456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Size

159KB
MD5

278508f65b00fca947c5c4d1cdbfdfdb
SHA1

02deecd10d141479531e630e917068397086f81f
SHA256

456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f
SHA512

0c6c69ad5cbbb7bbded309f5b31d52fb65f7986c633200c31885b00b5e40357e7a4691dad470ce6a7286c0e19db1fcaef3c9e15d565535d8fda90270c12c3e91
SSDEEP

3072:BSCKIknNNynDrSUCmnfCm04AetXS+Tbwf1nFzwSAJB8FgBY5nd/M9dA:EbIiszf04JXS+g1n6xJmPM9dA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe

Executes dropped EXE 41 IoCs

pid	Process
4816	Kbfiep32.exe
2308	Kipabjil.exe
2548	Kagichjo.exe
1396	Kdffocib.exe
1188	Kkpnlm32.exe
4688	Kajfig32.exe
5040	Kkbkamnl.exe
3628	Lalcng32.exe
3928	Lcmofolg.exe
764	Liggbi32.exe
2292	Lpappc32.exe
4300	Lkgdml32.exe
2528	Laalifad.exe
2228	Lgneampk.exe
4040	Lilanioo.exe
1744	Ldaeka32.exe
3196	Ljnnch32.exe
2896	Lddbqa32.exe
4788	Mjqjih32.exe
1168	Mdfofakp.exe
4844	Mjcgohig.exe
3836	Majopeii.exe
2596	Mkbchk32.exe
5000	Mnapdf32.exe
4896	Mgidml32.exe
3128	Maohkd32.exe
1660	Mkgmcjld.exe
4944	Maaepd32.exe
872	Mcbahlip.exe
4800	Nnhfee32.exe
1980	Nceonl32.exe
4340	Nklfoi32.exe
4864	Nqiogp32.exe
2348	Nddkgonp.exe
1000	Nkncdifl.exe
216	Nbhkac32.exe
4876	Ncihikcg.exe
2796	Nkqpjidj.exe
1608	Nnolfdcn.exe
4388	Ndidbn32.exe
1668	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4904	1668	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4816	4660	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe	82
PID 4660 wrote to memory of 4816	4660	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe	82
PID 4660 wrote to memory of 4816	4660	456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe	82
PID 4816 wrote to memory of 2308	4816	Kbfiep32.exe	83
PID 4816 wrote to memory of 2308	4816	Kbfiep32.exe	83
PID 4816 wrote to memory of 2308	4816	Kbfiep32.exe	83
PID 2308 wrote to memory of 2548	2308	Kipabjil.exe	84
PID 2308 wrote to memory of 2548	2308	Kipabjil.exe	84
PID 2308 wrote to memory of 2548	2308	Kipabjil.exe	84
PID 2548 wrote to memory of 1396	2548	Kagichjo.exe	85
PID 2548 wrote to memory of 1396	2548	Kagichjo.exe	85
PID 2548 wrote to memory of 1396	2548	Kagichjo.exe	85
PID 1396 wrote to memory of 1188	1396	Kdffocib.exe	86
PID 1396 wrote to memory of 1188	1396	Kdffocib.exe	86
PID 1396 wrote to memory of 1188	1396	Kdffocib.exe	86
PID 1188 wrote to memory of 4688	1188	Kkpnlm32.exe	87
PID 1188 wrote to memory of 4688	1188	Kkpnlm32.exe	87
PID 1188 wrote to memory of 4688	1188	Kkpnlm32.exe	87
PID 4688 wrote to memory of 5040	4688	Kajfig32.exe	88
PID 4688 wrote to memory of 5040	4688	Kajfig32.exe	88
PID 4688 wrote to memory of 5040	4688	Kajfig32.exe	88
PID 5040 wrote to memory of 3628	5040	Kkbkamnl.exe	89
PID 5040 wrote to memory of 3628	5040	Kkbkamnl.exe	89
PID 5040 wrote to memory of 3628	5040	Kkbkamnl.exe	89
PID 3628 wrote to memory of 3928	3628	Lalcng32.exe	90
PID 3628 wrote to memory of 3928	3628	Lalcng32.exe	90
PID 3628 wrote to memory of 3928	3628	Lalcng32.exe	90
PID 3928 wrote to memory of 764	3928	Lcmofolg.exe	91
PID 3928 wrote to memory of 764	3928	Lcmofolg.exe	91
PID 3928 wrote to memory of 764	3928	Lcmofolg.exe	91
PID 764 wrote to memory of 2292	764	Liggbi32.exe	92
PID 764 wrote to memory of 2292	764	Liggbi32.exe	92
PID 764 wrote to memory of 2292	764	Liggbi32.exe	92
PID 2292 wrote to memory of 4300	2292	Lpappc32.exe	93
PID 2292 wrote to memory of 4300	2292	Lpappc32.exe	93
PID 2292 wrote to memory of 4300	2292	Lpappc32.exe	93
PID 4300 wrote to memory of 2528	4300	Lkgdml32.exe	95
PID 4300 wrote to memory of 2528	4300	Lkgdml32.exe	95
PID 4300 wrote to memory of 2528	4300	Lkgdml32.exe	95
PID 2528 wrote to memory of 2228	2528	Laalifad.exe	96
PID 2528 wrote to memory of 2228	2528	Laalifad.exe	96
PID 2528 wrote to memory of 2228	2528	Laalifad.exe	96
PID 2228 wrote to memory of 4040	2228	Lgneampk.exe	97
PID 2228 wrote to memory of 4040	2228	Lgneampk.exe	97
PID 2228 wrote to memory of 4040	2228	Lgneampk.exe	97
PID 4040 wrote to memory of 1744	4040	Lilanioo.exe	98
PID 4040 wrote to memory of 1744	4040	Lilanioo.exe	98
PID 4040 wrote to memory of 1744	4040	Lilanioo.exe	98
PID 1744 wrote to memory of 3196	1744	Ldaeka32.exe	99
PID 1744 wrote to memory of 3196	1744	Ldaeka32.exe	99
PID 1744 wrote to memory of 3196	1744	Ldaeka32.exe	99
PID 3196 wrote to memory of 2896	3196	Ljnnch32.exe	101
PID 3196 wrote to memory of 2896	3196	Ljnnch32.exe	101
PID 3196 wrote to memory of 2896	3196	Ljnnch32.exe	101
PID 2896 wrote to memory of 4788	2896	Lddbqa32.exe	102
PID 2896 wrote to memory of 4788	2896	Lddbqa32.exe	102
PID 2896 wrote to memory of 4788	2896	Lddbqa32.exe	102
PID 4788 wrote to memory of 1168	4788	Mjqjih32.exe	103
PID 4788 wrote to memory of 1168	4788	Mjqjih32.exe	103
PID 4788 wrote to memory of 1168	4788	Mjqjih32.exe	103
PID 1168 wrote to memory of 4844	1168	Mdfofakp.exe	104
PID 1168 wrote to memory of 4844	1168	Mdfofakp.exe	104
PID 1168 wrote to memory of 4844	1168	Mdfofakp.exe	104
PID 4844 wrote to memory of 3836	4844	Mjcgohig.exe	105

C:\Users\Admin\AppData\Local\Temp\456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe
"C:\Users\Admin\AppData\Local\Temp\456c4dbfa6bead77066710f85c02b718ecceb408c1f0eb0f7603e62806f9546f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\Kbfiep32.exe
  C:\Windows\system32\Kbfiep32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\Kipabjil.exe
    C:\Windows\system32\Kipabjil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\Kagichjo.exe
      C:\Windows\system32\Kagichjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 420
        43⤵
        Program crash
        
        PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1668 -ip 1668
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eeecjqkd.dll

Filesize
7KB

MD5
fe917f1afa17586da605d8b1e7fde3d3

SHA1
fe31a9db3af5028ab8919d574018efb7b6b39f11

SHA256
21d9aa2681524dc9246d756d2c4fb45db0d2f9f1045f263b1b79c086172aabdf

SHA512
2fabc9e99985edd409bd274b842fa293d5764a1ab75dc51242169a531395f954d2ccf0fe21ec49893a132801b90ae3855c9414b829519d6d557b0b8af5e9152d

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
159KB

MD5
8a7fc84250fe2233d28b2045effa3e59

SHA1
7f8b9a4574adc248b7412c02d2bd9ff32594db12

SHA256
3c03eb2966d914fcb27299c155fb6ead24c9a268b25cb7d404acf4825c85748d

SHA512
0d9659d4bb93afafbb7f1263197c859e6826be16bc0735abadaaa2c527d3a3960c2a735ad0f288e6b9fc35d5496153f4ef1837c775c3e1f9b19ddae4f1e48dbe

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
159KB

MD5
1457eb9445da9eb029d92d3de86887f6

SHA1
d667d452b8d0e9f5fb8d5846c17beca05183da0c

SHA256
62a97072e0acd930951793e66532b8a08709be364c555fefc8f83f0712b4bd22

SHA512
86b054036cc234046fcbcaf12a85bab41a362b27890d48ca263e8d22dd5c1d42ad74596955507b9a2b8257476ec676c85a18ad4a18200428c033ad30a41c4b02

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
159KB

MD5
c24c89578843466a46707de85894978e

SHA1
75a1471ed70ded07360ff4a244a54839885a54ea

SHA256
0dc53cb54749a6b1a2c71e14c29a914ab23731b1f6001bd3829dcb653eba2dc5

SHA512
e738e92d588ac7d2dd0fc77cb85c92c262ac32ff9434811d980d17ab34b322c3a9b80d4bad7b9d37679f080fed96d8be74602b645c7743925ca7f1fa0b6f9a77

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
159KB

MD5
fd0aa01890bfaaa1e3e62b249491e21c

SHA1
d3517f9d3e4f58dbbad16b8c068509333cfea3f9

SHA256
a1abdcba8f9840b002331fda71f49d9fa818d4cfb7055b327c74a18def0f07f1

SHA512
a9c33df90ed1e0ba62847fef3501700a46e6999907252b57c21dd006a0a6e1fbefbd959729433a6c1d1f13443904b6671f7f7bbb24200551c8764a878af6a88d

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
159KB

MD5
973ace200a8243030b6edc2c4a148eca

SHA1
2802d6f45ce1cc860bff977577fe05cd03462321

SHA256
7b4954f706ab3d6d85eeecbbd65678d30920d850693574af71c8c005b24950fe

SHA512
71b37e814c4f90a95ab1eee50b4fac87577a3736d510b6a9607926521766e952d20983e04094cbda4162434721fe10e0ab22dfd0b2b69b25349e70d0cb12f01b

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
159KB

MD5
9bbf0d2ae48775c7cd9967885606a357

SHA1
63977e7b6fe004f51797c392d38e417a46b3a784

SHA256
265a72d0a0d13926acba4a0f22a586bf28edcd43ba8321749a663968e52f8870

SHA512
dc3e4e01ef14f56ef54a3f7ff1bf633d438d121a13b06267ba7de71ea2a6dc48011ac68a28ae3e1f5b9c58b2161233cfd8b090d2397aa35bc7c3c51b440f3c29

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
159KB

MD5
7962798e945eb1e3a3c86ce667bca798

SHA1
6619250cf6092cd0df52924f6fbc4385efa3a01f

SHA256
bb79c46e5fe6fb91d186cf2b16553a4674c924b7bba1921c8505a73b15ed6fe9

SHA512
4f8adc48a6fb047f97056c4ec494d548d8568b2ac79279460263e71f1238f7966fd8077a58959a301be7271f345e73b98bf5782a92b700f6d1dd813f2e324855

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
159KB

MD5
ca3ee8a783c0f465fe03097b238def64

SHA1
58cb1f24cd89b74b6a1ca7f5d87d9292e384d6ee

SHA256
3fab799e0a3fe01f5b28d3e6d80a1a5f8a2a4dbd1a81c42960ffb1781f98fbb4

SHA512
19c127861cc6abf87d31e56d38d6eefa75b9876aba7d1403e208e9eef5c651d7b7c6953d1a80138070abfba3e89b5f131773dfdb0ba59c8399477274dc3d7a98

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
159KB

MD5
0ae617044afc2196f64c0a3769996b30

SHA1
fe84122d0cb59f072d09d5ffb3f023e627d3181d

SHA256
662fa0368047f323e1453d228bccf6e42a0d0ee91d0b86e16c628af8aa5d77e2

SHA512
d8b0a4b8d7665da9dc6c49f44b74373f43e1e5d316822b398a57a459767c39793e2864d5f788047fa9c5fffab519951d86271851f44d8b664a9f3c3629bd64ce

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
159KB

MD5
d36f25f6c695812c3a12881818e85920

SHA1
1ae0938c52de3945cdd1e80fc2f8c527317dd5db

SHA256
5ab41407a7af02705125f348e5b92cfe8cc64f02daa0e206dc6d537a4581c415

SHA512
4d20eb4f4d68c85563b07c119156e7a7074b4986f3e847b2bf16ed79caa3fbbe017dc88108a4727ec25bdeb624b782ea91f2d186be1290d8fcd7d4bb5945e466

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
159KB

MD5
8360462bd042f5e6517b9cc7c05e5980

SHA1
c524b1c420c940c57378094123161289e592ac4f

SHA256
e941374cd01c4f808997e0003efe04a2fdc65997fbea3ca371e19b12bab27cce

SHA512
3322437621ee97e688889282fd057a8a28cb90d795b013bd46e22f2e7d8f5f57ff0e602bcd24ab44e7159d708fdabe6bf401642e401cd702deb43f921544c1e0

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
159KB

MD5
81aa81acd251df5edfb9aeefb3919baf

SHA1
24870c590171fd8fe5aa9dff9bc2d4537a5f9b1f

SHA256
59fb178b1ee2e77a1b3821aab41112a5d16afd291a7a0a7685783f5c9193d396

SHA512
decca5ea4e819369af0289d0601464f79db95c5820c74114538fe773d128ca967265fe7f047ba585c022bc6738b78679446749014d79c57d2e4a861b0870854b

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
159KB

MD5
1f7efd523ff165f1065c5c23cb09680f

SHA1
45d6687b68816d07e281d1924519059d7e48f175

SHA256
42b005cde835b9ada152db02069122abb98684aabf19959495ac35a1c8b83844

SHA512
ba56a1771baa88855afef2ed9001957db31038ed790682318138359dfd1b55f1faf9dcc76bea74306cb4d01b55be2ec4ef89836f5bab82572f64789c9773c15c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
159KB

MD5
3c42a456ffbffd39c0bf3d95dcc71d86

SHA1
95e88dc6b1d0ecf1f76a1b2b5e379036cbae619f

SHA256
2302f8c4733f22b8f67585fde1b79b4ae6a7a773effc78c75ec68a57f20e2bbf

SHA512
ae4458432a9db3b37c0c3ed6873b651c4c293ef03d89ec341c088a85f21190e8abd9490c296385808e62fbba975430458b89f202779d8e14a39d9ae47046fad2

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
159KB

MD5
6b7520b64ddb743f9afb6baaa59c31d2

SHA1
aa50601139f3aae7c52c8303a30c784abb9e9c36

SHA256
f36409f2b52874c2728c0c7e0757e2d56f14a1f431e5ea41d87717aaba735fa2

SHA512
54422b52836290d9c959647ffe2708481f82043e27c8cd233a5a3db2cf880a99c5fd89e8b50156cdd7b408ea5e48198906c1ff3be7de93d778ac1aa6efe66317

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
159KB

MD5
bee3e3e74a21cf5a5feb7e43019ca135

SHA1
ebe7af34b46b345196ffd50bcbc84b1b38d0f163

SHA256
e8b51999b8930762dbb1a8ef628bea2eb799ec4306d5a5e26b5b2adb79c286b0

SHA512
aede16c2604ee7e661c62ef3be46964c24fe79507daf7cf1aa7a5faaea2efc90f3533d1eb568345eb3c85ecb7c4a6be48ec7ffcac2680bd088befbef44d25b76

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
159KB

MD5
cc5da542970afc0005d8e3cb470211f7

SHA1
fd82da9306fd0daddbee113a755e057d1243a538

SHA256
4f86d89db9d66762dc4f825504cc78c459e106583a117b6860f86ed0ed3389a0

SHA512
c56defbdf909fa32b2da6511e1818d0477d46cd42ea8d63ed25e7bc6f28a5e5f1e5dacaf90ba86c027fe24f92eca6f93c30224c3d9d8c74a8de766f6e000e69b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
159KB

MD5
77b250748a6df1507bad40da45f62859

SHA1
b5257efcfd697d2f41d18397e0daa569007fe926

SHA256
4509258f2f8f58af1bcde3f0e2fcc20e54da95420fc0797d048b74f0ac328e8c

SHA512
5cf66c9825ab9325b39c6b8a1ffedd9f1fc25a4ca2b1ea8bf27ed7e38ed9a6d8ca2c303bd1317bd83b8411595ecf304beb0d3d042ae5b4c21b2e6b2e56aa1eb4

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
159KB

MD5
1eff198675ab074b09d4d93425587d6c

SHA1
ff3d8d67a6dccc65776628ea664250a8ab2520ed

SHA256
d1038104b78e54dc7e97139340e0a635c4e3b4fede0780b5a57c6a058f9b66c5

SHA512
6a82adc06aa447adc7c87e1b19704c950d870c3c888cee580cbcb600dfcc194d7fe2be99afa917f77e07f7a44e2e209460318dcdd1df73b7b147005497542440

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
159KB

MD5
be8b28fb10bf69bfc1b57098fa02858e

SHA1
be364e3b84f468d4a0eb4dbce3ba0969c88a151d

SHA256
545ae92af36a7cc2c5d90e2b0071279bc2891d973f345b13045a8342d2463f6d

SHA512
75a85afce75f24b7e61051dbf0fbb407c01e96b3d51bacf186b4502dfed35f612f4a3bcffea7ba1197edc532b6c2687431b7d55cd3b6f9b6f69fa7fe49deccdf

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
159KB

MD5
26e8b17a2cb28c9fcca251e4c25c90b4

SHA1
57ba88401c1a487420df4eda558e07f0cbffe51a

SHA256
637e133cf6f272c44a29ea1966ac896f31c62bc2c6aa062bd00fde39516cc77d

SHA512
64459dc784d512494f5c4168d1008a6df8f678c1b7a36a315657308555e1d1da7d000a0ab8b6b4651d18233d728e73e5f9a127455777edd46e00df2582e348d0

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
159KB

MD5
efc7e37a4a0d6fc0b7235c66ce1c2db1

SHA1
4540f9abc888d384c26fcfd3932a1fa020ddc213

SHA256
369ae5e25b892f5e68bda9e9b97f24b0c7a29cf8a980d928faa6fa6d22bbfa23

SHA512
17638e9ca11dec8d19dcf8afbd0c7b93c5cfdf61e56af5254f6d934c82c8e5a3afb24d61d346134804a164227596ba688183342f19725448da9200444b73f10d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
159KB

MD5
41d32da37a9e5f9ecd9bbdb10547e38a

SHA1
cc8442ab8c1ea9bbf656633526324f99114b7590

SHA256
cc3c506bcb8e8555b4fff78a7804a5fe12569c60ff597def1c991c2a0130f6a5

SHA512
88af441eada3593dcf58771049f056e5b095e26c7701c0c23d40e7a008306e99b6c878c2393534f8bac9af5d6e2a7437fe844174d7b41c48682a6438f6513a69

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
159KB

MD5
44e244f1877f3e87c4f9e6526f1d641b

SHA1
c68643480a4cd4a1d7a8e3334ace6d3084d5f2e1

SHA256
34fc0cfee3c780eb86d559891f151d7e5826bcfb38e8293f5cd5c8da1663c405

SHA512
9441fc89183057dc7ba4b373c633eded01bdba403ab2382cd88e857619c9363b446a32ba60d2ed2370b517362f2aa4bb5f3717ffeeea30f791fced2fd8a36918

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
159KB

MD5
150e8b9ba60405fe3907f067e4affe9d

SHA1
059868843ba0dd8b0ced390fb7186f33487a6c6f

SHA256
712806544ada86608a7c4bb966cfc51d1327cd868adbf7fadb2cb0236bae18f4

SHA512
36244fe8303470a47781e9bd49d3db12d509ac766a512bc4d1d8f29106e9c0d67f39fdd3d4dddcb55c877e64b24c3e9e5fa38cfcad62fc8117807aae3ea2c804

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
159KB

MD5
69cb2b29a843b66732f809040a50bd0e

SHA1
8641dcf3b7890e73afa12a710be8a93009848207

SHA256
97ba324a3b99deb8fae60834b1f08e70d37d634d64476a60c62224aa8c723728

SHA512
80fd7edf35bb4cd5a060eb4b101c8cde50d99ec6991fb8ed734b47d7f8208adda554ab477e3eafcd757fa84851a96f233fc8c3f195e3276d3918e690674d83ef

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
159KB

MD5
4678569a5b2ca9761c30ea034758198d

SHA1
794605c5fabb205051664774dc22ea2789d73457

SHA256
fce6230188e7cd169fbd44079f2b65fe4030df3c6ecbeefd62028537c3cbd837

SHA512
8dde82124390b0c6eb51fa575daac0e0c31f38a08957fd12d366d2a04392286e47bc098a8efb42b00452c95f959588db5470ae8365fd93e6368c91f7e8a9c1ed

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
159KB

MD5
37d37f441e811525ec7e10e8e043c4e8

SHA1
73e363cd11758811d3c1f3868a43bb12412728f6

SHA256
2137e9edc25545234ab334954a511927d81e6cb6d77cd6327f290752fb3e448b

SHA512
c5d0fecd08c42388b9b255fc227dcc908ffb3f6f38a612baa68954865d49aea3d1eed03a692e610345928a5c4da92755f4dfa8945cbdb02fdd7a0acc21dd05a4

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
159KB

MD5
fa90cc46603e725b4f9a841efac6b463

SHA1
91270a00037f7ae1b77e06472c6b82d6fe08fef7

SHA256
563c69596b541b821d97b23acd7092ce9582358d6329cabd0f60b21fe18e7eec

SHA512
0753e4ac78aa6016b19d8d257025e634a3363e41af8f73dc4e33d408a802a7e0e288a3ba6ce906e85487edfca34786ad0abc39fef53987d445175206e24c2ad7

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
159KB

MD5
fc7cf0f728893af02915c8a387e05846

SHA1
c446ab9de68b4e609230b0c6c9a395e790b63433

SHA256
f930341610e635effe15dd7d5b6a4140601dd199d8446490103d005c247d20cf

SHA512
58e91f09bd3e932f675a10917e477e2611973747560bf3af8c8aee593b89a6f09adce2f993139c7a6f877dc9dee46fdc7f202decaf7674b750c22d27a043dc85

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
159KB

MD5
f43c0c3ed50169f2495750b545882f03

SHA1
697e53f2f8865b1681f6ac54eb575ea988e3f17c

SHA256
6f4b5b2ec8ad7630ac4ccb04b075af849d744b61f39d2b34713630f82daf85b9

SHA512
d8bfb5221d0730bfad3301e69049e0d3c17350505501c077e9d07010e40757c94b610849809e7d3fabd07dabf323370b3ab8e4d3f0af56f5061d691affc3fa81

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
159KB

MD5
7061703703d134587ea251fd8bb74df1

SHA1
05769f966dd9da3ca77460d5569c9631fe0ce7ca

SHA256
6beb31c61ed0356794304363443a055192d1d5349877dc4692596f03b87bb0ee

SHA512
4585b308edfd044a2605b44e6f0fc3b4fb20af4a9c1ca4e5cc29d8897c536ffa0a6374c58c66ea981648a56eb2920034caf41d530efbc5b9571b167d6e8a3f8d

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
159KB

MD5
ff4ec8d75247051bb98c892920089870

SHA1
b4088aba32acb6e3836ea82e98fb4b18b8a2ba1c

SHA256
8e258627b6b9417ce1618c926da3100032372892c9e993ef4f42f8eede1b34b0

SHA512
161db3f9f7f4fbae18d14bfee76211e5730cf2ea2cb9253d7dc7040b5b37dc2f79bf4eb78728cf93b90e8e2f8094a7fe528d0c8855163f8f3ad533afb3c4f82e

Download Submit
memory/216-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads