916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
Size

94KB
MD5

177ee883e65896e912313172beaef928
SHA1

555cd0b962b467d339aba5591d1d49d40bdf8b5c
SHA256

916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc
SHA512

bcc18e96884166c2747023a2c410c8532f2955e6a558e878722ab171796033b178a3f5a177ea87a53cdf410b58647b7100f95faf426b79ec0d8239aee494560d
SSDEEP

1536:MOaqcfFBUaAwlxB676m+ErzZJGD5CCMAmkEQQFh0I1de2LhlaIZTJ+7LhkiB0MPX:MOPKFBLAwlxM+FErzZJGD5CCMAmkEQQ8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe

Executes dropped EXE 49 IoCs

pid	Process
2700	Kbfiep32.exe
1544	Kknafn32.exe
964	Kpjjod32.exe
5068	Kgdbkohf.exe
1064	Kibnhjgj.exe
3940	Kajfig32.exe
1776	Kdhbec32.exe
1824	Kgfoan32.exe
2760	Kkbkamnl.exe
4744	Lalcng32.exe
2752	Ldkojb32.exe
3928	Lkdggmlj.exe
4756	Laopdgcg.exe
3412	Ldmlpbbj.exe
4804	Lkgdml32.exe
3600	Laalifad.exe
3080	Lgneampk.exe
3060	Lilanioo.exe
2740	Ldaeka32.exe
896	Lnjjdgee.exe
4368	Lphfpbdi.exe
468	Lcgblncm.exe
3880	Mahbje32.exe
2268	Mciobn32.exe
4320	Mjcgohig.exe
3340	Mdiklqhm.exe
1996	Mgghhlhq.exe
3376	Mkbchk32.exe
4564	Mpolqa32.exe
1548	Mgidml32.exe
2344	Mjhqjg32.exe
2932	Maohkd32.exe
2516	Mdmegp32.exe
2312	Mkgmcjld.exe
3900	Maaepd32.exe
1740	Mcbahlip.exe
816	Njljefql.exe
4432	Nacbfdao.exe
3304	Ndbnboqb.exe
2592	Nklfoi32.exe
1348	Nafokcol.exe
4152	Nqiogp32.exe
4864	Nkncdifl.exe
1256	Njacpf32.exe
1304	Nbhkac32.exe
2692	Nkqpjidj.exe
2908	Nnolfdcn.exe
3864	Ncldnkae.exe
3568	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4476	3568	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2700	4468	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe	81
PID 4468 wrote to memory of 2700	4468	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe	81
PID 4468 wrote to memory of 2700	4468	916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe	81
PID 2700 wrote to memory of 1544	2700	Kbfiep32.exe	82
PID 2700 wrote to memory of 1544	2700	Kbfiep32.exe	82
PID 2700 wrote to memory of 1544	2700	Kbfiep32.exe	82
PID 1544 wrote to memory of 964	1544	Kknafn32.exe	83
PID 1544 wrote to memory of 964	1544	Kknafn32.exe	83
PID 1544 wrote to memory of 964	1544	Kknafn32.exe	83
PID 964 wrote to memory of 5068	964	Kpjjod32.exe	84
PID 964 wrote to memory of 5068	964	Kpjjod32.exe	84
PID 964 wrote to memory of 5068	964	Kpjjod32.exe	84
PID 5068 wrote to memory of 1064	5068	Kgdbkohf.exe	85
PID 5068 wrote to memory of 1064	5068	Kgdbkohf.exe	85
PID 5068 wrote to memory of 1064	5068	Kgdbkohf.exe	85
PID 1064 wrote to memory of 3940	1064	Kibnhjgj.exe	86
PID 1064 wrote to memory of 3940	1064	Kibnhjgj.exe	86
PID 1064 wrote to memory of 3940	1064	Kibnhjgj.exe	86
PID 3940 wrote to memory of 1776	3940	Kajfig32.exe	87
PID 3940 wrote to memory of 1776	3940	Kajfig32.exe	87
PID 3940 wrote to memory of 1776	3940	Kajfig32.exe	87
PID 1776 wrote to memory of 1824	1776	Kdhbec32.exe	88
PID 1776 wrote to memory of 1824	1776	Kdhbec32.exe	88
PID 1776 wrote to memory of 1824	1776	Kdhbec32.exe	88
PID 1824 wrote to memory of 2760	1824	Kgfoan32.exe	89
PID 1824 wrote to memory of 2760	1824	Kgfoan32.exe	89
PID 1824 wrote to memory of 2760	1824	Kgfoan32.exe	89
PID 2760 wrote to memory of 4744	2760	Kkbkamnl.exe	90
PID 2760 wrote to memory of 4744	2760	Kkbkamnl.exe	90
PID 2760 wrote to memory of 4744	2760	Kkbkamnl.exe	90
PID 4744 wrote to memory of 2752	4744	Lalcng32.exe	92
PID 4744 wrote to memory of 2752	4744	Lalcng32.exe	92
PID 4744 wrote to memory of 2752	4744	Lalcng32.exe	92
PID 2752 wrote to memory of 3928	2752	Ldkojb32.exe	93
PID 2752 wrote to memory of 3928	2752	Ldkojb32.exe	93
PID 2752 wrote to memory of 3928	2752	Ldkojb32.exe	93
PID 3928 wrote to memory of 4756	3928	Lkdggmlj.exe	94
PID 3928 wrote to memory of 4756	3928	Lkdggmlj.exe	94
PID 3928 wrote to memory of 4756	3928	Lkdggmlj.exe	94
PID 4756 wrote to memory of 3412	4756	Laopdgcg.exe	95
PID 4756 wrote to memory of 3412	4756	Laopdgcg.exe	95
PID 4756 wrote to memory of 3412	4756	Laopdgcg.exe	95
PID 3412 wrote to memory of 4804	3412	Ldmlpbbj.exe	96
PID 3412 wrote to memory of 4804	3412	Ldmlpbbj.exe	96
PID 3412 wrote to memory of 4804	3412	Ldmlpbbj.exe	96
PID 4804 wrote to memory of 3600	4804	Lkgdml32.exe	97
PID 4804 wrote to memory of 3600	4804	Lkgdml32.exe	97
PID 4804 wrote to memory of 3600	4804	Lkgdml32.exe	97
PID 3600 wrote to memory of 3080	3600	Laalifad.exe	99
PID 3600 wrote to memory of 3080	3600	Laalifad.exe	99
PID 3600 wrote to memory of 3080	3600	Laalifad.exe	99
PID 3080 wrote to memory of 3060	3080	Lgneampk.exe	100
PID 3080 wrote to memory of 3060	3080	Lgneampk.exe	100
PID 3080 wrote to memory of 3060	3080	Lgneampk.exe	100
PID 3060 wrote to memory of 2740	3060	Lilanioo.exe	101
PID 3060 wrote to memory of 2740	3060	Lilanioo.exe	101
PID 3060 wrote to memory of 2740	3060	Lilanioo.exe	101
PID 2740 wrote to memory of 896	2740	Ldaeka32.exe	102
PID 2740 wrote to memory of 896	2740	Ldaeka32.exe	102
PID 2740 wrote to memory of 896	2740	Ldaeka32.exe	102
PID 896 wrote to memory of 4368	896	Lnjjdgee.exe	104
PID 896 wrote to memory of 4368	896	Lnjjdgee.exe	104
PID 896 wrote to memory of 4368	896	Lnjjdgee.exe	104
PID 4368 wrote to memory of 468	4368	Lphfpbdi.exe	105

C:\Users\Admin\AppData\Local\Temp\916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe
"C:\Users\Admin\AppData\Local\Temp\916b153a291135b664e6cf54b778116b3fbc7a2706056fa08a6850d33b6c92fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Kbfiep32.exe
  C:\Windows\system32\Kbfiep32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Kknafn32.exe
    C:\Windows\system32\Kknafn32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\Kpjjod32.exe
      C:\Windows\system32\Kpjjod32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        50⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 400
        51⤵
        Program crash
        
        PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 3568
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
94KB

MD5
7a049df40a2987e0a86679d0f12cca5c

SHA1
4ec2b2a2a5794e7c855b2e872fe04c625411ffb4

SHA256
700f2fe1363bd7ad7715461dbc3f375f4c0d6bac63162376cb6121f78f98b913

SHA512
9508ddf15313ec54b2351a4edf7bcd82fb5f59c46e0c6bc4c445f8d029edf6a382def0e7c06c95be1ddaea790bee2ab7a50563dd426bf34d68159a9a4b735fd3

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
94KB

MD5
8b2e56a760b77da615538f7ecd8453b3

SHA1
00c7a6fde18465bbf21a83a6c32d7c9e5b8625b8

SHA256
b52a5018d650821cbe928f747c460c81096793cb1e5ff6c8e9fa8fbe54e9eaa5

SHA512
7e908a1d2206cdcaecd509650768e7374250d061111e5d89624121b8e7c8f04745280d7bd62a661626c452b96c43bb690b69bf62b3bc933b4dba1789df8b438e

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
94KB

MD5
fecbbdce2b4b8a2b66aa0dddf62dc05f

SHA1
b8cb891d8b221e4550f617be5679c8b30e137c73

SHA256
13bbbce175a9828c1543a8251ee8d61051b5330d8f6a3ed042b1d0957549225f

SHA512
c8ec20fee89f1bb496d6561f6ea364a176d2243b528e0b30822874ba290a594ed5d2084c01468909d611b39381c7481dbd1ddb0b7c60434dd704758f7e9cc131

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
94KB

MD5
ec87ff7b83936dae9ad6d08b3d06b165

SHA1
6950a5e7e6a16079726abe18675b6600ef48c4c5

SHA256
1a526f9f8b10e90246c0caef9cec9c4b7e7f8da0569e5e56e096cb171af48702

SHA512
5bd9556c2c92178730a1361080e08e40e0f749af142345c401a75acdc22ac94f0814ca13f18f5c3b5524be4156067ba81fa2d0c2343cd7d2feee4b20f046cc06

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
94KB

MD5
46d14c1d7d77c3d6a3265c136d112a39

SHA1
97386fd30015a0d747be6567dc889460c4a0993e

SHA256
d260042d3071fbaa8b4b0fa45d38f6ae0fee30cae67e5efe5bac16cbd32ce171

SHA512
8e947ba74f26dff3c90d8d101cec594c9ca00d151bd1fa29274a1ec3655270d8fcb7fd11b25ccbfb7efa1cb803a38bf004724db0adc9c642091a21da69eb5fcd

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
94KB

MD5
63457c34638264e79468a84e127c393a

SHA1
c81fe5c8cb888f05d1e7cc5e031a83d562688de4

SHA256
ab24f47f3d495e3ff7b59163f959f10a2689a75939b23d8fba58dc5a81c7bab0

SHA512
651630534cfd852a8e51efec26fde046008a67403d7d0169d12fe49ef06e8af68dfa933f529ec05cfdfbef44136d9502339fecd276c06ba934f83fec70d9ff66

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
94KB

MD5
65e6c6f56b5e9060267c2b16950756f1

SHA1
64e9a40329e4637959481233acccaf291945e5f4

SHA256
db730cff3ac1a92f699f1b15e6e5e8aba09516452973843d670b55b569170570

SHA512
7f13d8e9cebb294c00e59de5dac67e65eb7367b465cfd5f2967dd8f3acbd6dc3a6c0984f07fa2a9b68ab4c9108441c814db2a687493fc3cef1381a6570a534b9

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
94KB

MD5
520a3b4ee9a27747bfd8015282291af1

SHA1
cf7f68340f5cf4a3fda57cf53f94fa3490a521cb

SHA256
6ff0d7e4ef49f7b87c68caa5e95fa93b3fe28f364ebf6510a20e25b596cc2195

SHA512
f5a9454c6680fa348ef6d697ad6234ca1fa1093ecd68508b83a1610781628f580252e28def9899408621dec68380801c16cde2ea731b2e327aa7a21e8ffc4a4b

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
94KB

MD5
c9fb97ec2e1f954e584e106d102b3683

SHA1
2c8a92cb727d41dd8764ac1ad310d5a3736ebfaf

SHA256
f596c9ea8a1844874e1b3162f055471e61d4254114fdca1059930598182dd809

SHA512
1e3361b8279cf49573ccc931de3b99139452b56e047a957044893eb47d89c4dd8feb09c908c4d5ae4326814d9dfeedff8267647ac05d8e812a2cdbbe055f88db

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
94KB

MD5
478a2aeb24434ff055d26fdccc35613d

SHA1
9fbafb1d9cbde81d2c45b374008ad51b55caa7ff

SHA256
8e7bf845cab66bf26c35723456ba26586f68b7fb9293d337be161c18604806e9

SHA512
acf4d62bc5607c481d3867f9661accbf6b6170d5a4fe0328739525b81e2510a3fa0d487e4d9fa9f6056bbe92e29b360e48ade4457c1617631df514fc259fd42f

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
94KB

MD5
04536f8fa4f84674ce37b5cf8f9f53a4

SHA1
f568179dd86538a15c7af2ba0e6e0305dcc7b076

SHA256
20072ee2d349b216ec486860b4e023bfaa742a9c336ede639289b7b4286e2d5d

SHA512
87f5d0f20c2c4e7ca16555d0f09a826ef081047c76954af2fa6cc52eb5b692db83650163a4f5424ede8034ab762304d758b541657e9b24812723be1e48c231f6

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
94KB

MD5
e70ca5c6283c9d7b5f793f4075104018

SHA1
f634bdbf33c43c2dd7d92d40b934011b3d8d4936

SHA256
1e3f22344c6eac7f9a65d7615a4298cfd23aeb96fadb6df2ee34c4459c4ee6f9

SHA512
1a2df9e4a531af80b76439ef5ddfbbf9143aed617b8f0638354707da6165830399bdecc9d262e53f0e03be69cc9f9d37fd7099af6f11d0013c8a76bcd980fb48

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
94KB

MD5
bd0c1aecd5723928c75899a2dc26349a

SHA1
4c08ee9a9a3f10de1f8da5dd8bd820d2b21c570a

SHA256
14bf71a7a870045cf0550689d7f52e3691fc5d2ba0035e95975b39acf0c443f3

SHA512
7038233f9ae98b7fea6ece9b00ee80a9ca392ddce5ef54009c91a490e1db641e2e6d4545836731dba8951d3f29bda373daba8366ecc29353bae755d8755b7c85

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
94KB

MD5
5f056837255209d3420c3e5cd7142d3f

SHA1
c9d2fd22033a0bbe129f143bf18630926c765725

SHA256
a3fcadfe97d2b1a0bc0e38ac3abffac71c4d73ee5ea398db15d8b90f0d81ce1c

SHA512
1446c847c4827f0103a51a267add68d604378e057d1dee538d6dc17b12272fd220651e4a5f28d26019fe24afa6c757790f7a7c7e81a3f8c0ac15fd941f3073c2

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
7cc881d9fb91e115e6e44474b8736c16

SHA1
138a7d9ebcfa7973cd1250327d8e4416b6605042

SHA256
a5822c5bff3f2ed0f48f5a3cf13035ccb2ccd9fa6071353ec2f772842be85591

SHA512
c4c063d4833c25e00d403ce6c208412189d7362c587f378e4f62743f342937ccb8a9eb97d723027c998fd013b3527ab52cf49c0eff98d6b1678b16f6b704d6e0

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
94KB

MD5
fa4fa24cb82acc0bf521438bd7589fd5

SHA1
2b42fb9b9ffe9ddc3f54f0b7ae7d3abf6a60f890

SHA256
6695bf62d2fdf1de72a817d186d9d66f9fc59f94ab8f919ad3f04988c3f441f3

SHA512
a21aa11176fdbd2ee0522562f4d07b4b420934d7817179ebac668d7527a4a62c3d93baef9609e22503ae0761e02119f0163c21f6e6123cb83845b22ddd0f7808

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
94KB

MD5
4f4fa09ce710bdb2e186535dae8def16

SHA1
5122c1e8d093d70ff016993742af9d5940619858

SHA256
5894cd2ca123f4d8b752118543a8f1bae66076cff89c0351d7e49642c8e91b5c

SHA512
11339de8c08612c331efeb2001d7fcc41a49ab08981b1d6c618e8d0f3c3861c150823a98a3dccf4557c2693f126dacf9780571c2452e54fb55dd127bf5f1a490

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
94KB

MD5
e0fe7e0fdf6de594cffe8aa4701db219

SHA1
456fba7b61100ba1bfad8ff8424774d91b28d06f

SHA256
1910e2d4ca737fbf09312886078efd3599c69f42d00ad6e0f50d96d86815a382

SHA512
9b7a82a9763ff5ae2214011c76fa3e2fd237f5e37fe18914bf0b41f56e5435f5dbf4522eabdec672a1e8fb24b2d50766ca155d9e707eb87c08fedfa998fe3a4b

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
94KB

MD5
e472bf81bee392465942d929cf158752

SHA1
02cf23f72e60c7104fdcd618f426b2ae979d242d

SHA256
3c0988176e71022024d5aed87236f0b3856dd3017be4390baf0e2222ec8cb794

SHA512
383e995dcf5e6c1077db2820942f6865027b131be415405fd687e2e25a168c8c4eb4a4d6cc808ba04d19874a9437ae6cad39af7531c5dd6e1735b4521a2ed9a9

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
94KB

MD5
c0db7d461ae54cfea523282e4a40c47f

SHA1
b72d12f172d40bfa9523b79ee634519f577b86bd

SHA256
9f0b74f6170b67a503d92a5c12ca276553f9caa48a280e6346d49d353e4f81c5

SHA512
9fd8b30e961cab91e6d1f2eacf81f598076771bef771acbfe30da2f724b62502e31db27483fa97afdc40fba75681ec1a28f15d357ca9ee8f11723db79e37186e

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
94KB

MD5
b77dd10ea24ce7e99006a04a27257eb5

SHA1
5daa9d3b66508c593d0243f668828b24294c3e9b

SHA256
5ed8cae08834c48bd0023bd0714b430811eaf4144a2a8677540684df089a9fe4

SHA512
4e41d17f4d29643d19796ebb33aa6b6971e3bf7875f84f5ad607fe754f87085daa058e05fc6a6c2c1c8f20b0e687446d1a3e800235f33a98aa10f0b22fb3f671

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
94KB

MD5
e754e560817081377e7c9dc34ea23b63

SHA1
b0a5bbf45e004e1e551ddfde6791f166b31188a7

SHA256
891310505ac15a3c68641f755689d937c64d8481defb8d1e8b9830d528488491

SHA512
595684d7a4ead5aa4f8e62687ffb6b7c1dcb065ba8a2f50efc308f60743c9be7503abf6968dc0d578cb8d51cf99085f181748732e1fa6061e5d0fc0ce788bda1

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
94KB

MD5
074dc7d42f3d4bbfaed468a47e50a1d1

SHA1
c1c7aa7fd2494b67ee82ba8f75c7c69c40989925

SHA256
377c4b683c1ca324b8d3eb616c684cdae04b13c64150de4ffe214be07ec8f4e2

SHA512
423ade9e5f5e04523f6694820b1842ddb9f790221e0260b73cb9e96be24fe3b0f98a3c297a40820d3fa621283cf2598edc7738af7bdcbb3933229d98322e096f

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
94KB

MD5
897c13d94e72e1f3d3a0cfa6c27dab51

SHA1
72a445cd193c63b94086964218bf5a93a890a581

SHA256
3496ad07207c9adf77e2e810aa8ff3277685d4e2ab4f170872732c8122f4109f

SHA512
e02c071d99ee4c6af0f0779d7dea4528dfbf4bb73ef523a31da931d94534a77ece6a3e41b5d7405e8e3ed34d7e6b592c7b712176ba89f340ec0050d4f1f535ec

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
94KB

MD5
6f73eee903712cacd9e79fa5696b556b

SHA1
e61c8eba72eafe5c0a117c9d7fccc3184882233d

SHA256
85a4dfa71235b8e799a55003d82c91413ba52563362384d5b127f4e36a5bbbb9

SHA512
b80dd6d37021db4328b08ecc4b04c3f291a408daaeb72eff94307765f61a037396ba2bfb39bc57ff496a9287462c5a4626b6fe34e582ca91b43d241e64fccef8

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
94KB

MD5
b0e5ca2e3a521c7e3b4fc304efaee49c

SHA1
a660178db3ce8f2f62c4d84b2ebefc105095a216

SHA256
5a149f634ae057b739477cb30ff811fcc0c3e1dd5a8b759884dbd2ab5b6cc5bc

SHA512
5fce8dc884fe393c6a49a13ce2f1d1f28aa1e703aad283bad95839cf7ce707e4b75f12cf552d799d24870e04dac66d0c629e7d7947059de7d15f1c8bcc163fe5

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
94KB

MD5
8325fd8fcb33b88535e59e3a9e597036

SHA1
3149281c2a938acbf73384b3eb990de622ccc05b

SHA256
3d0160b1b8246b70942c9329a979081a77c177c9014dc63a6eaad51213e825f1

SHA512
caa730a695d9d323dcf7457497713bd00bc1c9b0a1c0536dcead7e11fa52e4d7698722682174f352dda7a69d7990914df8776be60724fc8c3d6775ed0da95d1b

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
94KB

MD5
035d0f2cf5ed31207ce1d5e7880f2119

SHA1
2b7b74ba61616869731c598c8e7012af16da894d

SHA256
726f31ff1a6e1275c8189cc4d19f91ed9335f4544a48dde83a1a8def82cd793e

SHA512
c41e1525656d632f0334d29cb104db15685ef6a96d359eea13dacb26c906acdb5f89b648f6e8cd983a2301b1e273189005e161e5736138274d86df68a99aa535

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
94KB

MD5
621c95303312fce103ddaa49234e7e35

SHA1
9d88e8ea267f06f91d0627e0a4b0028ab8db4142

SHA256
f97c6b87e0864fb4cb33f6e8b3b6df90f803785a2510daa4fedc557767c7511c

SHA512
fc08efd83a052f159c89d22d32ad3ae4b8500d7b9fe4c4db3e3913e82f60509db81731119dd24220b6c06dfc4e281b35096d36e451cc605b448f8ad0fa3ee69d

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
94KB

MD5
6d0fcf2f773db448f9a99b27e46feef2

SHA1
d85ac645db6156b11e41ebca50f9365faad4d9cc

SHA256
94c036a80c2e9a33849b75b9e3d9eccd96cf9afd5b1130cd4ba6cb8c71739798

SHA512
80446f25192cb0ed43908ba7c4905298eb068c0871f97a33655c40373a7bb14e50c005c28b9a5e799d113e75a751e1666fa2e78d909a99d1897a2c6100773077

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
94KB

MD5
03838cf66035f0f82b57b83d45d89024

SHA1
9264a9c1b2736312b71aba85b8e9e98215b94ffb

SHA256
68ae297b54d508e3b7d27dbec7bd22832b228476134cc2674b338d8b8ef14938

SHA512
cd1d54be6148d2753cb7df0e49327b69fb1d7da8e576d8f25aa59ada0f250b53b17ce129cf53a83de9c17e6d316e5a12aacd10c75f8e832faf92c469e061e759

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
94KB

MD5
1a1ce7c9f494a8442b88fe615c1487ff

SHA1
75c0255331575a437bcda7e6b7dff866fecc189f

SHA256
64f5bf4324f49ff5992ee765969ddba35f4f4f0362987f6260f8abc52fea81be

SHA512
2802e095e9804de03d44af173bedf5333080d4d9b0d8054fe2fba4f4abcf0cd210dbeff34602f6ba57baec604d2c74e0d6fb9d79a87305ca73f092aee3875b10

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
8d0ab308b1545f2b8ee7679dd51c7a3d

SHA1
495f8e1e49fb1573b8c99a7799c386988f2ae31f

SHA256
4cf2462a48b52d237cf4fd66c96b102b397eb059a1dcb88684dce5e62d765d50

SHA512
e5528215ce53bdcd9c4e6676b63c3c70291116f8c6e177ad96ff27fbd763fde707322d3b212e38b43d5499c096342945ab4efeb0d71aa9ea6c4b3bdef7b69373

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
94KB

MD5
4150a3c81f8c9bb015212963600a682d

SHA1
a9fae0b62a33dbb7bb604bc0f9c09b45f56ea769

SHA256
085a612bc3c4465c0799363d13104f54dd8a529d51bc393c7b1bd31dc9f7f699

SHA512
8f6d9a6c80fd8579066ddbc739023ae90c74d5924f5aee3dc3da25f12b58382b2d2946881f81f3db197c91307a83ffce92c7f3f4b9eb755ff6ddb0b1180eedaa

Download Submit
memory/468-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3060-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3060-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3080-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3080-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3304-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4468-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads