248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
Size

235KB
MD5

7388059dde381cb6a26e22ecd62117e8
SHA1

1bb622ab914e02f39e2ddfb83369636eab36d6d4
SHA256

248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e
SHA512

86f6add33b398d8c60272e999abb222f8bec5302691efd9e02459a1f1083ff8331f44c0135925f012b7de6e6bf515c54e6789d909d7558c1bd00dc372e288065
SSDEEP

3072:9iARVLC8r7HOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaW4bI5:cSRCM7ulrtMsQB+vn87L5A5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe

Executes dropped EXE 50 IoCs

pid	Process
1840	Kgbefoji.exe
1876	Kpjjod32.exe
2480	Kcifkp32.exe
1488	Kibnhjgj.exe
1744	Kmnjhioc.exe
2064	Kajfig32.exe
3700	Kpmfddnf.exe
2352	Kckbqpnj.exe
4888	Lpocjdld.exe
1228	Lgikfn32.exe
1140	Lkdggmlj.exe
4980	Lpappc32.exe
3564	Lgkhlnbn.exe
2464	Lnepih32.exe
1408	Ldohebqh.exe
2004	Lkiqbl32.exe
716	Lnhmng32.exe
864	Lcdegnep.exe
3956	Ljnnch32.exe
4820	Lphfpbdi.exe
5084	Lgbnmm32.exe
1888	Mahbje32.exe
3584	Mciobn32.exe
4256	Mnocof32.exe
2600	Mdiklqhm.exe
3876	Mkbchk32.exe
4088	Mpolqa32.exe
3356	Mgidml32.exe
2628	Mncmjfmk.exe
5104	Mpaifalo.exe
4252	Mglack32.exe
3384	Mjjmog32.exe
4272	Maaepd32.exe
4320	Mdpalp32.exe
3372	Nkjjij32.exe
1576	Njljefql.exe
4496	Nacbfdao.exe
1628	Ndbnboqb.exe
1360	Ngpjnkpf.exe
3264	Nklfoi32.exe
3352	Nqiogp32.exe
3656	Nddkgonp.exe
4784	Ngcgcjnc.exe
3976	Nbhkac32.exe
1280	Ndghmo32.exe
4480	Ncihikcg.exe
1124	Njcpee32.exe
2840	Nbkhfc32.exe
4840	Ncldnkae.exe
3232	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kgbefoji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	3232	WerFault.exe	134

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1840	4768	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe	82
PID 4768 wrote to memory of 1840	4768	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe	82
PID 4768 wrote to memory of 1840	4768	248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe	82
PID 1840 wrote to memory of 1876	1840	Kgbefoji.exe	83
PID 1840 wrote to memory of 1876	1840	Kgbefoji.exe	83
PID 1840 wrote to memory of 1876	1840	Kgbefoji.exe	83
PID 1876 wrote to memory of 2480	1876	Kpjjod32.exe	84
PID 1876 wrote to memory of 2480	1876	Kpjjod32.exe	84
PID 1876 wrote to memory of 2480	1876	Kpjjod32.exe	84
PID 2480 wrote to memory of 1488	2480	Kcifkp32.exe	85
PID 2480 wrote to memory of 1488	2480	Kcifkp32.exe	85
PID 2480 wrote to memory of 1488	2480	Kcifkp32.exe	85
PID 1488 wrote to memory of 1744	1488	Kibnhjgj.exe	86
PID 1488 wrote to memory of 1744	1488	Kibnhjgj.exe	86
PID 1488 wrote to memory of 1744	1488	Kibnhjgj.exe	86
PID 1744 wrote to memory of 2064	1744	Kmnjhioc.exe	87
PID 1744 wrote to memory of 2064	1744	Kmnjhioc.exe	87
PID 1744 wrote to memory of 2064	1744	Kmnjhioc.exe	87
PID 2064 wrote to memory of 3700	2064	Kajfig32.exe	88
PID 2064 wrote to memory of 3700	2064	Kajfig32.exe	88
PID 2064 wrote to memory of 3700	2064	Kajfig32.exe	88
PID 3700 wrote to memory of 2352	3700	Kpmfddnf.exe	89
PID 3700 wrote to memory of 2352	3700	Kpmfddnf.exe	89
PID 3700 wrote to memory of 2352	3700	Kpmfddnf.exe	89
PID 2352 wrote to memory of 4888	2352	Kckbqpnj.exe	90
PID 2352 wrote to memory of 4888	2352	Kckbqpnj.exe	90
PID 2352 wrote to memory of 4888	2352	Kckbqpnj.exe	90
PID 4888 wrote to memory of 1228	4888	Lpocjdld.exe	91
PID 4888 wrote to memory of 1228	4888	Lpocjdld.exe	91
PID 4888 wrote to memory of 1228	4888	Lpocjdld.exe	91
PID 1228 wrote to memory of 1140	1228	Lgikfn32.exe	93
PID 1228 wrote to memory of 1140	1228	Lgikfn32.exe	93
PID 1228 wrote to memory of 1140	1228	Lgikfn32.exe	93
PID 1140 wrote to memory of 4980	1140	Lkdggmlj.exe	94
PID 1140 wrote to memory of 4980	1140	Lkdggmlj.exe	94
PID 1140 wrote to memory of 4980	1140	Lkdggmlj.exe	94
PID 4980 wrote to memory of 3564	4980	Lpappc32.exe	96
PID 4980 wrote to memory of 3564	4980	Lpappc32.exe	96
PID 4980 wrote to memory of 3564	4980	Lpappc32.exe	96
PID 3564 wrote to memory of 2464	3564	Lgkhlnbn.exe	97
PID 3564 wrote to memory of 2464	3564	Lgkhlnbn.exe	97
PID 3564 wrote to memory of 2464	3564	Lgkhlnbn.exe	97
PID 2464 wrote to memory of 1408	2464	Lnepih32.exe	99
PID 2464 wrote to memory of 1408	2464	Lnepih32.exe	99
PID 2464 wrote to memory of 1408	2464	Lnepih32.exe	99
PID 1408 wrote to memory of 2004	1408	Ldohebqh.exe	100
PID 1408 wrote to memory of 2004	1408	Ldohebqh.exe	100
PID 1408 wrote to memory of 2004	1408	Ldohebqh.exe	100
PID 2004 wrote to memory of 716	2004	Lkiqbl32.exe	101
PID 2004 wrote to memory of 716	2004	Lkiqbl32.exe	101
PID 2004 wrote to memory of 716	2004	Lkiqbl32.exe	101
PID 716 wrote to memory of 864	716	Lnhmng32.exe	102
PID 716 wrote to memory of 864	716	Lnhmng32.exe	102
PID 716 wrote to memory of 864	716	Lnhmng32.exe	102
PID 864 wrote to memory of 3956	864	Lcdegnep.exe	103
PID 864 wrote to memory of 3956	864	Lcdegnep.exe	103
PID 864 wrote to memory of 3956	864	Lcdegnep.exe	103
PID 3956 wrote to memory of 4820	3956	Ljnnch32.exe	104
PID 3956 wrote to memory of 4820	3956	Ljnnch32.exe	104
PID 3956 wrote to memory of 4820	3956	Ljnnch32.exe	104
PID 4820 wrote to memory of 5084	4820	Lphfpbdi.exe	105
PID 4820 wrote to memory of 5084	4820	Lphfpbdi.exe	105
PID 4820 wrote to memory of 5084	4820	Lphfpbdi.exe	105
PID 5084 wrote to memory of 1888	5084	Lgbnmm32.exe	106

C:\Users\Admin\AppData\Local\Temp\248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe
"C:\Users\Admin\AppData\Local\Temp\248f92f5ae87bfd3821cee36b6f7ebf9aa23ebce1ae17806aaee74261412f01e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\Kgbefoji.exe
  C:\Windows\system32\Kgbefoji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\Kpjjod32.exe
    C:\Windows\system32\Kpjjod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        51⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 408
        52⤵
        Program crash
        
        PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3232 -ip 3232
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
235KB

MD5
98dd0de13b45eb607b471e9d680d8eb0

SHA1
96f3fae67e292f15141636e4ec1a96deb64881be

SHA256
b55b98f1f89ab36eb67036fd02841193e38e65cec751b2c6f5ffd2f96623d25f

SHA512
52f8b6331cbe1d9b1bca6555367d57f3b68cbe6aa883cdf58027d260a3b1da3b8ddbe79301bc5f0a4af6970b07389fdb71c228f281e097bd55142d1166aaaeba

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
235KB

MD5
684051c5a1bfc6e35ceb53f2487c89af

SHA1
f7896cc3caf990ebeb8f90a3d69e8d8c48181e95

SHA256
449d1e1e76b36453940f1872a99fbd959f601d720f2a74f7412a0f7b4a476fff

SHA512
199e03f1c5074c3829b5dc1c0dfecdac74b735cb2f9a2151dfc2a6932eac23a37d78150d5672fcc7ff3d68b72c455de2cb1a4a382e0da2c47c631a6a131002b2

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
235KB

MD5
6cc856e504a9001476f52494406f74d7

SHA1
0eb5cf808f987d2585150a7dee7cdaceb7bcb07d

SHA256
39e546edb2d8b02148ff333c2ea7405314186d3ec58e2d222dc7762f36925c57

SHA512
37a0465f0050e38914969812f7ec02995d42573676502b388ae5e07b321963816d380bf03b0092f45b333bf8671e1c06840888906dc2c43378e125bb7f55043a

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
235KB

MD5
78961117d80ea25b03c775974b12aa1f

SHA1
f6db8f8e788f089f7fec118a1e0a50c486853980

SHA256
71232bcf8d2de4f20e9ddd7b066bb729e08fda00545c803640d4f952ad49af1f

SHA512
19960c6b509854c322adb4e38e1718754d47152037bd1b48e890ddbe0a42dc436b3cb70aff18541f544638b1e8de98bcda2c0d0b1bf513ded7ccf6ed601511b9

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
235KB

MD5
fb2432ab27736e7faabce37feb74a886

SHA1
63edd9b51ca4b39dfed06ea7908d5942993137b0

SHA256
8ecaa34fd207971dbb536d90b47da909e572981e1ca66fc7d7e7405ffaea0f02

SHA512
76125f722209f43f907441268434d6cb50e6c405e891f6ef7cc8aedd4d4a60f690d3c9ec30edf21f4587b28876b4f88f9d7c047fcd4cddc290133a8f4afc4262

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
235KB

MD5
a38e7d3b420dbfd7d2a40d67da699264

SHA1
5925587d5da5da8b4b96abf054d7f01b809f0b4a

SHA256
8716e296f5f2a7284e489566bea5e7d8d2e28c6041b37a3cc5e2b2d37b029a7c

SHA512
d811dcb5ce12f3ae95daa522cb1fb287ed06cc112e281ac3b727be1c869446da5035e35406b2f19d4b97f161166fc14f7e0b1556d8fa204e6fbf3ed02a85b7a4

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
235KB

MD5
c97b8e02b383285f3159f213e91d4247

SHA1
909035e1da67071f2f50055e8a89ac5e5ea8b655

SHA256
3480579f544b8001fb440cc6f677c9c6e71a95ea10dbb0ec2de15c656e846868

SHA512
8185b0ce807ae1db5ddd27954bdaead0cc92d94f9671f078a4ddd80f3d050f90bd47624fcf8602884222128bd53c3ae42aae9b8bebaf9b971cccf697fc3790e6

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
235KB

MD5
fb63f078cb53a0d9e9f0238ae94bd21e

SHA1
710f3df32d86c97498aa1d9d8684908a67dd53a1

SHA256
ee00a3bc578946e7df673519a7c5065913eb120ba1c7625b40808610721a50d2

SHA512
dbdba9507954e2e359369158bd2e538945dd93a601c8275f57ee3b898e7651343dd1cea54f4673e7d4f50a473638bae684f057a0bac0d9042b5e65cb90138c36

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
235KB

MD5
66af508f5c9c0532bd2ced51870b4aef

SHA1
250af06c06ae59ce9075c7f67ac8350c434371ee

SHA256
e37ccd80805f316a3cfae7ad4fcd8e6ca95c7b444ab32b17aa81500ee82d0832

SHA512
bf4140ed49c61fd4f899b52269932b87ef71e29db61940390e651da4587dc33eac8489335f943299c65d56dc033c92225956852c350d0e24fe26fcb652bbbe13

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
235KB

MD5
feb1634fe634d873328fd6b303ab4369

SHA1
667a2f3fb83567b5516882eee26fde146fe63329

SHA256
1ed7f9099592bc94fd377572dd825d13f1d10de9ddb0908d0e6604c497497638

SHA512
b8559091407100bfee696c038853a304691136d95f149d51623b2a9b9bf3fd353d2bb456f6d6a7783284ea5ea9e890854f72bec7bb0c824ea2a139075200afe2

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
235KB

MD5
c63233384b5492a0393e11344b612d73

SHA1
d5728af41ea8469d614d9f2acca54710fdfbf429

SHA256
8da4777f71e21d36bc08a33fbca785db57234434883475c532b331d5fd76521a

SHA512
46da3d1a596d6ddca9a39391ee79a72bcbe97745e3abd4c0bcb4d3463310ff33b2e9fc74185b703dc575cffed48abc8dfebef33e9d3e3135d1099a0482332602

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
235KB

MD5
c185a21dc028dcdc9307c0eb66dbf075

SHA1
c3fc2e5c97c7b60beddbc81bdb9cf017b4d7205b

SHA256
82e66f0c95c31300319cbfccf4e5abd48e5c2478a00d4abc28df4533ec1c6480

SHA512
3da3ea2c5bbee9f8493b2759745d1331cca58562c434f1e3de9a029fdcbae44e1567ec034249df0b45ad25128911ddb22f62da0288cfa16422d686a1677ec93e

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
235KB

MD5
9fc786184a86db84aec59c02d112a6e3

SHA1
2734e99c460e583d4f04fe504ee188e883a9d19a

SHA256
d06198264486d810b627a31947f98fe7983536d4be629d474f31c8d6c67f4250

SHA512
cac4639120a0c3a897fc56475a4750ccf68ceaed0a4988cf196d31f20480d65cb8d629f8f32fa3075665d07abed15b71df61e9cd197cd3b4a1075323a644d786

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
235KB

MD5
437fc97f590f3251ecb6dff7cad68f78

SHA1
73e38fb031caa5762b061a4f2c22791d52320e19

SHA256
45d7b0a0e0a2634d0bab6eaf0e4ba55a6e14d30e33f0d51857101a49df23b696

SHA512
03dbc3615fb853540d19c0c4bac607fe04e89d75dc9dec5c1b9007e4d581c033e429d23e0d6f4708118e2953c6cc72bf5d89064775d4221e68add9184bcd9a9b

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
235KB

MD5
efce743df33fd1d195e5b0578405f03f

SHA1
ddbad1421e73cac1c1cfc2fd79a1a7d82ae59bd4

SHA256
c426ec96782aee456a5f483a937a323581111eaab31fafa9727fe9ad22e866c5

SHA512
9512429373735f0ff0a749ae312ef585e004547081fd9b0dff0a777241ba780416b1b56e9fd2e368dfb19f5515f2d94a9cfe64dafaeb79bfd652c8708ceec070

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
235KB

MD5
3e369a5c673962505afa0491a542117d

SHA1
1dfc0eff74dc3111431631f35dd54c2a3c50633c

SHA256
235cd312c3ad47c7b40464131e1f8d6b8af57a39a835aea13aadb0c43a8583f2

SHA512
4d59a8e6ec9b06e62b3c589af3f79a1e3b51b81ddbdb9eabd4b287a712ca8ee8c7d9640ffca54ea00cc108e1f138169e92a4659a15246caf48fc892cc0a0ac74

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
235KB

MD5
69c26aa15b01769ac30684d3f5b9c0c9

SHA1
7c79ed42c40e32ee6b21df7da2db8288381a1ae5

SHA256
a773693cede595f6d8cc23aa5be797f9da533e290349c9311d658fa05aeca7e3

SHA512
81c67206ad8bd421ca6dd55c2766d23e2456fe8b6ee136feca978f93851b8b1b1e79181325bad273635e3c0526ae9ddf3b4ebed8a4d4cea08ccd8510b24e7eef

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
235KB

MD5
bd4ebbb46cbe5d418a9192078faf3f82

SHA1
e421bce85d4a79f39d31884e1ee319968cb4ad4e

SHA256
4efa938ff6d8637f0128e28baefbd45235724bfdb61306b08ec919021274a290

SHA512
153e231f649902160addcbbc971642617f933fe7e904b69bef2fad9aac93a8aadb82f432d9edd56366d18f15287c1bff73d04ddc64cdcf8fd83070717254f791

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
235KB

MD5
96de2ba269eda2192970816ffd657811

SHA1
f4faa17a99ffb8e430b37107217e8009a3ccedf4

SHA256
bb91792194610ad18fff200f25abf8c05e32ed66c01ec9ad612787cadb4700d7

SHA512
ff3a4ba95a79d7124452ba5161ad91e02fb7c19db3523729a7d3044f1d60dd1e8bd1e4fe1dbccdda3a5640ef99016c12124d4b55ac86452b1e03f2d305c0b8c3

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
235KB

MD5
a690ebd84ac6934fc089e61fe6ab2e69

SHA1
9e4788d51b04115fe4d7cf50a1c235c98ec4755f

SHA256
bec426eb56dc5e6087604d21921c7536bae84810dc8ec04a416785873c91fef0

SHA512
0063c477cb52e447315f570f01c1443ad08160f124d4bbb466c8da2454653da63be5316c1a6bf938a635914a23a88530b49e6bcbe4ebe90e6fc1b67b3402f7bc

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
235KB

MD5
71fb9466ed359146e7aa755a92cb8e5a

SHA1
051964ccd2f700531415f0f43cc7eeee709f898d

SHA256
ff0ca58e6c10aea3a628a959d7c4ffb8b3479b4bdb240bcf00fa94a235df510f

SHA512
c7888b928263c4ce4ac6c2d5e676a4596228bccf55216575211153572ef0ce33a16d0613d1c6d011f58bb1d73f415e4d8929a17f88174913a27440f2f1dd16f3

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
235KB

MD5
76427f84e2eb98f55dfc4cd4e66d08cb

SHA1
5369f34a12273423dd8e6566d914d4b43a7a2930

SHA256
ff2660cc99f75983dff6d0b229ea2715f7338b43df19eed402d7fac858821927

SHA512
6f484710cbdd019ec9d28dc295bb79f569f276dee3e3a12354308106d1b0f867d9de108f92ea541ae9689e01d0a01c99f91b18deb557a41d43de4bdd1ced45e3

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
235KB

MD5
f0ecf741506d53cebc4425b52e8826a6

SHA1
0f413d3095fee0dd2f921bc46decc5eddf418cc5

SHA256
2a9923b867eb502c5c8d3ef5cbe459e5cec2fe05480c45d3280ab6f1530baaa2

SHA512
437652e436106f40d6f38baf039df0c63de451fb8c276600ab6e3d6cbe0ec996c8205e4b328a4884ce56e8e418a3d11e0c59dcbd9ee05b97a59d81202f42b23d

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
235KB

MD5
7e9e9dcf0916737309ab68464e81c5b8

SHA1
77c32f4e1681fe5766b614288bbf687e9ba09c45

SHA256
c638d4f99d6f7fe86198cca204d31738b8bc5fdec93dcda7969eb6fb338146e3

SHA512
962c192be4ab96aa560a57ad216904720274c626b40fb5cbb6299155b209be9d89daf77dcbd5c417cfb92756fa8b04562f5c9197d38cf50d04bd8a10207fec1d

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
235KB

MD5
fae704471b65e483c426e352574ba4dc

SHA1
01e507e648bb9c390d2e85806ef17393cee4304b

SHA256
bf2e789b707bb869f754bdc94631e866f87134213f97d6edc1249d5cf6f1acf1

SHA512
a63f789ad6c487458a8f4a6c07f54808d3d8d3c93d37a6e913aa04269a3e81adb47f0a2ef700ab52b3473e45feba92f25881c6ab8e2056e6768d2818cbdfad7a

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
235KB

MD5
4ccd0c76eda78384cce90d9064723214

SHA1
846a19f2c4567f1a19cc5c147cb84f17205f5fea

SHA256
0e8bae49ea4b34b974284f31cb7206eee9398ca02e55d6fda8b6ac229c3773e8

SHA512
6a4b1702ff000756d09f7c80632ee525bd89fb8e4c4a27cb352952ff983dd75d169f7d660c0df48fe7037a31d5cc6c7d96a6567f964fa336ed4aa3917d289aa6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
235KB

MD5
84bd6128065f9911047fecd15fa78f5c

SHA1
acce406a9978b2d453e3b0e88fff3a4302df3ed0

SHA256
74db898361c0238e8728f875c2007585993c3870a0b60004d04de61e11f65c48

SHA512
18d5e0bf4315f0e7b3926ab57973df7d7c2fbb327c66de191b0514de8ed91aa0ee769f8f09bacdc37a4f797960739a472681b37fac6eb1bd7b588c4686fd0647

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
235KB

MD5
f16792bed6b3ff45bd2e4fa7d012253f

SHA1
1b4d7007139642e4e564a941a91446e5f134c2bf

SHA256
29b0b3e40e47980cf3aea07de0d4f2cb2074c9501d32815457abb08639c861fd

SHA512
f43abe83d1fbc5947f4565271de3dd143ebc66d6d8c2cac7ac05c8a39282f5b759047f914137cecf1006f26fdf51bfc883339dab27f5f36bd5af040b16504e0c

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
235KB

MD5
e5d9b5afdf8748ecf948fe2178389a36

SHA1
b92046bc2dcfb9a85d0bd2014999dd4b3d75d4bc

SHA256
f1e1d2f8a9e31cf92c27a8188454006bdf155faf879e34df76d92badab41408b

SHA512
808c1608737303c1bed16177a315eeabbbc2fad70ec8607551e2775c9cf34140a2ced4957d73a4c98ed87768c144db3d8ae21d4b54d007bd2bb14b9cc001d6a0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
235KB

MD5
ee5793d18d2f35f1a21940ca8ae18496

SHA1
32f28cb11a0a6090144bf9c8ceaeff7c894f8754

SHA256
e726086935a27d3140a38cf18ff144081298ccfd7926d880daafaa3416a575ce

SHA512
5020bb83e17f7513c0f6ab73b902af478b67ab8eb70b27e37159ef8cb30b06bd322574f8a742bfdcb1ff61d5ce9e6f01104a1e47519cabb1c1a27be8b93a6bdb

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
235KB

MD5
5be044cbc0407197964a2e164b221ef9

SHA1
96e073479ede2cd04db8891de578ebb1ae018e8d

SHA256
170c7ac07c5c20b0dcf8ed93280c855a8e95de8a604c0812b0a2b0ea37d2fba8

SHA512
938c2c40a805244a09958c6cab3963573212acb88002a92966c0bd680635dc3bc60f2a668b146f2e2fe46100cd063ffe3fd5b82eb86fc81557f56278a6d7abba

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
235KB

MD5
e1f1ac5991c57042cdf1a3dd3a0ab613

SHA1
0cbae8e4fed5167c078f1f178ffe9099c03c6a81

SHA256
c0742975356405c89395385e31abac075c453d0e04eea98e9022863cadbac400

SHA512
8a8cad4a085a6ef9ce899d1c7d71c2e5bc7a6f5968cc575484687c0f2ccbb20812e56b10cb692804d427155a798a697d1a35bd82559e3f6b568343c7957b4320

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
235KB

MD5
58add3274cce7be443076dc1a8566686

SHA1
f223fec6b4601bfca87dea312deb70d7f458959c

SHA256
7c51be93f34055ef276a80443fb3cdfb0c5fea487e53073d339050a999a0e9f1

SHA512
4e47fc5a942d6cb0d51cd6eb9ddfefcf6ba2c6fc2e18dc93fc88bc7e02872e242b92796090f54a3fb7d07c66b7a73c0eda8d6d0da872815a7c43fd17b127a58d

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
235KB

MD5
c1940758f84a6cf38d9ae2073f1e43ab

SHA1
aae69fea2e45e3fd012835a080cd4e521eb5496b

SHA256
4f46077b29bf661b69ef4d859e0762051f68ded9ecd6839acffb1fdcb757a67f

SHA512
d4f2cc841edd17eca660d68a1e2176c7564a507dff719afe47291445981012757f639130f435cc61782ad4697f473f0625d7cd1aaf50199d6ceba1e808ffc351

Download Submit
memory/716-390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/716-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-403-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1140-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1140-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1280-339-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-373-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1408-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1408-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1576-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1576-374-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1744-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1744-399-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-401-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1876-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1876-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-391-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2064-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-398-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2464-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2464-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2480-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-353-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-366-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3264-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3264-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-380-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3372-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3564-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3564-392-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3584-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3584-185-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3656-321-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3700-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3876-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3876-209-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-329-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-381-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4256-193-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4256-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-263-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-375-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4480-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4480-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4496-291-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4784-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4784-371-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4820-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4820-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4840-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4840-367-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4888-397-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4888-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5084-169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5084-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5104-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5104-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads