e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe
Size

56KB
MD5

fc8901ada34e5821ccb58687228fd6cf
SHA1

fadf87016c9220a84ffa2ec455e8d1b4de4ffebb
SHA256

e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f
SHA512

56caaf800f3f3e191e2824e18040f973ff66f7664823f6655aaf24666541b4871d353d104f86f18d7478f0980fe09a05a59bb8d1e11d033a5564d24afd9f3658
SSDEEP

768:+kMXy32kMx0TpoKweWeRXwXXP2n39G7QKkV5l5VA/DMzDi5vAJW6acbXI/1H5rX3:+LXy32kD1oK1Wif5O/kJe4CD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe

Executes dropped EXE 64 IoCs

pid	Process
348	Kpepcedo.exe
5108	Kgphpo32.exe
4468	Kkkdan32.exe
4852	Kaemnhla.exe
2000	Kdcijcke.exe
2460	Kknafn32.exe
3780	Kmlnbi32.exe
4024	Kdffocib.exe
4836	Kkpnlm32.exe
5000	Kajfig32.exe
1644	Kdhbec32.exe
404	Kckbqpnj.exe
4872	Lmqgnhmp.exe
4348	Lpocjdld.exe
4488	Lgikfn32.exe
2252	Liggbi32.exe
4772	Laopdgcg.exe
1120	Lcpllo32.exe
2804	Lkgdml32.exe
3016	Lnepih32.exe
4904	Laalifad.exe
528	Lgneampk.exe
3548	Lilanioo.exe
1428	Laciofpa.exe
4848	Ldaeka32.exe
1968	Ljnnch32.exe
3284	Lphfpbdi.exe
4176	Lcgblncm.exe
2444	Mahbje32.exe
2016	Mdfofakp.exe
4780	Mgekbljc.exe
1640	Mnocof32.exe
4500	Mdiklqhm.exe
1668	Mkbchk32.exe
2732	Mjeddggd.exe
2176	Mpolqa32.exe
2960	Mcnhmm32.exe
4992	Mkepnjng.exe
2104	Mpaifalo.exe
3096	Mglack32.exe
4624	Mkgmcjld.exe
3448	Mnfipekh.exe
1888	Mdpalp32.exe
816	Mgnnhk32.exe
3320	Njljefql.exe
2200	Nnhfee32.exe
1900	Ndbnboqb.exe
716	Ngpjnkpf.exe
3252	Nklfoi32.exe
1856	Nnjbke32.exe
1788	Nafokcol.exe
876	Nqiogp32.exe
3840	Ncgkcl32.exe
2744	Ngcgcjnc.exe
2368	Njacpf32.exe
3032	Nbhkac32.exe
448	Nqklmpdd.exe
4572	Ncihikcg.exe
1992	Ngedij32.exe
2400	Njcpee32.exe
1312	Nnolfdcn.exe
748	Nqmhbpba.exe
1452	Ndidbn32.exe
2448	Ncldnkae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
392	3740	WerFault.exe	149

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 348	3472	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe	82
PID 3472 wrote to memory of 348	3472	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe	82
PID 3472 wrote to memory of 348	3472	e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe	82
PID 348 wrote to memory of 5108	348	Kpepcedo.exe	83
PID 348 wrote to memory of 5108	348	Kpepcedo.exe	83
PID 348 wrote to memory of 5108	348	Kpepcedo.exe	83
PID 5108 wrote to memory of 4468	5108	Kgphpo32.exe	84
PID 5108 wrote to memory of 4468	5108	Kgphpo32.exe	84
PID 5108 wrote to memory of 4468	5108	Kgphpo32.exe	84
PID 4468 wrote to memory of 4852	4468	Kkkdan32.exe	85
PID 4468 wrote to memory of 4852	4468	Kkkdan32.exe	85
PID 4468 wrote to memory of 4852	4468	Kkkdan32.exe	85
PID 4852 wrote to memory of 2000	4852	Kaemnhla.exe	86
PID 4852 wrote to memory of 2000	4852	Kaemnhla.exe	86
PID 4852 wrote to memory of 2000	4852	Kaemnhla.exe	86
PID 2000 wrote to memory of 2460	2000	Kdcijcke.exe	88
PID 2000 wrote to memory of 2460	2000	Kdcijcke.exe	88
PID 2000 wrote to memory of 2460	2000	Kdcijcke.exe	88
PID 2460 wrote to memory of 3780	2460	Kknafn32.exe	89
PID 2460 wrote to memory of 3780	2460	Kknafn32.exe	89
PID 2460 wrote to memory of 3780	2460	Kknafn32.exe	89
PID 3780 wrote to memory of 4024	3780	Kmlnbi32.exe	90
PID 3780 wrote to memory of 4024	3780	Kmlnbi32.exe	90
PID 3780 wrote to memory of 4024	3780	Kmlnbi32.exe	90
PID 4024 wrote to memory of 4836	4024	Kdffocib.exe	92
PID 4024 wrote to memory of 4836	4024	Kdffocib.exe	92
PID 4024 wrote to memory of 4836	4024	Kdffocib.exe	92
PID 4836 wrote to memory of 5000	4836	Kkpnlm32.exe	93
PID 4836 wrote to memory of 5000	4836	Kkpnlm32.exe	93
PID 4836 wrote to memory of 5000	4836	Kkpnlm32.exe	93
PID 5000 wrote to memory of 1644	5000	Kajfig32.exe	94
PID 5000 wrote to memory of 1644	5000	Kajfig32.exe	94
PID 5000 wrote to memory of 1644	5000	Kajfig32.exe	94
PID 1644 wrote to memory of 404	1644	Kdhbec32.exe	95
PID 1644 wrote to memory of 404	1644	Kdhbec32.exe	95
PID 1644 wrote to memory of 404	1644	Kdhbec32.exe	95
PID 404 wrote to memory of 4872	404	Kckbqpnj.exe	97
PID 404 wrote to memory of 4872	404	Kckbqpnj.exe	97
PID 404 wrote to memory of 4872	404	Kckbqpnj.exe	97
PID 4872 wrote to memory of 4348	4872	Lmqgnhmp.exe	98
PID 4872 wrote to memory of 4348	4872	Lmqgnhmp.exe	98
PID 4872 wrote to memory of 4348	4872	Lmqgnhmp.exe	98
PID 4348 wrote to memory of 4488	4348	Lpocjdld.exe	99
PID 4348 wrote to memory of 4488	4348	Lpocjdld.exe	99
PID 4348 wrote to memory of 4488	4348	Lpocjdld.exe	99
PID 4488 wrote to memory of 2252	4488	Lgikfn32.exe	100
PID 4488 wrote to memory of 2252	4488	Lgikfn32.exe	100
PID 4488 wrote to memory of 2252	4488	Lgikfn32.exe	100
PID 2252 wrote to memory of 4772	2252	Liggbi32.exe	101
PID 2252 wrote to memory of 4772	2252	Liggbi32.exe	101
PID 2252 wrote to memory of 4772	2252	Liggbi32.exe	101
PID 4772 wrote to memory of 1120	4772	Laopdgcg.exe	102
PID 4772 wrote to memory of 1120	4772	Laopdgcg.exe	102
PID 4772 wrote to memory of 1120	4772	Laopdgcg.exe	102
PID 1120 wrote to memory of 2804	1120	Lcpllo32.exe	103
PID 1120 wrote to memory of 2804	1120	Lcpllo32.exe	103
PID 1120 wrote to memory of 2804	1120	Lcpllo32.exe	103
PID 2804 wrote to memory of 3016	2804	Lkgdml32.exe	104
PID 2804 wrote to memory of 3016	2804	Lkgdml32.exe	104
PID 2804 wrote to memory of 3016	2804	Lkgdml32.exe	104
PID 3016 wrote to memory of 4904	3016	Lnepih32.exe	105
PID 3016 wrote to memory of 4904	3016	Lnepih32.exe	105
PID 3016 wrote to memory of 4904	3016	Lnepih32.exe	105
PID 4904 wrote to memory of 528	4904	Laalifad.exe	106

C:\Users\Admin\AppData\Local\Temp\e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe
"C:\Users\Admin\AppData\Local\Temp\e997b158d02a39ea075c9d5a5a38244187489eebc3f6f9f652ca981712ad0b9f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Kpepcedo.exe
  C:\Windows\system32\Kpepcedo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\Kgphpo32.exe
    C:\Windows\system32\Kgphpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\Kkkdan32.exe
      C:\Windows\system32\Kkkdan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        49⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 220
        67⤵
        Program crash
        
        PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3740 -ip 3740
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
56KB

MD5
00291a2b22865fedd65c74b4e73b3513

SHA1
7f0dce1627b6bc28495906ae61062af946931245

SHA256
ca1986274f095305b1563379b2a80246867734f421a1a3fd5710df690672a30a

SHA512
c5ee44800f8e79e38900a45327b1c86a82ac4cc34373238eebcd86fcf09cad449f3a09bc34cb23375d80e8dbaad434b6c5c5306320f8020566a7effe8e7459ad

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
56KB

MD5
17a5761b597dae6b340a2f71b4efee31

SHA1
4b208d38163bca09d28330dcae7679dc8dbf73f6

SHA256
f50e8359b9d452885f1daf52bc64f43a530743bd0e1efc939ac4f00311f4dc98

SHA512
80751ebd1d89d5acd7279dc52f9aa5370e20386668f2c4e4f3fd75202afd8c6a7c6d2f7b75859ae6b7ba3eb53f99051ab7cc3f20dc5669e741eefaf16ef4ecea

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
56KB

MD5
8b6a918817fff2511c74fdf2182fcc20

SHA1
3ba114690510c7b53e4cf5c466e2174bae9a72e2

SHA256
c3c4de67d70476681132da0cc8f3a0b811a2eada896695d77fd1cea1f74768f2

SHA512
977016e837bfe2a366e9c09f0053a81230a480e4be01e602f390d17c79610a81f1ae0a6a7bb0a79ddb192b11f5c9d14b01273b2723d4bcb8c6be7a6d3352526b

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
56KB

MD5
67fb930660ceb5eeaf5618f7c5925d9f

SHA1
60acb5843936d989170717e375943b1417967a93

SHA256
b0b318e0290edbb024865b645fa40fb60b7c85a453b9d107d914ebce47dbab27

SHA512
379bc357f5aed96a7148e4c18ae3bda9cf23deea218abc850a81df8165a079d25910da2d5fab297efbde77979d55b7ae9b8ad4611cb26b539f0a979426205b1d

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
56KB

MD5
c11102982c5284afbdff9fa06b73753e

SHA1
935b07e16d3239be989767c35f3a8bc379cdb035

SHA256
4083d84e08d844e763376e2fe5f66278b8cb8b262a454a77869b76ad55ae1a43

SHA512
408f7c9347085d8d9171d7267a318c67190a521cbcf7eaf7e58d112e7ae597b16e2c34e4fd3bee65f4baad0465047a2ef35f0da394ff2f3bce0f9f932b528e2b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
56KB

MD5
7a5553878a86e23e8dfae7d94dbe6022

SHA1
006d8433746c04748c996a8cffb890bbb1ed50ef

SHA256
8219bbaf2951892dce81bd4533ffb7508f1d91bb98010dad232d91729a23045f

SHA512
5ef18dd57267f35887fb8101b5e87c9f6afe52537141e5ff42a7cd96d60b2eb9a6f089e25d2a4db7e75c3fbb6f28101116b5c27a2937fb75041eda7a6693fb3c

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
56KB

MD5
5acb7b31a44d26866a401f485a03ce5a

SHA1
a2c9bdd31b6c44c8457c0628e225b09da9479394

SHA256
d2515e23f6b1f02ee20cd887afe8acf5da849a834d2eee746ca0b5d3382cbc96

SHA512
49d48b4c557a1c6509f7f0c9bd67b4f2b4047927c4c2cf13f97190c9a25dabe644f61da23288e33c363c9934c0e37f2325f479d6c8d2d5151b5b20e4b44d8f45

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
56KB

MD5
84255800efb12affea74d02a4c462d8b

SHA1
8eac5f14f266ae369bd37689976f22ddc65b2ee5

SHA256
422d203ddf508e9e805a0bec8761a0d4e8ea46c34f078bee745b8cdfdea29e5e

SHA512
b67a2c2733ab4d4d4354f0f94ba856b9061575aa7ff3bb2eb737d67c05edae2baeea4e49c955383ec8e8a165ef5b77e4335362fd7ff46a98a68a3810ed6702b1

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
56KB

MD5
f6f295be8bc21a3add7517493d74a80f

SHA1
af546617c13d92dc69cef22d6229d3098af2a6dd

SHA256
9856a1f6f484d9929ed7f071b33f0d27c5cc0f3f2d294df3702800f582dffaac

SHA512
ae5f63aac4fd4a7981b353f744d882494e326cd425037855d9adc6522c3290648afdecac9bdf83f9083f5366227fc7d5f9313c9e46a70e06523c343d9dde9fea

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
56KB

MD5
f8b8e937587abcc780d8c54d5110faca

SHA1
abdb519283d9d53a5d5a07dd06fd141f16ca680e

SHA256
e34ee6306efba7d9ac30528c88f4a84bf5ff3598d2b8d4faaf0befc0c5e21c57

SHA512
532db8d1368d33f27a04d001567d09881fb013371ea8c763fe4750ce390c781fd7a9de56b04ba9c98c1ebf4d47a4d93bbb98fc7c7ed030e468552ea95e0610f5

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
56KB

MD5
647ce5fa4c341c53a6fc2f97ca48841e

SHA1
2d36b256e5b6b85bfc901b0341355ee594489e52

SHA256
4eb0fdb4ed6c306c86481f8c385eff00887b086ed483fc0bd52eed18a6ee0312

SHA512
ec2918cd1aafcd32a59b717d9d18ccb834c1e9fad3da4f12f320c7866c701e40d2d44578f6564b9f6d0230922d2e260fa965df1d40394ca8190da49a0f1e1a34

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
56KB

MD5
4b28be6ab21029b7858c31ff636eca50

SHA1
6bf86e4a8a7245b57cc823d28550d2f25fbb9bca

SHA256
061df65572a89aeb472c0d289dea1b4471068b40212ac2bfa373f4e185484e73

SHA512
b572b651153df9fa402f4d14035cbb840603b77664591d24281c4c6473011a871a0c2190c339a8141af96a5be1328815548953342900c2fd5246f5f7ba2145c1

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
56KB

MD5
1acadad49989c697493e702dec923008

SHA1
78c630bd7b848c554c0a83c2f92696d662ff46b6

SHA256
9bfaa7145a20f93b6996b1cad456767f489c058ef0bcfa53a08d756e878b64f3

SHA512
4bff8d1f28b0939f1ff088bb94ae3809b97a4f884bb34078e036e413e61f9790882a58672ed247dea30d7355f1af9c0de3b7b451ed178b72d73b408a26ae3b4a

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
56KB

MD5
3b7aa9acf4fcf187694aec318c266ebd

SHA1
290730f799da5927adf2d55d37d7101dfc801806

SHA256
1476b3eb753b488628add5691fdf2fa4685f3c3379d17a40d75c430eb05655fc

SHA512
ec7c0658081e8f0cfcd9bae1869e3038e8ebc084ccf2efa62a5c5ed610bc7266aff24ba556f4c26fb06c35b5cbe845a1e02aa14c36eda78791b49eef9d50e810

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
56KB

MD5
d2b68ee7702803947e360cb0de6aba61

SHA1
f3d14c4c048519591953ccbccb1eebbc0ae95dd5

SHA256
7668a4dce1f889e21252d4ad25934d0888cccec9a175521d76d74ff40b51c253

SHA512
f40e504f0316262cebe1bed8253dd61d58dec3f886f219cc7d45a012e8dd37599ec2f3545c8569f3090ec991a58e36301da1cc60f51cdf4319da75cefc630a9c

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
56KB

MD5
2e9d4fd9fa804db66f05f22dc57ebd0d

SHA1
c043d987f0dd53d3d701de440b22167171772ee7

SHA256
b2523806077affa4f8f903bd13f5ae0361bdf03bed823f2f4046a420c1869f5a

SHA512
ef0d9c083ccbbc95d4d80d5536c0988d04fc2512a00665e6e1c5f45631e33d11eefcf1b873f747d09da52dd55d5617e60c7f6848a095072cf90ab0eeeb2bee91

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
56KB

MD5
73b02154b624109ea165a595efd66d8f

SHA1
9cadf8eec1bb2ffe83bf3ffcfef887265552363d

SHA256
9692f25465a6cf37ac7c3d5952c0637e1c33893093f5f3e7acb5f7914e9e18ec

SHA512
c6e58243524771e15450d65e5618984407d900f1108267e6f9851963999c6fcb70f1a22925aaa70af77607fb9a359ec6257673295f1cacb806a448f0a883bcde

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
56KB

MD5
634e0aa10f0e0f21b5537ae13b927bfe

SHA1
8d84f8fd718a386a8261e4baa705cb4e588593ab

SHA256
da0fd966d9d5a4b5c52807a10b7c58c4f51bce1ba514fb8dff7f8b4b399f69c2

SHA512
8f059058867c148d89c867b9d346521d5e30e4d71895d859ee915f48cb58f8babf59681d8acbadb37348ad42d14201b7dc27c0953089284de51368d3dc76a653

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
56KB

MD5
7037e4f77b0b5a6b703566aeb5147a17

SHA1
93639bad7fb9ce5b7c890c41d23a28e1e7242ed7

SHA256
86032b0512b7376ddd32529605df44ee75536371e077409025d5edfc39bc2c8f

SHA512
0844e89bae99316a0a454c3b20298d263923ae2e6048dd98ccc3e161d3f94f7d1353802de104ba64912d76f286bc446d1f5626a8534c39a85254ea3d56b21df2

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
56KB

MD5
a2bcea20c16d2d762e6949e4f5a31f98

SHA1
fdc6f37335ed6d295f1db80c1b3e17fbe9203157

SHA256
48961a2760b43b4b86be490350c3165883faed1e6a85c37d66c09ff2aeae5a6e

SHA512
b8825d76eb0f8c5916109819405e3201d19057b2b4cd291e12c501f846090e572017ca506319a212cf6f7fc47f338652062ffcc1bfa151b38b9959c200c10abc

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
56KB

MD5
bf95d3d05d96cb6fe511948ba79aad08

SHA1
24faddaa0c3aaa1d1739950e9b711013f34d1fb7

SHA256
8cecfdc020009043f7bde2d6904e9b911e5037905416d2392df771aec335626c

SHA512
4c31cb44c0ec023a887e3cf2b113d399b6f13086a35ce922eaf49951556656af5be3288a5b843fc0ed49040d9f6ce3bb78799ef6cfec95a4b778c247f858a718

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
56KB

MD5
8ba23d599302d8019cab2f6ec0c4093f

SHA1
a726e475d158447cdd2f95f710a932aea815da1f

SHA256
cc7c316e6ee6026ab32c8ddd5fe066f2a711644704eca53226916b2ab87ba982

SHA512
48f183d6cac1c2d26106679f3a0f364e5b47dba8463de355799e8169e2d32ccd5f9ec3189d8d1689a3bdad2bebfd2d507ef1db751fad883aa7c5b2654f461e27

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
56KB

MD5
a8579b6a013d63d8975f07b4195564eb

SHA1
f5902647c8111b934a8fa9b35a186cb85220c814

SHA256
4d766aa2f743d7375cc63dfcb7458fcc97eae2d99add62cb43bfbfec88a00817

SHA512
f45e559ffd93e4ed34902c13cc25659618dada133ac927b19cefdcc63b2611c1ab5ddebe0dbac212c965c8ae616830f8838677cd31debf44f478310d80035dd7

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
56KB

MD5
99dc7b245f1d4ad011e23583458f46b0

SHA1
1ccf06ef73379e6ce081aba825f8f3bd759a3c8c

SHA256
dbe2069a2763082e8800ef82360872ac705722ddd1209ad3eb5a7186db098556

SHA512
988af031eb66b4030c5f0e20082d7bbc27755c7730aab5fee553eeb3360d3d704d9f3f2c568c5d7a6141ff8250cda83434092302c654f69d7752c0f4e856ff7a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
56KB

MD5
b0ddf68395760af7ee51ee5aace5227d

SHA1
8db968ad582cb0906732932c81ddc438f47dd51a

SHA256
e776d04f525fd05129cc6525cc0956cec6c6f56bf0e202f293c92e62a2b8e474

SHA512
dc1bb6c9f0f77679e1dec73cb61bc18ba5ada67811bca0f29259d8293cebc0771c0bf72f44f1fd61cbbabe7691a9cbef7d371b0f465fcbd3fed738835ebd807f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
56KB

MD5
f0a50dd56c8b93ded956dbe6904d1522

SHA1
b59b5c8236fda9fdefc9e3d6f31b53c99348f25b

SHA256
bfcf02aa9f0052419a6f7431cb4480e8c101531d185a9f52eb4d1754a60bf71b

SHA512
4ca470489897ea857536a0cc63c8026b7c351bf617b06b62d3d5fff2a84ea9dd6965cb28ccc4ca0ac5d0f581c266e7d3b9a7d8fbef3e8f763f5617b8393eaded

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
56KB

MD5
07e9a56c472b5272a37b15c3a61050f5

SHA1
deed114ce0b752e9bd791481f6a608dd0be062ec

SHA256
500df20ba3f508d3b4c2876401e7ede94180b5111581d53ae0cfef4d301dc141

SHA512
c3a175595b02714d32244592732ede8e025d87163e554ae10428fed50ac138a6cab4a00de624f80cd6738eefff5cec9c512cf05705de956fd44697cc98641bcb

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
56KB

MD5
d4a6ebbac4160dbda2a22974bbb12305

SHA1
164706787cccfe411bcdfb9710fb960015d66579

SHA256
db0f901cfae05372fb16175ef0044af642406c50ee23f14b7dfdd0b6079e49ee

SHA512
645ef11e933776d6eb747780381a7635d96682860aaa576d16e94e602c4511ce7f30eefbfc8874e27a6c5907e86c17b9da12080e80044dd8bb59d6471a04f677

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
56KB

MD5
aa78aa0d53e2b6cee90896306fc0584b

SHA1
9d7c7991d1ed37a46b129bda3c901534d31366df

SHA256
1c8a88c136a5c1a89f97f9c1996d9697ef2b7a9bbe3175122686f526b4ff3aaa

SHA512
e959426492871106bc155a7849e88e1e5fde8d05d2107e2dae20a679988d329a415b90cdd62419954d8260e9f7e4e66579ab77b2d63c6d7d456c8a6ecb92e80e

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
56KB

MD5
d9ef0a62bc1e23e5fd172494e1dd6f57

SHA1
430c7724c8b73c758f444e4bcae2a79272153e8b

SHA256
7b666794936166cacacc25d2afa5d732f7f279265285c75f761a593704dce37c

SHA512
b68cd5faa7e6443e2316b38e1fe2a04d22bd3f06e6a0997d577f1abd4e4ba8e736e201dcf8e08f65ce822c5f3567977e6a3cafb1b459e98c21bf602b3a50a1df

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
56KB

MD5
7643d977e029e8976bd6e760c910cf42

SHA1
d88b73228f33a17febca9f9bdff109be34a356fe

SHA256
42d78be594c0d838c4868eede082eb1a427f43030e8bfebb7a9834b51cc5a10d

SHA512
6faf8f65c20d85543f9b4930bbbabe1b970d5fdc971a363b2cbd0c30d99395bca1115be0d0cd487097045add61eef53bb0a9c8dbd9074b21d4a80533fe9a3c15

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
56KB

MD5
af340ff0e7aa2f8b8b816b47e07c7601

SHA1
5682f364dfec8a2b6f06e591c8711af112338f23

SHA256
7f62f36bb67802fb004007c4e92ccceeec9d2eba2b899766b4640b2608b9a87f

SHA512
721a3a817eb1a5140b26b3c2e798e2eba890f984300a12be57569ca7bd9d1043afc2d3050158e3a8873492a8f7b6eb93376617598874a1512e59f4739f47d030

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
56KB

MD5
bfccd997f81578ee148fc706a3809a25

SHA1
f5ba879d845cedee03256bd0cc1d18627528d4d6

SHA256
ed48b03ff39438595d29271ec3edfe32b9e978f2c77910d163cd1a148f2d673f

SHA512
56a0020abb989c6e28f7df2b652f17df28c221d8329a5c6f5fe2510e28854ad487728bd418b55643068d666a74ba8d3a988c573a8ec7a3d834d93e58c32867b0

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
56KB

MD5
63e5f96e566950f7e1ca2b2cd862de58

SHA1
31a43d74c7a317c842850e5c87f8b8af6159677c

SHA256
c3cacccd559f7c0699fd37ee2f69bf038bf266f70403ea3e17a271ce38d478a7

SHA512
0debcea4a514106f885dd390b5b5c75f938ef3cd823a88cb711d568d82ee7e8c49b6af2a8f6ebf47776eb3ee600595741432e4095ab72970c1b8f92d5b6d5ca9

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
56KB

MD5
f3ae648c3a66aa3e5e03b810a7d0cf93

SHA1
679d68d758b04c3dc587d0b9d5e40fdca5966c40

SHA256
3536eb6b6351248a26900e56331d7af6bf605c6a782c7d731e62cf8549c6f6e1

SHA512
dc22b87c4463844749af22f923efb79aa6642f43a777233b4c0e34c2bcb1a38a3ea8243a30cf9115ab1fe38c56a80a8a9d867fb1924ebac4e782eb7ca46233f3

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
56KB

MD5
ec78e8374319802ec92edc6975face09

SHA1
d40a45a42abe0c25a97be82b3f4cc189a873082b

SHA256
12b94b30b8f0e6e22d464efeac682524d853bec1c9e4c88e4d4a043190f4e638

SHA512
63d67936301dd3227c485323b59b72b0a5eed7f94dc25e78da1ab7bb0c555618aa27079f095224c7ff21ff1138eb9cae7fb21e5bfd060a19bbda33cd3daa12a2

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
56KB

MD5
5bb881f862de9b1fa6195a4a6472bff6

SHA1
1a8994b4889eca790338d6876868743dbe0bd720

SHA256
9b0fabb5d90aa6c5a5de9ed374aecaeec806ffd85d5e699efb5c0d14f97dee15

SHA512
dafd8f8b0b8a5cb259ade4d53424bd965aa7378650952d4476cef94b4c64aa6ff2736ef70f17e97b73f79a6664b3be7dde1232ced0467dacd2232414ff0d2bfb

Download Submit
memory/348-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/348-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3548-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads