522

SHA512
ab255372dfd53e90d249ae52e7b75993180c18f58dca61ddb883e5f42c73e7e5731b11660f36a3c4e38c35127ad54b894d0424cd169ccd1a0bfeeaf384fa575a

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
78KB

MD5
62fa3ac5c1329856260d1a8944a7398f

SHA1
928add8c27a528b6b7aa4f2b4eeb4da93b7c71a1

SHA256
9b92b3020383f24757a53630ad5acc43e00157c8eb919bb11d03e4cdbfeaa6ad

SHA512
fa457cbff17870279e26b01eeb375171557b710f1827658501bd1587d33295794ee1e34fb377c8d2c35bd1deba2a822ce7c7f4b31b664f27482588c52b013191

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
78KB

MD5
17f23672670774545df2d0dd29c010d9

SHA1
03012eadbdd328a6fe616325c5ad00ab0ae29e26

SHA256
f0f1d38d5cdee9f8e03b720525fe73fc27a170970e26cd5cd3eafabf475fc949

SHA512
1126d8e62d14e2cbe4071e87ea3c1b6d4114f6267b41ff258ddcb81c610bdf390a3255c9888bf796137b992df32262a6f4b4e616921a364c811e8480cec76f58

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
78KB

MD5
bee1723901f158b3a5042e28ce2c0b14

SHA1
c294e1f9cb5b755e87c9f5124dbfdb3aa8f640de

SHA256
d1f442fe7180f88919ad2f185662a9b39d4599100fc82b21a90d6d09b3eb174b

SHA512
24051fbfd4a45bcb3add09dc7ad6f8eb6de78713b07afebfe770bf9b19d42a83df75ac9320015e2efe4c356a1eea7f8dab815be57d1f66027644494233948573

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
78KB

MD5
797e07121b6324347a0e2158a19c82d1

SHA1
94eff1f2f6c0877e4d21be2af80296ecfa088f2f

SHA256
5020a458dbf1d45dcf5cb41b46799da24979b4555044aa97767f4df944ce53fd

SHA512
0523d5f5a4b1d8ba2a3882dae22e814a6babc042047d0537f7e45f994ec160e672f52c6a9362bdd0b1a3c7f916c31661b55616947d47321866075407fc564fc6

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
78KB

MD5
5515ea19360ec5ea9dd0cbe2b0b22c0e

SHA1
aa42888aeaee39bd07e11c59b39ed5a90ce1e654

SHA256
f9d6f4a8a11f9793e7d0988e27444efcd1650117a7965da57e2cdc96551c936d

SHA512
27ea1e80feec23d4cc768d009add38fdfce3b1a3d2a0ad94ed5dabea78e859b3e16a58935461e1bd9c9fc96f4bfff74ddfddcb1279d03a585bfc4523647a5ab9

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
78KB

MD5
71d42477b59e7e9e048dc3fe46079302

SHA1
f340f1c79f58f7f43a497c33522dd49da994fd40

SHA256
97fb6c146a643fe38906b3eca675ece3199483eaa74c8cfba4f17cc8f2c32139

SHA512
92f05ab1af8a50ff095ad55d0e2e674be3e91ce7104d27a25212748a21d611d0d08fd2f3ea5c568ac85877b968a48dce8a00cf7125c01724a713cf719e75f1b6

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
78KB

MD5
c8b6af697f2bb6d4af6e70180c109abb

SHA1
4e2abd96743a0e6e5491028b2a4326dc0e1e8a9f

SHA256
7b678b846623acbb498a2e3fe15127704fea2ea4c4bbc9e3336f2c642ea5aaef

SHA512
1a7bc7c840b1773e81b2077a56e8f341cd4330361660fcfcc2e09511cced77e79300bac504b6801a78a8770e390b450c599a2397b295dcf6d94a59125366a4bf

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
78KB

MD5
779685b37553b6f7941d22bb508fec27

SHA1
43c1d7f257b0113d852e1df1d0ec03182fefe14f

SHA256
3af736c415be7c08cfc76004ba0e6ef75bb80b79cced031aef3ff3750242bbc4

SHA512
63c84b3b18b5bfedd55e780dbf02cf70314055f5a198536a9660840d4c9ccf9e896b8ed1bd2acd2ac1e3ac0c1a331ad58f53971f4b8b0183e69c0b20dd396db8

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
78KB

MD5
85013a22585782bc602f300250e2a934

SHA1
b1144c18fb296e1f6d7fd830285ec14ea82666e2

SHA256
ab5094f1d25c8aa671e02c317ad4a2b671e0875642d7f4d803facccde284a4fb

SHA512
5259259ffb5037ff3d5ae4c79d838f8f2704e9b5b54323176d9672f1635ed6914389091cfb64fe278e473eabf649af83a01d7e579a3e5c7f1f66bbc51d7d31f1

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
78KB

MD5
f63a25ae714b4e87ac94f5c3bd458287

SHA1
a350e3c19fab4aa71e5f2c817e69dad5b6ec5eee

SHA256
5d9213f140053243565b3eff5987e5ca5573ba8fb095e2e6daf1b1b8cdda5efb

SHA512
55414bd37b64ea578a85fe6a9fb3353a5e47c671baff77d194bd2928edc174558c2746a5ddd53275b9505291d4888f4f456741715d2c866d8c44f62939728220

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
78KB

MD5
dbacf2de64eaa2f47011cab8147e6c84

SHA1
a6cda98d0252ab83a727fb4de39c882c9ba5d4e0

SHA256
f63334578b10532a3f3e18e30a83583e57293346711a81fdee2ba70891411e77

SHA512
0fe9697ea00efe9cbb3636a2ab5d84e9225167fa95ec07a2e6b1dc6d6609506f5f9e09fa53b40fd1ff722b195e929ad5712217194c6b5be5d1b234f647c48dd3

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
78KB

MD5
e0d5d00c0477cdf5967d23ac474cddaf

SHA1
f68694fef432a28b43e39d8bb0dad1921c7359b2

SHA256
d0c5930ac7491ed22b29a7c5093158ae3a94707a9ef719745b7a09aa71eddc22

SHA512
58211d53b11b22599249a3d61c15b72e186dd9c9932982d4830f273aeb1debbcdb504a0f2ca254c141cbedbadcec7ab63af74b2027baac69398eaa1c72619f02

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
78KB

MD5
0fac9e8447c9a835ddb2411b027f05b0

SHA1
03cf22d30a54a53de959738fa387bb23702826fa

SHA256
ae8d47f06ffbd9e46a987bf3f581b09c4c35820eec674a0dd4c6607b8b45f549

SHA512
f0d7c7f1df16c0579c615dd7e42add539dc16eeb52f59595830d15265f801295e8d6cc47a3d5296a2796f3a5657142a5c01ef9eb1ccfcb2c49162207b7778ad2

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
78KB

MD5
151c5677537746651ee338711ffca157

SHA1
2be601bf54c976a0b1f8b2f9fdcc192cf0066120

SHA256
7139b7ef560649dab7cf12b3fc2aed2307d2005367a426ba857fd9b16f40d9c3

SHA512
fdf84ca1238d4d24792b1fb7c45300ab6a11f7c5be0ff751d51a6d6010ad40be4bd8e19c3b4be219ffcfbf75ce09150384237b1ed9e33c4eead8cf8d53e778b6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
78KB

MD5
e5b859823f25611d4c442ba5b003055a

SHA1
223fad1e0789897c3a6b530b337d76d90d9a5b0f

SHA256
3722dee472c1033f21b57c655aed72be43b90194fdd31b77f6b9c7f13463c291

SHA512
ffd7ad47bf661fd372e5d95177537518461bbe6f78ea37735caa0c9c15608bd6757fa095f8718fce7732b145fe5c4ef6f894de0ec2c6d1835cc777f7bcc6642c

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
78KB

MD5
3f9a12891edf5412df19ac6b101f2a3d

SHA1
2bb0bda173d240c65001aefee68233cd3d243604

SHA256
1655c7834b7a55a626e0316366e4efcda0e490433c66dbe0bef9bf7ecdfb61d5

SHA512
348fe64a6835c83558c41c8166fcb1b191b7f05a67742f2b4483238176ce9819c01edf79c18c986cb5e2f76f52643ca309bed12005fb667a84d8ee77af430f43

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
78KB

MD5
324b49adcb35ad520ad0f87cdee2c631

SHA1
c22a578f46fb10c207a398f05eb93df2ad949332

SHA256
23522f1919483819dd08900d231f3a49c5c8882ebaa269ab1878847b7b3f5c8b

SHA512
b82c170ad93e579aa3accad80f8e72ec3479b3b3ba91088b836f786ba630cad8157081b294de4ee3b835c2e7273aee8cd31edf6380f173dd0dd1b4dcd37152c5

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
78KB

MD5
1c29a2783b9cea4db14c07b7e1ce7005

SHA1
f44fe3d805e69613f723d7acb724505908d5f1db

SHA256
77a94e13c56b665f6a33781cb8c76e3a324752db3d0862994738ad00f1a5a4b4

SHA512
a76b658cb730013be9196a50f156ab5051af320c3a1f7d6dac506935165f8f55e403af9cf414e34708d1da3387f0c8f4cd6378469731a04f27e1a1c417532b5f

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
78KB

MD5
64c89a0cbcfa4002ec283e913d66c7b4

SHA1
115d403ed314c1cb59e5f092a2051a2523036aaa

SHA256
b2fd768d948a4e107f8f868742efeb1786b0ebc8bf0f05b0bf3c00cca8ba26de

SHA512
8d4ed29223a1f66e501caee2fd730e4db94d92be1360dfaa6775753e5797357155b0197bb5274d2c8ccc41ba11a6ce20d2c48982434995b51a25396494750f7b

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
78KB

MD5
7000efa14672f3594c58a8db52f31bf1

SHA1
2e19fe817b2d8381b264b1bbebbf6559a2a6f432

SHA256
0da805d963c2e279b3bac6aba84c9294346f3d155f96c4ddfc024a364c32c238

SHA512
954b0e3e4cb51f40ed71a697a8e105ff158077d055911445fe8c2585ce36ceb7697a2dc343fea8383b1090e9a1605f733d6c13cc38169d9fd10a2d23458db05d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
78KB

MD5
dcdab82796b2992bd49aa4c0d231261d

SHA1
1bd836b44858f4bf38e7bef8dff283165b61dd6d

SHA256
267416fd663fa2db60ef8bd1dc2b86b1e63e0a94695b17283f8f437164537873

SHA512
73c317acb9e1d32c9ef998cc463c56696378d112026c60be320bb2e7578b05ddd16e9d375420e990de701f681c169d9f6f2622eea25baa0f15318733454c8551

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
78KB

MD5
c0107420468b3bf42bd4eaf8a70e6860

SHA1
3114e9c0c707607fedc88174230c0fda32fb96e5

SHA256
cb73acf30949de3f35bc5a5bbe3b14cd9c7b93fd632d0b34063b36188874609c

SHA512
5a482b50d07ad6ad1a05bc1519996a3f31c9c9b67d2e1496f6df347665c7702eb816b131e21e78e8e65caee4a26cad2bc3ea7323f90576a73bc901dd8005c6e8

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
78KB

MD5
bff10b19a402f9b8e2b47dc2c608606a

SHA1
76a883e3130a3e79af08a1aea9fd988250ce0231

SHA256
cbbe45f384ee581150636d98a4d8d2db4613d1ad7669748013f17aadefb24eaa

SHA512
68b5fda34241ca159bf56c76818c38fe6b18adf91c84fc35ffbe25d2c4fcfabda1be7bbd62e864ed4ac5c0f558a9c17b03441f39cd349ee7c549f718acc52e88

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
78KB

MD5
7f8db36ee45a3fdce6b16e2b32dc19db

SHA1
44f9097c1c53c9d0e800944c00e3240a7b269f9a

SHA256
9f3891d8a5825f74e869bdd8dc10d72753b8cc3a2b3396af611c8b0297301797

SHA512
91f00c8e19ac5966a3a89a4b2b275ee46e08a90ecd124403ab0cd9c2233ae9ba9a5303f45de6b521893940e6c174be62cccce351d81c35e87e0dcd763d42a1ea

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
78KB

MD5
452076b7b51dbdb7fc32909174baedd4

SHA1
c3cdced7c26d40af814872c161fc5ed037a59377

SHA256
125e79ea3c7971bab4e34a740b270b8abc5c36a292f09f0e23c573631304326c

SHA512
aeae4015fef8452ca3b55192434b37fd8784c5b90a5928e2ef969dd4d1890fd852ea9e6793a0df4d59e8bb4d1d28871abf4f59051068f887554e8654a2711e23

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
78KB

MD5
3c92ea8e78182014a8f9cda3f94ef8bb

SHA1
bf94b71d2bc90ab2bb1ce58922f4f2cc0ad7c774

SHA256
249db0c1a393eb9bb1462550bd40445e7fa017a525f85e773b3308999b557055

SHA512
395a2c9d979bac714158a62892d9c9824dca2106aea11eeb6ee9b659f7ec57269fe016c13d1354710532be0e114d924c3d89171d4ae94ddcdef7c04130cf1191

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
78KB

MD5
8d0d56483357c0c3c8f6a2126a7e93a0

SHA1
d947bcf55a1f623a8d06faf00168e5db60699426

SHA256
d3b3429df46997af95d78b1e848add64806194550061e27436de722249acc3dd

SHA512
457238586a385acef8785d6b117e21cf38761cd6eb82fcfcdc3e5628db88d19b19100ef0dfc49c23f196e23aa3303a1d63b31f17d594c5cf5069c4f4628484ed

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
78KB

MD5
d10a26217364a8b7d9efe46c33be5b9e

SHA1
35aea7ae56c05a7022a2a28d79fc757f14abb70a

SHA256
b69fdcc82c5a9d43897f69d23a798272dfef28d1a5e97c7d2024b70913314cb9

SHA512
2936684b0cbd82e2bcabeec02dccd0891ccfbd6b2b7b1dfe26026e291acd8c73a65eb54dd5fdfd886547ff25516feaf559ba16c399f4ce6fc57130dc94b5f84f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
78KB

MD5
0800e46055e0c0a2e75e1c177e77024e

SHA1
9cab8300d0d6dc9be0219f5bfa8668941347659b

SHA256
191a5d831421fd81d02bd6e054a91f1a591f07361f024eba7e76c2b5223ade59

SHA512
8096e4f870d1a5ae47fd6edb5de764031824f99230cfa0fb3ca6e6c21e8a183fd2f4810e9c36083899d6adc34b686b4c933cde61d41a7fb7a64c77bdd37eb836

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
78KB

MD5
5c797718ea6cbcc14f5acd312156f122

SHA1
14d9902902f2db48ad3bfa3e109370567dec9a19

SHA256
18bb2f0365c764a6c682a053689b2cb2bb2d793cefe7a421cdab0fabe12f469c

SHA512
b04a5d7a936545fbefd059b02d10c7be00564262b9f715c0e173425d01aaecaaac70d18b6f765e70a7dd6fbfbf53e14aecfd123d9b6b079e7f8a4e80f2b015b7

Download Submit
memory/632-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/732-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1164-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1276-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1276-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2000-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2000-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3852-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads