53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe
Size

63KB
MD5

030a29104ce5646bc1cb50fd8fafb244
SHA1

fc25ba3c1a56ac04a666e7f1e7db555561fef44f
SHA256

53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616
SHA512

76203cd3e53716c9f01eca25197a8ef443edfef536c91cf5249b7f5c023cffc13093b2711387ce89e2a4eb7fb5819bc450591501fdad23fbc04042aad36acbcd
SSDEEP

768:oD/Q/qd1sqvfXTpAgQg9XmfUVQWoAYDdMvRLXDDQUjnMuRWqrl/YuJ/3mQ/1H5oD:WYCcqvFtNDX/KuJ/7+VlEn9rjDHE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe

Executes dropped EXE 60 IoCs

pid	Process
348	Kbdmpqcb.exe
1612	Kinemkko.exe
2732	Kphmie32.exe
1380	Kbfiep32.exe
956	Kipabjil.exe
1524	Kagichjo.exe
452	Kcifkp32.exe
772	Kibnhjgj.exe
4556	Kajfig32.exe
2908	Kckbqpnj.exe
2848	Kkbkamnl.exe
1072	Lalcng32.exe
4728	Ldkojb32.exe
1476	Lgikfn32.exe
4488	Lmccchkn.exe
2800	Laopdgcg.exe
3768	Ldmlpbbj.exe
1076	Lkgdml32.exe
3040	Laalifad.exe
780	Ldohebqh.exe
4436	Lgneampk.exe
1252	Lilanioo.exe
3844	Lpfijcfl.exe
1016	Lgpagm32.exe
4628	Ljnnch32.exe
2744	Lphfpbdi.exe
4552	Lgbnmm32.exe
2204	Mjqjih32.exe
3104	Mahbje32.exe
1916	Mdfofakp.exe
2836	Mkpgck32.exe
1992	Majopeii.exe
5076	Mcklgm32.exe
4416	Mjeddggd.exe
4268	Mamleegg.exe
4004	Mpolqa32.exe
1452	Mcnhmm32.exe
3484	Mjhqjg32.exe
4520	Mncmjfmk.exe
3568	Mpaifalo.exe
3376	Mcpebmkb.exe
3720	Mnfipekh.exe
1644	Maaepd32.exe
2808	Mcbahlip.exe
4228	Nkjjij32.exe
1980	Nnhfee32.exe
3716	Ndbnboqb.exe
4768	Nceonl32.exe
5100	Njogjfoj.exe
2000	Nafokcol.exe
2796	Nddkgonp.exe
2944	Ngcgcjnc.exe
4640	Nnmopdep.exe
4040	Nqklmpdd.exe
3220	Ngedij32.exe
3840	Nkqpjidj.exe
4848	Nnolfdcn.exe
4844	Nqmhbpba.exe
4412	Ndidbn32.exe
1052	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1920	1052	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 348	1300	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe	82
PID 1300 wrote to memory of 348	1300	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe	82
PID 1300 wrote to memory of 348	1300	53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe	82
PID 348 wrote to memory of 1612	348	Kbdmpqcb.exe	83
PID 348 wrote to memory of 1612	348	Kbdmpqcb.exe	83
PID 348 wrote to memory of 1612	348	Kbdmpqcb.exe	83
PID 1612 wrote to memory of 2732	1612	Kinemkko.exe	84
PID 1612 wrote to memory of 2732	1612	Kinemkko.exe	84
PID 1612 wrote to memory of 2732	1612	Kinemkko.exe	84
PID 2732 wrote to memory of 1380	2732	Kphmie32.exe	85
PID 2732 wrote to memory of 1380	2732	Kphmie32.exe	85
PID 2732 wrote to memory of 1380	2732	Kphmie32.exe	85
PID 1380 wrote to memory of 956	1380	Kbfiep32.exe	86
PID 1380 wrote to memory of 956	1380	Kbfiep32.exe	86
PID 1380 wrote to memory of 956	1380	Kbfiep32.exe	86
PID 956 wrote to memory of 1524	956	Kipabjil.exe	88
PID 956 wrote to memory of 1524	956	Kipabjil.exe	88
PID 956 wrote to memory of 1524	956	Kipabjil.exe	88
PID 1524 wrote to memory of 452	1524	Kagichjo.exe	89
PID 1524 wrote to memory of 452	1524	Kagichjo.exe	89
PID 1524 wrote to memory of 452	1524	Kagichjo.exe	89
PID 452 wrote to memory of 772	452	Kcifkp32.exe	90
PID 452 wrote to memory of 772	452	Kcifkp32.exe	90
PID 452 wrote to memory of 772	452	Kcifkp32.exe	90
PID 772 wrote to memory of 4556	772	Kibnhjgj.exe	92
PID 772 wrote to memory of 4556	772	Kibnhjgj.exe	92
PID 772 wrote to memory of 4556	772	Kibnhjgj.exe	92
PID 4556 wrote to memory of 2908	4556	Kajfig32.exe	93
PID 4556 wrote to memory of 2908	4556	Kajfig32.exe	93
PID 4556 wrote to memory of 2908	4556	Kajfig32.exe	93
PID 2908 wrote to memory of 2848	2908	Kckbqpnj.exe	94
PID 2908 wrote to memory of 2848	2908	Kckbqpnj.exe	94
PID 2908 wrote to memory of 2848	2908	Kckbqpnj.exe	94
PID 2848 wrote to memory of 1072	2848	Kkbkamnl.exe	95
PID 2848 wrote to memory of 1072	2848	Kkbkamnl.exe	95
PID 2848 wrote to memory of 1072	2848	Kkbkamnl.exe	95
PID 1072 wrote to memory of 4728	1072	Lalcng32.exe	96
PID 1072 wrote to memory of 4728	1072	Lalcng32.exe	96
PID 1072 wrote to memory of 4728	1072	Lalcng32.exe	96
PID 4728 wrote to memory of 1476	4728	Ldkojb32.exe	97
PID 4728 wrote to memory of 1476	4728	Ldkojb32.exe	97
PID 4728 wrote to memory of 1476	4728	Ldkojb32.exe	97
PID 1476 wrote to memory of 4488	1476	Lgikfn32.exe	99
PID 1476 wrote to memory of 4488	1476	Lgikfn32.exe	99
PID 1476 wrote to memory of 4488	1476	Lgikfn32.exe	99
PID 4488 wrote to memory of 2800	4488	Lmccchkn.exe	100
PID 4488 wrote to memory of 2800	4488	Lmccchkn.exe	100
PID 4488 wrote to memory of 2800	4488	Lmccchkn.exe	100
PID 2800 wrote to memory of 3768	2800	Laopdgcg.exe	101
PID 2800 wrote to memory of 3768	2800	Laopdgcg.exe	101
PID 2800 wrote to memory of 3768	2800	Laopdgcg.exe	101
PID 3768 wrote to memory of 1076	3768	Ldmlpbbj.exe	102
PID 3768 wrote to memory of 1076	3768	Ldmlpbbj.exe	102
PID 3768 wrote to memory of 1076	3768	Ldmlpbbj.exe	102
PID 1076 wrote to memory of 3040	1076	Lkgdml32.exe	103
PID 1076 wrote to memory of 3040	1076	Lkgdml32.exe	103
PID 1076 wrote to memory of 3040	1076	Lkgdml32.exe	103
PID 3040 wrote to memory of 780	3040	Laalifad.exe	104
PID 3040 wrote to memory of 780	3040	Laalifad.exe	104
PID 3040 wrote to memory of 780	3040	Laalifad.exe	104
PID 780 wrote to memory of 4436	780	Ldohebqh.exe	105
PID 780 wrote to memory of 4436	780	Ldohebqh.exe	105
PID 780 wrote to memory of 4436	780	Ldohebqh.exe	105
PID 4436 wrote to memory of 1252	4436	Lgneampk.exe	106

C:\Users\Admin\AppData\Local\Temp\53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe
"C:\Users\Admin\AppData\Local\Temp\53e7dfca225707db3221d9c725b61b9de42419dbfdcc22b5c1eb0d01725d8616.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\Kinemkko.exe
    C:\Windows\system32\Kinemkko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\Kphmie32.exe
      C:\Windows\system32\Kphmie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        61⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 408
        62⤵
        Program crash
        
        PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1052 -ip 1052
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
63KB

MD5
106da4b97db7a75b1c46d21e5895b6ac

SHA1
97a7827a3b92dcad1126b6d0d4a5ba67726856df

SHA256
94a2f200f276a6522631033d3b9f44f6860b0f1d43b0479e885a63664aabdd30

SHA512
6504c8f0271e1a19e1894a8ebf8f20eb6249604e304b52e84006d71fc0762b3dfb4aa54bd4c043811ec2f4cfde8d86268b6c956f10f0fc15fabdc89770d79ecf

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
63KB

MD5
228c4d5e118c3ed7f8a8c35b4191ab44

SHA1
b50a5aab47ea88254d3633e4cd34398c6bcd1f81

SHA256
52419ebe5c62cdf81d34888fee360660019a9646c3cd7100b5cec4e042bb9094

SHA512
de58236cb1b596c3c585590cd53405e46fc1d08ad96866fb7216e6127321e453c89b143a9c9742ea18bda3c2a1dd82109cdebd99cd1aa3241b29a35188f186f9

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
63KB

MD5
2bc694c77c3142babfaede0a511eee7e

SHA1
167e736fb66460dfc284a591e2963bb337b717c9

SHA256
88df789d34ad07ffe38c80d65a6cd177401fe06a8b2de2dae2c93e385e41b76f

SHA512
f2e69ed336132cf9ac1b8a30c7fdf7684b1697da20b1ba03455a85fd6daa08aef9b3c4d29544fcff2f35bc55414f2114045d8b2fdecc1f65d108d8c205b50d80

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
63KB

MD5
f38d13c00d0bbd21e317b9487bcd0a81

SHA1
c3fcd3851ee1bbc2440ac1e30a19cc67ea8a6a17

SHA256
c656fcb46fd193f99444d1c830c1fb82ea86af5111c495d7017a2682f567a23b

SHA512
4f0fd3fafd70430a117256378d5cbd364befcfd1e04787f447a36b71d27a30b9e717d4edeed8177a26a1c67254f0b89ffe859d67b922d3408e122da479239b05

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
63KB

MD5
2f5285fe8376f27a685e14746f3171b9

SHA1
945acd95ece22d9590b87782a3eb287a7965cb60

SHA256
c250e0727fc78e68d72b276ad5be71d3545ef694de2a806a58c6d1c9597bca8e

SHA512
07bb7640441daecafdc84679de83f1972455e1a67129a17196be9c2764b4e05db1521365021198da87b597f0dc770eed80f3b652d324fa18640b556ade8f946f

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
63KB

MD5
04d75cbac6d94a376db89af9549d473a

SHA1
4c3b0174317865a0e902f25cd28e6eb07d1d692d

SHA256
75a8c91888d61b2932d3df381793bf45ce4af2557a02fcb6a9d4e1e2459eea63

SHA512
c36d165510f36f12a6656c10d58905e026bf3df2c2fc446f4f2bfa4a9e0e0cccd37bb41a1b8a81aacef3c9cc8145c97f3419db7c65ed1ab6f4082bbb6078b690

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
63KB

MD5
4b044196f017f20c06d6860c02857e60

SHA1
707f7aab18a4069f93a36e9e2bc9697b070861b8

SHA256
1026ac6018d7f60da45d921d39a85e549800499a900eb6420623240c3caa58f4

SHA512
034bdcde444fbcf1d3c0068ee3bb292e8f33285c0fcc126a05137bf0342ee5670fc3da4dd415c03f2ffe5f86e38fa4d3c019854218280f09d69bf7db02e2b92a

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
63KB

MD5
54a31040594a43e6269901a00bbe77a1

SHA1
42bd740099b4b25e71cf1cd7f8aa062e5517a74e

SHA256
9f3c24dba9916e78660f44c888b94ab31487c155d3a58e2e9b48f29efbf52a6e

SHA512
9bb68f399f8b09dc8c36c564359474916c63122f3d9fceabeb7e0329164cca9dbbd116892037695ff7bda13ad522fd2202c7db32e7248c8b04744487ba9a5164

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
63KB

MD5
40d9e576684f4bfc892ffaed0ae83ba6

SHA1
0f16b86b7a0ee565aa911272dfaf555fd915dc4e

SHA256
b678b27fabf82b659b7403e7aa3383930b6ddd9d58f48c129575c4dae2f1b9cc

SHA512
60c1f04e5066f480065b43dddd6f6107078352d5483bb77a33fedd0088b7cb7bbddded9cae5b70c0020889f70c32a921b43c0d2e0a4c6b8a023a4e93f41cdd6c

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
63KB

MD5
135f0339db3c9c0d1533e59895d93a60

SHA1
c6f0f593b3b20d0bd178885a93c2065d7c4fd856

SHA256
83c6e8e93a84e8610dfce17e8513963a21b5c6e09775aedb29ea2ff2b7c75458

SHA512
1db04459440f8500f9ae3840f58c6597fbc4df416803fc63004a5b02ec6822cdc782d2c9966add08c8b1d2a5bd701ebb305437dd15aae81ec0f6eef169095b5b

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
63KB

MD5
eafe0b16d53f8c6ec53dfc64184e9c91

SHA1
8c7591bbcfcd89b4d70f5a1432764bdeb3320c21

SHA256
14c3c995739723742888ff43fd42fdd7c6798537cb63f4b860805d8c2ac4e5d6

SHA512
359d1efffc6fdd4d8eb086a00980e7834a1843720c1635b0ca6e74855d36a06afbc33cbbc75900b08bff319a91a797b93880060d958e36c4972cd3f6326ad221

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
63KB

MD5
e216eada09a3f698770ce70924a92183

SHA1
d2d3a931d3d959601a64445d21337a2d1ebf8af7

SHA256
5962e6ee520738577ec46f40e229d39d3b4db663e3fd593c35267de696912951

SHA512
1f1b370f2b14bdd492e95f87210e53b03ba99287678150dcc9a826c226726f3d3799ac63abe3b669df0346cd6c58f69cf06749c37eb56ebe073ca68500f45c17

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
63KB

MD5
89f84bbdab9712b71bf0a89ec965092c

SHA1
9d2b1d01a50eaf803e87d1bf1fde04f3e1806735

SHA256
072c54d4b7f40c1308de892634a6e5309436a65f7505b75578da883b7bc53e82

SHA512
7d2264720a168f04dab56d7972013e5a5081caeef1b532e32c945f2aecd66d4bf22d858f70feb4be7a7700f4c85c9240c37a6bc1ba6c1ff7b4299057c1ee49f3

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
63KB

MD5
5f6b10eab8b423c238c95e6c3bbb6803

SHA1
8b24f15e51d00175902ad9aa240586d1fc7715de

SHA256
a3c8b6a7c678dd1a24991521dfefb30bb68bd9ba58767386d3f06042ef805489

SHA512
119a2930eb184cf7f81bc818e5aa7866a70c4d927707f79dead59c48230732f5c2e8ba6987e5257f36e3f418589f67f325a444d695c342df9c6fe11a0e5da72a

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
63KB

MD5
35a61d400b3b71c5b4eaffe63d99fec4

SHA1
3136b94fc06306fd76c7a8fbff8a624ec203c05c

SHA256
d889fa5906b41ebe4680a1bd523b9995e7bb5b6d07473c7d9daa7778fb5480e5

SHA512
52aaadd0a158a92edb64dade6c32229ae057dd55c146c04fb23d696ca00d40a429eed6e48da5b55ce9f061890555b3e6a83dd902f4f2650b5f5074b9c92ffeb9

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
63KB

MD5
3c63674d1298a25877a8dc3ba9756a3f

SHA1
dbb9b402f3655621739ec47db4115a679b18cc20

SHA256
2f974c8ce296b709d515f2a35c00cd40be09cb14b739204dfb56eb51c3b212b6

SHA512
2b006274f3e05c85734ff6f39af158f01068cb5459ff935e9fd888e9746f16fd859e0299376196caf855473a974ac6a79c90808fbcd6c66337fdb518367f25c4

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
63KB

MD5
7f238521f6849b77f97e58805fb13bd4

SHA1
539b855323016dfcd69d05308391c5b111560d39

SHA256
b1134b64f1e1d8bc80815c3dc9d0bb586a3aea9a838b4cafec397699113b176b

SHA512
031fef3d56912793892b42c8561eca86132e77e06fbb57c56a9feb921679073ab6b76288cbcc88eb6a8557adf822e30a5ae58bb3b82cd51db6c6c51c6751214c

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
63KB

MD5
0fdccb7026ec52421eb658f7b15ad181

SHA1
f1e323aee7432dd1d197ca8b005f7601c2174715

SHA256
8f47a47565c04d055b9ba05a7e4ae207b0f1d062e5a61877bb74883b8917e166

SHA512
b7cff65c71430101548183dfe0c57c72a32596448dc6611222b3ab39a1f563bec0138fe5d1ceaf3ff8efaa9b1afa197b494ee0bfafe74e523f836761a8d78f34

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
63KB

MD5
b7b61fe99f1ebe2d333cd4248747ba42

SHA1
9ba437d0c838919b6f77319dd2847be6ecbda944

SHA256
0364855cb1005fcf595e5174aedcb4fa169aeb1ebcd810eafa0d6e45902bfa71

SHA512
a81e0e4141b6bca80f3a5dc76a24f8b1e7d77f6bba150150609181b9204ae180909e3f3f66e4c4c9858d4bf6b158102ca42e92db6c360802bc01188dad9086f4

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
63KB

MD5
8145e2ae4e4345ba7627de575620d4a9

SHA1
7a6e5298101f8e220e7055b8a66e18790b0f6f9e

SHA256
1188e43bd13bf524a5ffb40b87015d2e3a4cd75183f7fdeca5683fac83e30391

SHA512
a3b7ee45d6c23c446e9bb606024a4813a712b14f0632e2e868cec963c25ff7f29146a4726609eead988044705fa503ec7da6d40b5f88f60a372652931055cb05

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
63KB

MD5
4ce91d728588376cbe448db761e276f4

SHA1
a45677787b2cccaa4d8f24bc27551fbb94972601

SHA256
05727b51eea26e80c6e29325569de8ae308d8dbd0b313af1f765fedb3bc6933d

SHA512
e746c9b0a1e1dbad89e994607d6270653149107f5abb142553bf12a059038ab8bb278c78f9676b26ba155e25aa44a8bc9ac6ad286c5da77439ae57ae85eea5db

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
63KB

MD5
0e4f588305a1f289bc6a45b9e926b81f

SHA1
da38140eeb068d216bee719ae532e1d27bc5fb6b

SHA256
a2ae3e85b7f4d0161db03bd2516e5749ca6d27fc49415a171dc11d6282f65e67

SHA512
5d411dc695e8108f6b262557e15602742da17b53ff13c90758a5dcfba004292da25329fdb7fe6bb16ad5cb382fbf4693612a53b8700293916b2bc2871ef2ca14

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
63KB

MD5
c0a59f9f2670c77cf8700ff204071805

SHA1
d33260312d1404b8ed95fee16deb064ca9e89ec9

SHA256
1629c51f9f31002fd864ad8bc24fcd2feb45c039bbd7b953af01cc0259e47bfb

SHA512
e9b962e43ec957e7944197705c1fb010d2ab2432d9aa08cdea4d87df77089a270436bc91a8859b93100d802a2b91145850bc9c440c0fa7e7839dda3c900286e0

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
63KB

MD5
836364d14e6d87dc57f8726320bd2762

SHA1
e3d8eca509aa14a04e70f62f9c97c9fab28489bb

SHA256
8ee63b38c114cd11ee6b02554b97cb3c40d3311d2efe478c83675ef0589e0a02

SHA512
8760bc43d97782f090704d69822ef1a15f85c6ba36b65270a8d170edbe789ce3d6549f3c2a773e0775ac5734636418e7c0688020ad4e7a6c82e2b44cbfd25a21

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
63KB

MD5
43d63aa01d66f724bbcc96cb371d8b52

SHA1
0a4d85ce6901fa3e8d920395b5dc6ee78531cc88

SHA256
06c1a218f4d599698227f41fb0f1d24d005c7f6ea54037972037c635be825643

SHA512
9cdd4d8791ebc48ac70e40ca929d02c1de15a27bd647b6d10da30fe63e8b5f13af422698876d0a025651a04faa9e80ba52fb9113969bd4d56351e186196a5899

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
63KB

MD5
efce52d85c00955c5edc11d3c763556e

SHA1
57f302455c1f115940e0fc1e15532c50f9db6f49

SHA256
9c7bfcc73af85fba0b1f1f636bbb2537366d743614a99036fe07f56ff1bad911

SHA512
ee4c84e2da580d3dcd0ff030ababf800076fe38f941b56e179d41210208ce03e5c0846e9807bbbd2952437c6fdeebc68cee28a63cf8c30c86cf1e740728b1841

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
63KB

MD5
470d4a870d1ea245ddfc57cb2c8f838f

SHA1
9207345588ceb59d7cf06bece902f9600c345a1b

SHA256
74cea01bca965b947c6138d9ae12a0b6fdeffbab45047a4a2c6690057087d165

SHA512
9f68a52ca6a26e92075f0cd05f45443d38a64b449d4301a9b1567aa4b10a7b956b8ad599f5e9622eedb8ac22d320b1871b93832cadcb41d52921e95140597778

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
63KB

MD5
b6eaf245934525ff245f386fca9e958d

SHA1
91950717dd1d7af14e7aef8848b574fe1e3a2005

SHA256
6c6a902c39f4e2d4c5284ded5684f6acf59ef3295eba0626a50a84377ba5aded

SHA512
617965913e7f77bade604a2e7300712784d20d179adce94fccc586aee193d61b0c14059b4377bdb5c7fbadfac33e7bd0e47b5859abad131c50bc2fd642c989f2

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
63KB

MD5
8eaabe1aad4765e5d0ad0a3fc6a93c24

SHA1
d79715ecadcbb206c51e3e51e2552af591dbd431

SHA256
791fd93fe2363e27db7cf97db698e91d9ede8483e41606936248b5315334a5b7

SHA512
42a4f4e79c1a69df05770a51fbba43298125255819c835d92d6b1d178ba7e2445a8544b6db26fa30ddb89cc2baa5a2776ab61b8e5fa3302025d7ddef8bb4cbfe

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
63KB

MD5
5437d31fe61f5da23cd695ded4c217d8

SHA1
016a79486977afa753df11f134f03e69a5da876e

SHA256
a6689fb6af6f8516fcd7fe65d48b984c3daa5e3f52ea6f1c84aead7e0118245c

SHA512
1dfc128c7cb7b5553788da8086f10381dd2d476d6c66e7f796efa824955cc611721a944410d309bdab9a8a99bfbeeecf09034d765b1fea8a21189cc12cc6e2ea

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
63KB

MD5
c7626e21806f9f15e675bb76320c76d3

SHA1
2f0a0c4b5d2f240e471bf946d02de89472d92a99

SHA256
ecdacb10b907032658a6b0e54fc2de13955c3c1fce96818629b7dca41009728e

SHA512
0da0aa9f92bb69888578fee936dc3e83dc07e7e1e385924e6eaf46a1f463f966eadd9f8e5517a2da87a0fe19e5dddd8540bd8d19595761efe470d851bb2bbc0d

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
63KB

MD5
353e2532060d0dd62760e8505b14f720

SHA1
5ccf2101ad355ff6db125fab821ef1eb512f9923

SHA256
e7734f03d7d88436465ae746cc7792453a46496c000b8485402f4a43f0e4d0a8

SHA512
1a95544ebf7973810aae26db06486f6c9bfc7ce2683c0316d0a9aaf050dc558493c8cde4669815892e75f26c1fde3c350fcfd6d8bf4ce72fa5f997e078d67e06

Download Submit
memory/348-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/452-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/772-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/780-455-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/780-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1016-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1052-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1052-425-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-456-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1252-454-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1252-175-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1300-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1380-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1452-290-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1476-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1476-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1524-52-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1612-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1644-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1644-438-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-436-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-445-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-433-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2732-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2744-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2744-451-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2800-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2808-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2808-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2836-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2836-447-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2848-87-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3040-151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3104-236-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3104-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3220-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3220-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3376-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3376-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-443-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3568-308-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3716-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3716-435-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3720-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3720-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3768-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3768-457-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3840-427-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3840-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3844-453-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3844-183-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4004-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4040-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4040-429-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-437-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4268-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-426-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4416-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4416-444-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4488-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4488-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4520-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4520-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4552-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4552-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4556-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4628-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4628-452-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4640-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4640-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4844-417-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4848-410-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5076-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5076-446-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5100-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5100-434-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads