536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Size

790KB
MD5

c36695edd0eb6c22d6317df6a5c01702
SHA1

abf9d9cf86287a76ca050e2bea46778f200b61b6
SHA256

536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6
SHA512

15e3274bd8070d75aa38dd72a4838100df6d99cf744135e1c4b73a51b8d638e7cc9c65629c834dbfa9f52b20fdbc533dd4f7ddb4c294b3875cd65ba90017ed7a
SSDEEP

12288:pLWWFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:FWePLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe

Executes dropped EXE 20 IoCs

pid	Process
4456	Kdcijcke.exe
2924	Kmlnbi32.exe
2348	Kcifkp32.exe
4284	Lmqgnhmp.exe
348	Lkdggmlj.exe
4876	Lnepih32.exe
4804	Lnhmng32.exe
4832	Laefdf32.exe
3160	Mjqjih32.exe
2064	Mdfofakp.exe
3696	Mgekbljc.exe
2752	Mpmokb32.exe
4084	Mdmegp32.exe
1836	Mdpalp32.exe
4884	Nnhfee32.exe
2636	Njogjfoj.exe
452	Nafokcol.exe
4808	Nbhkac32.exe
1040	Nnolfdcn.exe
3876	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lmqgnhmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	3876	WerFault.exe	104

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4456	640	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe	82
PID 640 wrote to memory of 4456	640	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe	82
PID 640 wrote to memory of 4456	640	536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe	82
PID 4456 wrote to memory of 2924	4456	Kdcijcke.exe	83
PID 4456 wrote to memory of 2924	4456	Kdcijcke.exe	83
PID 4456 wrote to memory of 2924	4456	Kdcijcke.exe	83
PID 2924 wrote to memory of 2348	2924	Kmlnbi32.exe	84
PID 2924 wrote to memory of 2348	2924	Kmlnbi32.exe	84
PID 2924 wrote to memory of 2348	2924	Kmlnbi32.exe	84
PID 2348 wrote to memory of 4284	2348	Kcifkp32.exe	85
PID 2348 wrote to memory of 4284	2348	Kcifkp32.exe	85
PID 2348 wrote to memory of 4284	2348	Kcifkp32.exe	85
PID 4284 wrote to memory of 348	4284	Lmqgnhmp.exe	87
PID 4284 wrote to memory of 348	4284	Lmqgnhmp.exe	87
PID 4284 wrote to memory of 348	4284	Lmqgnhmp.exe	87
PID 348 wrote to memory of 4876	348	Lkdggmlj.exe	89
PID 348 wrote to memory of 4876	348	Lkdggmlj.exe	89
PID 348 wrote to memory of 4876	348	Lkdggmlj.exe	89
PID 4876 wrote to memory of 4804	4876	Lnepih32.exe	90
PID 4876 wrote to memory of 4804	4876	Lnepih32.exe	90
PID 4876 wrote to memory of 4804	4876	Lnepih32.exe	90
PID 4804 wrote to memory of 4832	4804	Lnhmng32.exe	91
PID 4804 wrote to memory of 4832	4804	Lnhmng32.exe	91
PID 4804 wrote to memory of 4832	4804	Lnhmng32.exe	91
PID 4832 wrote to memory of 3160	4832	Laefdf32.exe	93
PID 4832 wrote to memory of 3160	4832	Laefdf32.exe	93
PID 4832 wrote to memory of 3160	4832	Laefdf32.exe	93
PID 3160 wrote to memory of 2064	3160	Mjqjih32.exe	94
PID 3160 wrote to memory of 2064	3160	Mjqjih32.exe	94
PID 3160 wrote to memory of 2064	3160	Mjqjih32.exe	94
PID 2064 wrote to memory of 3696	2064	Mdfofakp.exe	95
PID 2064 wrote to memory of 3696	2064	Mdfofakp.exe	95
PID 2064 wrote to memory of 3696	2064	Mdfofakp.exe	95
PID 3696 wrote to memory of 2752	3696	Mgekbljc.exe	96
PID 3696 wrote to memory of 2752	3696	Mgekbljc.exe	96
PID 3696 wrote to memory of 2752	3696	Mgekbljc.exe	96
PID 2752 wrote to memory of 4084	2752	Mpmokb32.exe	97
PID 2752 wrote to memory of 4084	2752	Mpmokb32.exe	97
PID 2752 wrote to memory of 4084	2752	Mpmokb32.exe	97
PID 4084 wrote to memory of 1836	4084	Mdmegp32.exe	98
PID 4084 wrote to memory of 1836	4084	Mdmegp32.exe	98
PID 4084 wrote to memory of 1836	4084	Mdmegp32.exe	98
PID 1836 wrote to memory of 4884	1836	Mdpalp32.exe	99
PID 1836 wrote to memory of 4884	1836	Mdpalp32.exe	99
PID 1836 wrote to memory of 4884	1836	Mdpalp32.exe	99
PID 4884 wrote to memory of 2636	4884	Nnhfee32.exe	100
PID 4884 wrote to memory of 2636	4884	Nnhfee32.exe	100
PID 4884 wrote to memory of 2636	4884	Nnhfee32.exe	100
PID 2636 wrote to memory of 452	2636	Njogjfoj.exe	101
PID 2636 wrote to memory of 452	2636	Njogjfoj.exe	101
PID 2636 wrote to memory of 452	2636	Njogjfoj.exe	101
PID 452 wrote to memory of 4808	452	Nafokcol.exe	102
PID 452 wrote to memory of 4808	452	Nafokcol.exe	102
PID 452 wrote to memory of 4808	452	Nafokcol.exe	102
PID 4808 wrote to memory of 1040	4808	Nbhkac32.exe	103
PID 4808 wrote to memory of 1040	4808	Nbhkac32.exe	103
PID 4808 wrote to memory of 1040	4808	Nbhkac32.exe	103
PID 1040 wrote to memory of 3876	1040	Nnolfdcn.exe	104
PID 1040 wrote to memory of 3876	1040	Nnolfdcn.exe	104
PID 1040 wrote to memory of 3876	1040	Nnolfdcn.exe	104

C:\Users\Admin\AppData\Local\Temp\536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe
"C:\Users\Admin\AppData\Local\Temp\536a62c84affc5d4bc1b96123b7c1bb6512b1b93b15b3928300690e226443fe6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\Kdcijcke.exe
  C:\Windows\system32\Kdcijcke.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Kmlnbi32.exe
    C:\Windows\system32\Kmlnbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        21⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 412
        22⤵
        Program crash
        
        PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3876 -ip 3876
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
790KB

MD5
7488e3a86d562d9ad7f02c012862ba2e

SHA1
f08d41a2cdb4f80840501ab28858918c19af1cdd

SHA256
b5ba294fe9ee17941b7c08dcf28c008a47565f494195f9db605a392c6eafcac8

SHA512
e9ca84ad6e69d2ec5946b540fb657f55fdee9b67d9b18413508b5197428ebb2ce2c99943e60f3175afdb9762e844a0862d034db5f741b5042be0fa7149fa0823

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
790KB

MD5
4510eec52b6c9687a547c1f800c55e10

SHA1
c5ef380589cb02a8f8fdeee7648dc701dfdb3983

SHA256
199034bf52271122b8cbaa3384c62022ee575b32176ab5dd9009bfbcc5da5d6f

SHA512
e955d4a8856468467ae79ab378314351f587faaed89c11beb966394e89e23bfe400d08cf37b93920d8d4810c3752aa229536bbb56a8dae0d2f6b2782ed61ab24

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
790KB

MD5
63bf19f394bfae517983804f09d7e6f5

SHA1
5b33b2495dd1bbfd79d0662e7268318c13d7628c

SHA256
734d1c2bd84f7a2bd1c0aeff1a6ddbf7de4f172eaba2ad6a7882dc9e721dabad

SHA512
b8a269ff6fd44a404da641123b5e38268d217dd6c59280862c82912b20581f54f91301eba04158c6c5c1e2273bf4d4b576ab28ccb79ebd01968c09fbebedea97

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
790KB

MD5
840f5777850fd2b85e36e3e01e86551b

SHA1
8beec47e692395e0f4247ad87ea797bfb67b3ce7

SHA256
d7a0919436967c160cb410620d1b056210289e616f5c9b6202b4d088a3b17698

SHA512
b9bc259dbbe6f7a2e8a3a2f5c89db5e44bab131a8877e2efe2540141d7bbfa8de63b8349174e4ece396c850bafd9901c6ebb9836cd5717a0cd6d6ca608b22b76

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
790KB

MD5
6839fa7d09fd37b067af89fd2348970b

SHA1
d4224d1d027cf2b3cb2b24100d1e110b52720f2c

SHA256
9960596635b3130e66729f5ec52a72b4ab0adffb79941c71bbcbe48631e866c8

SHA512
4ef98dfc952654e615e6649b1be9733e13585252287b52353c5ee9aff3616f849ea46072b4545ed98e3aeac387ddfc46ec52aecc11224c8795d27684ee37e764

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
790KB

MD5
76fdca054f9600a29b9b81cd4a780b24

SHA1
193b0b761df571248f3342361cecf1a086aaaf91

SHA256
31cc81b220fdd514a6db6f5b312416b619a958d42be439b9fda6f5399513cab3

SHA512
46175d6a84fd98b8c1557c0ffb7668700cabda700da6a482cfad822d9f67e751733292948fbe2938f4e5af9fc682e7febdaf7c525647ab1f99f6f9c97796f4c4

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
790KB

MD5
67a62a6d06cb984aee7ca5bf08dab0d0

SHA1
4b9db107d6a8c5860679c694288c427081882f91

SHA256
96e72acea549b83ef2e0f7c4df21e921d76484dbad5fc04d92a84855c9f41c95

SHA512
65a131224e18c9817455360dad286cfd48621db017ea0f68d64ef7848e7cb3a49de55eb858177da1282337b1e51c8f71769c6838fb9e72f13d42175427166176

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
790KB

MD5
542c8e4c4a5d820f8c225324b6850cdd

SHA1
b7c7b470de0a24cd5ebe49e221db804a3b19e71e

SHA256
68be432ea47f70734c38d40d11f7f3442c76435860e1bc6f716729083e5d08b1

SHA512
70d9eb9bd972ab0320e7f4f243079dd8c253dfbd1e5108a7268073b7ea413b59319b7df253eae1416596ac75f3fb1f4b6a4ff3d87c4889d8d5f2a01145ed7591

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
790KB

MD5
c5aeef74045111fee29edfc61884e051

SHA1
a8a42c391732b378b5af92bbf232c88e20f8c286

SHA256
0a9552f395ab65f04b7f7a4375187a9350adc4fb8815e4577e04b28394a2eb65

SHA512
e09f9e7539adde5135286d945dac899e479074828f85aee508ceea8e2f2c6e79a32e1ef73955eb53477159508025743a584bb52257341adaa8b731477549ee29

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
790KB

MD5
e46d18211cdc9c128be86c4b62a6028c

SHA1
f6b00fbf52d83c5622ee27f24a3dbf88d6e7887c

SHA256
655e0e1c3ee31797cd1a77f3f9acb87c0fe30f34f62b976ff0be1b6324179535

SHA512
86ce6be16a735c3294bf1a1a3da66e46a01c02bd3191b185623dac70776fe5e94573d3e41be08a2e851021e0dd8b20f12f5ceec151a21589483e9cec805d5d88

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
790KB

MD5
c651f31171bc0a9332eeab197160c9c8

SHA1
80c734b9f979b8096d1529692e31b4b6297ffa7c

SHA256
f75964b063d91ecc91431f08698e9a19aa4175b9a5c6f5c9718bc419ee8640f0

SHA512
9545baf5017fe44e655f8866f457fa82f7115832bef8c11cf3426663dcadd6ae9d1e104da432dcdfc1faae5839f2fedd57087619fa2a74048631c7160dce09be

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
790KB

MD5
0c5c97254f21702314820778d1057187

SHA1
ea8eb63a1aa54b5226a5a185f13862116993d21c

SHA256
d42918cdd132022e443ccb2783345e2e8afa10133721bc0f0008ddc18b570c82

SHA512
484e4d02e71b935907f09ad4bdb3d4d8a1f7177d3e23232208d048d1c036d9c57b5938bc249320a718b32970d9f3ae1401f78e00b999d14591575277c5dc8ae1

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
790KB

MD5
cb17d43d01a66bb0548aa0c3efd4ba40

SHA1
b5bab324704f8cf8497337754ce745be34244ba1

SHA256
6fa4413a18b747bc1c14ff0dbb1479a87f3698a6ef2bd8f24ecbab95c6fde46d

SHA512
6c7688f6be00d2c6bcb148f70f15e65b2f47538a7ebd78915017018a8d7966d7c72adbd3320c98f263739b577121784e967f7d60812dc136e77813c21836355e

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
790KB

MD5
07e07f071cb29e925198c3f83ad18e4e

SHA1
3e0254765c95f5d6d527ef3b75c5b5b0fbc9a579

SHA256
7cebc568c237a33db849cc1a5461149a9978b12ede3c4f65338c26b7f1240c82

SHA512
11458de617d13d5a2c5af9e2b66fe38f8146e559abf68536707512a813a95b73eca06fef4ce8a2c57f65e72eeb78008bcb84c9992007762096fafe55c682ef38

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
790KB

MD5
e2a3b0507e54ace9f13cb3c38aa25534

SHA1
2c4b0148eb31318ad84565e71df6a2f9c81ff901

SHA256
f62fbf456c1fbe9f1a95f5cb15d7c3b33b3bb905091efe1ef1377080d67567c0

SHA512
05e11557625ae4681436a6043a2b3dc2ce51f0f270d3a28f41ec420a04101e1c66aab097fc4358e0b6d7a78d3d5624326858dd167e6089401ac2c730b33589f2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
790KB

MD5
332e5016562e1ddf66f43513de067514

SHA1
8f37e1d2c879af12393b4998475e01febd5003bf

SHA256
e3ae6af825582ea6cab2d8dd6ccb932ab3dc8d9029cff6549148e23fba26a924

SHA512
784385bb259e168bc8d6b2d3639ae1ce05628b59afb989241f9162ea3c51497e9bb420399583f128e795fa9f6437af2234abe9a84a354be3df37d1a66a4e092e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
790KB

MD5
5662da82619b08a2e4c60432ccdbc0a6

SHA1
acf673acd285d93de2e5d086697dfc67e4728025

SHA256
c20a16eb4dc5d629e140fc6721b085b2879926ea7b4651c53145cd3ddadde695

SHA512
b94644ba586cf93a00377adb823dcdb48e50a2e840945d366d8306fa989dbb4f7bd8036ed26164a3aabc8995600e159b1031f22fbb7b130742363379b65c7d6c

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
790KB

MD5
19b66656bc60d659a58e43ede06320ce

SHA1
63a7441f1d78180a7aa2ddba8a4aadd9015fd9ee

SHA256
3fcbf64b96efd9cf63e6827388d07d1f47c93c1088c5a99f816b33716b7ea097

SHA512
38f2411e0df3e353c5af29f99398184e126e581430f5aa456d299ac71c613dbede0dcafa6fa60edbd938b476789e971c6c828f99a4ec968864c5589d72862683

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
790KB

MD5
ddbdbb22e4020e904785e1d71e26df01

SHA1
ce55f8d2f03891e4663570e0f2d52ca4d40c0411

SHA256
fe60d669c06e84578593ce6194cfead3aedc1645fbfe39514327a0b20c29a075

SHA512
d7be0306da47fff5ac889e2bd89eb0e2d5fcbd7dbd74e078626b359d9aa6cc5290375298d998c047b2e3108b64e1be5f357b914be751771533e8da526955ee68

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
790KB

MD5
2a0a3674bd05d11559ed7dbcd2da26ec

SHA1
bf2626284a5b1c322ea2ea57c28560488aa5759e

SHA256
e058799d5e54cf145e75ffb82bdb48849c114e41e4d74b19ca85fc78da1cc177

SHA512
fc8c5ed68a97cc59beb5335485a51a52bc63827b2896e1b97cfce4a3fb2b2c48dcb8ec0c62213449a743127457e036ab70461e6603d7ea1f1249a0e4e1ab678e

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
790KB

MD5
71a9fdb842c5f1d450a302823b591f03

SHA1
5c90b76f87a6f97128e778fa1f0fca147c3f2c33

SHA256
a6767735e63d33076c0db181c0d7699b8f1540e3cb6b1c03701f81dd83452810

SHA512
c3fc9db8568542c1c421cdd2c91aa6c10010ea6654b1b641deda31c5be5bd2a0f28354d44f3f11e82427bf71729f1314c67fcef396a79d3fa6f5433e524a7a5a

Download Submit
C:\Windows\SysWOW64\Qgejif32.dll

Filesize
7KB

MD5
f92f640a8f48538a54829fbd3a4472c8

SHA1
22e7e05b2cb2ec7ccc3429067c720d583e72b15a

SHA256
d3c2e070d5ddf84caf0d8deada2a3b75d77ff3ad59b48605241f9cadb2de3e17

SHA512
8d6418b0fe52009d2fd8baf5ded8d96605e2dcbe69af835b39c2817693fd6b3608d4eba8f08087c1f07d320a3114f56760eb32103e99366cfa9f66fe0e8a20f5

Download Submit
memory/348-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads