9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
Size

80KB
MD5

916c5674b3278204016d9c16569d874c
SHA1

7b754158a1fcb7085bc40ca37c2c15d33e0bbb5a
SHA256

9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34
SHA512

f97bbf0e786666adbb43e171f312ae14c69be50a77c993672a0e635a64c48529ecd4e3b525daba7ecabc0989161a2b19846b69973db4e596ca250d3b1a7faa19
SSDEEP

1536:31GaCY6HjtcfGLoMDQ0l2LBS5DUHRbPa9b6i+sIk:34aGjtgGLokuBS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe

Executes dropped EXE 64 IoCs

pid	Process
1036	Jdmcidam.exe
5048	Jkfkfohj.exe
4948	Kaqcbi32.exe
1436	Kdopod32.exe
2136	Kgmlkp32.exe
4660	Kmgdgjek.exe
3588	Kpepcedo.exe
3856	Kkkdan32.exe
2184	Kinemkko.exe
3440	Kaemnhla.exe
2216	Kgbefoji.exe
3020	Kknafn32.exe
4756	Kpjjod32.exe
840	Kcifkp32.exe
4912	Kkpnlm32.exe
3488	Kmnjhioc.exe
3660	Kpmfddnf.exe
3548	Kgfoan32.exe
1552	Liekmj32.exe
3900	Lpocjdld.exe
2152	Ldkojb32.exe
116	Liggbi32.exe
3360	Ldmlpbbj.exe
3948	Lcpllo32.exe
3580	Lijdhiaa.exe
4884	Lpcmec32.exe
3528	Lcbiao32.exe
2416	Lilanioo.exe
2812	Lnhmng32.exe
3340	Lpfijcfl.exe
4436	Lcdegnep.exe
3476	Lklnhlfb.exe
4996	Lnjjdgee.exe
4480	Lphfpbdi.exe
1384	Lcgblncm.exe
4980	Lgbnmm32.exe
3872	Mjqjih32.exe
2612	Mahbje32.exe
2368	Mdfofakp.exe
2480	Mgekbljc.exe
1076	Mjcgohig.exe
4464	Mnocof32.exe
4736	Mdiklqhm.exe
2088	Mgghhlhq.exe
3924	Mjeddggd.exe
4580	Mamleegg.exe
4508	Mpolqa32.exe
3112	Mgidml32.exe
1776	Mjhqjg32.exe
3212	Maohkd32.exe
1928	Mcpebmkb.exe
1080	Mkgmcjld.exe
4500	Mnfipekh.exe
4080	Mpdelajl.exe
828	Mcbahlip.exe
4728	Nkjjij32.exe
772	Nnhfee32.exe
2824	Nacbfdao.exe
3828	Ndbnboqb.exe
3140	Nceonl32.exe
4848	Njogjfoj.exe
4232	Nnjbke32.exe
1360	Nddkgonp.exe
3816	Ngcgcjnc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1308	4648	WerFault.exe	155

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1036	1292	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe	81
PID 1292 wrote to memory of 1036	1292	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe	81
PID 1292 wrote to memory of 1036	1292	9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe	81
PID 1036 wrote to memory of 5048	1036	Jdmcidam.exe	82
PID 1036 wrote to memory of 5048	1036	Jdmcidam.exe	82
PID 1036 wrote to memory of 5048	1036	Jdmcidam.exe	82
PID 5048 wrote to memory of 4948	5048	Jkfkfohj.exe	83
PID 5048 wrote to memory of 4948	5048	Jkfkfohj.exe	83
PID 5048 wrote to memory of 4948	5048	Jkfkfohj.exe	83
PID 4948 wrote to memory of 1436	4948	Kaqcbi32.exe	84
PID 4948 wrote to memory of 1436	4948	Kaqcbi32.exe	84
PID 4948 wrote to memory of 1436	4948	Kaqcbi32.exe	84
PID 1436 wrote to memory of 2136	1436	Kdopod32.exe	85
PID 1436 wrote to memory of 2136	1436	Kdopod32.exe	85
PID 1436 wrote to memory of 2136	1436	Kdopod32.exe	85
PID 2136 wrote to memory of 4660	2136	Kgmlkp32.exe	86
PID 2136 wrote to memory of 4660	2136	Kgmlkp32.exe	86
PID 2136 wrote to memory of 4660	2136	Kgmlkp32.exe	86
PID 4660 wrote to memory of 3588	4660	Kmgdgjek.exe	88
PID 4660 wrote to memory of 3588	4660	Kmgdgjek.exe	88
PID 4660 wrote to memory of 3588	4660	Kmgdgjek.exe	88
PID 3588 wrote to memory of 3856	3588	Kpepcedo.exe	89
PID 3588 wrote to memory of 3856	3588	Kpepcedo.exe	89
PID 3588 wrote to memory of 3856	3588	Kpepcedo.exe	89
PID 3856 wrote to memory of 2184	3856	Kkkdan32.exe	90
PID 3856 wrote to memory of 2184	3856	Kkkdan32.exe	90
PID 3856 wrote to memory of 2184	3856	Kkkdan32.exe	90
PID 2184 wrote to memory of 3440	2184	Kinemkko.exe	92
PID 2184 wrote to memory of 3440	2184	Kinemkko.exe	92
PID 2184 wrote to memory of 3440	2184	Kinemkko.exe	92
PID 3440 wrote to memory of 2216	3440	Kaemnhla.exe	93
PID 3440 wrote to memory of 2216	3440	Kaemnhla.exe	93
PID 3440 wrote to memory of 2216	3440	Kaemnhla.exe	93
PID 2216 wrote to memory of 3020	2216	Kgbefoji.exe	94
PID 2216 wrote to memory of 3020	2216	Kgbefoji.exe	94
PID 2216 wrote to memory of 3020	2216	Kgbefoji.exe	94
PID 3020 wrote to memory of 4756	3020	Kknafn32.exe	96
PID 3020 wrote to memory of 4756	3020	Kknafn32.exe	96
PID 3020 wrote to memory of 4756	3020	Kknafn32.exe	96
PID 4756 wrote to memory of 840	4756	Kpjjod32.exe	97
PID 4756 wrote to memory of 840	4756	Kpjjod32.exe	97
PID 4756 wrote to memory of 840	4756	Kpjjod32.exe	97
PID 840 wrote to memory of 4912	840	Kcifkp32.exe	98
PID 840 wrote to memory of 4912	840	Kcifkp32.exe	98
PID 840 wrote to memory of 4912	840	Kcifkp32.exe	98
PID 4912 wrote to memory of 3488	4912	Kkpnlm32.exe	99
PID 4912 wrote to memory of 3488	4912	Kkpnlm32.exe	99
PID 4912 wrote to memory of 3488	4912	Kkpnlm32.exe	99
PID 3488 wrote to memory of 3660	3488	Kmnjhioc.exe	100
PID 3488 wrote to memory of 3660	3488	Kmnjhioc.exe	100
PID 3488 wrote to memory of 3660	3488	Kmnjhioc.exe	100
PID 3660 wrote to memory of 3548	3660	Kpmfddnf.exe	101
PID 3660 wrote to memory of 3548	3660	Kpmfddnf.exe	101
PID 3660 wrote to memory of 3548	3660	Kpmfddnf.exe	101
PID 3548 wrote to memory of 1552	3548	Kgfoan32.exe	102
PID 3548 wrote to memory of 1552	3548	Kgfoan32.exe	102
PID 3548 wrote to memory of 1552	3548	Kgfoan32.exe	102
PID 1552 wrote to memory of 3900	1552	Liekmj32.exe	103
PID 1552 wrote to memory of 3900	1552	Liekmj32.exe	103
PID 1552 wrote to memory of 3900	1552	Liekmj32.exe	103
PID 3900 wrote to memory of 2152	3900	Lpocjdld.exe	104
PID 3900 wrote to memory of 2152	3900	Lpocjdld.exe	104
PID 3900 wrote to memory of 2152	3900	Lpocjdld.exe	104
PID 2152 wrote to memory of 116	2152	Ldkojb32.exe	105

C:\Users\Admin\AppData\Local\Temp\9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe
"C:\Users\Admin\AppData\Local\Temp\9a0b73f30b00451d0009c9983a49c1d59523231e5b70dc52485f54a1b4ffad34.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\Jdmcidam.exe
  C:\Windows\system32\Jdmcidam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\Jkfkfohj.exe
    C:\Windows\system32\Jkfkfohj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\Kaqcbi32.exe
      C:\Windows\system32\Kaqcbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        31⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        73⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 400
        74⤵
        Program crash
        
        PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
874b69973e258dfe055b9ed72f292733

SHA1
833041560ea4d9d1f180acc2fd880a9e81d792f5

SHA256
b7b398b8f6c3d20a537534e8383549f0062e8f1a707c512cf959282363a267ba

SHA512
bc8b90a492f91607181b96523d6d3ca80e08a5b837590882e0dac9c7de7de5dd36ff9f5585139a6426e6dd5a4d6ba81df769c94c30b0c2b5dfc5ac29ca943057

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
80KB

MD5
79b511c95ca77bb26617a011f202ee07

SHA1
6df01a3052afec371cc1424d8dc7098a9bb84276

SHA256
f0fb1bd57f271574c001e6b579bd10fc12258c6a2148e5f456c7d99009f32219

SHA512
12a06dd085dde3316e51a24e6e21912dd7ea22a023d2d65c7474a3f62d6f066395eabb5fbf8f739a7803e67f4336b8013b809ce87bfc51979cb7ca81341a4e93

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
80KB

MD5
dda26831e7f0dce9963659b5a7ea8b6f

SHA1
20bf0ee0ec48602d0f6ae800dc6577ccfcfe1ba0

SHA256
a70627d66a567b53561db0a835769fed92d68aefbfab75fc0aa26dfba539f622

SHA512
8fd1ec2e3b6c1d99b7f9b8235a24297cc8793a46f30a2b1c641fdd1aec2211a6f2abefc0b2473661dd62d2ddfd8d8f774fc879c716beb9260db7e31c607b0282

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
80KB

MD5
e2bcdf3e17b2776b30da68a456c218f7

SHA1
a9210a6a9dd04ae12e91db389a06fb40183c0671

SHA256
785957dec48f66406942ad31305b09a40dc80bf026ff5cfe5c2ad2e43ac1e6b2

SHA512
3de4bb2db3e0bfa897ae0fbcb14c8629facc40ec35ffb03c10e7b0ebbd7bda8c45415a854098eef33e00c473248a577f602f9b255c64beb498c61a78fb118206

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
80KB

MD5
a58a8546a8f7416e10c903541d4d4462

SHA1
6287df965eb33c412db533134adb8cb96813b0a4

SHA256
3d9257cd879bdd322c658d0309c4bbc483b5143c08ec9a67738f88ad83e574f4

SHA512
5f6672147bfc0181ffb88bf295aa3b80ad691bb22c786d4cbb52a95b5b93a2ca9f531c9adeeb07fb2ded08089c7d3649fd5fb707957719d56d7ee2c63e3b20b0

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
80KB

MD5
4b98dbb21234d79e1fbe23a660f537fa

SHA1
5a860995965ade3744c051ba5a834d036731f6c6

SHA256
372f7e381d1f40edbed8faf24197c0c18952990b231e7a0848b311c31acc8e72

SHA512
1d7ed31320eaa2915b676c13bbf48d97a0cb4bd854e398d000eab287dc90caa4c4a2d1629d0db3761353ff0613cad7d444505d95614c4f00cb6d85ab1cf892ac

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
80KB

MD5
9a4de5c7d13e8302b4d37a43ce2a6875

SHA1
3d8e81e3ff635187c17a3c0990850e3c013423f8

SHA256
ab2a883b62bed79cb4d920e4c14dd862b01a79f05784d8c2d45fe989e2a55aec

SHA512
235b265b13bba4917c5f7a70cabadc9e3c4cd5f265473455687656ba7b5f041e8af0502eb454e12c18e0bc853386b5b7e3c9e6360fcb1be8db0a97389cfdab89

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
80KB

MD5
38e1dd447a6f82a29939d3203b032746

SHA1
e910cab1f69feb40656c31745060ce03144ac701

SHA256
93ef6dbaf6dc1f91323e27c71920be421f5b15f3a4aa2bf8fff1207f3b72709f

SHA512
aed0386eee583c4828449eae62c59208325d3c6ad0af804f58cb9bcb6cad82e8ad4e2b99aa64905bda801b4768789db2697df51aafb2228696c0eeb004fbe121

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
80KB

MD5
be197749412c41989889b670547aa822

SHA1
0274c24ca552fbeafded8cff569ff17b8b192c36

SHA256
a06227938e191330e728b72fa882a41aa05fdc2aeb9fb62c6014a76111079d50

SHA512
f2eeaeea2d0b94fd0fb042e704eda306d7f6de5695356ae0701a1342d6865565a1efc1e28eede34680a1fa091092b8a0fc6555efae0985ac7fa85d4b0617e22c

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
80KB

MD5
9cfdbfdbdfd3c658600a91c936508887

SHA1
2e219ab4267fefaeae347393a904787ca726efb5

SHA256
09f0ed6dd797eec79987b165dce0c1785ed3095019750edc16d82a5c2a297500

SHA512
bf7efacc3a6101fdfeca2c20841f042033e1baad2ee9a570b9741ec9830ac539a3a32a9f2a7140cd1c30082a8f386069b8fe7d60380950417272a6eb0eb3ed32

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
17d5830a6a1beff8fca24475d424b14a

SHA1
64bced003acf32b6d77dfcc490dc04e6b0e3b9be

SHA256
a8775d27ac49532bae68d1bd1db6783b8c91bde1f56c34b000091451129fa2a5

SHA512
060efa0ae0b7f5da3ce63141f711db403bb2e3cccea934c714497cbd718c37a027e52bf1e0d82ee3cf3e494e1f3ff4d566c4b5722b7a6b6a82722fee866a543a

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
62397a43dd37daf27c56e91b2fd7411f

SHA1
184b9cb97199cf8e382f6c67049ffeae917e758f

SHA256
f4e085df3a6172c2312f9e58f42a0ee2971619f06cfa89cbf09841581db6f5b4

SHA512
9a70618ae08897b4790e5e780e91209b764396b6130526838afc0f5aef230355c4d17940fcc48063f487e0291d2be0466b55e77362ac329a0db515de0310a78b

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
80KB

MD5
02df15ffd88d92e4e56c8fb094081db9

SHA1
d8aef1d1eb52566c0e75bad633b984c634232764

SHA256
9d14f9782f272d831970b6d0c4f10b7d53ac1450bacd50cf118eb14b6d9aef65

SHA512
4762024cb381eac74299185634601e49e43e3c9904747ea01aa7b56018ad6840be93e1451203753373f1ed4da02d9d20d2762d2d40428394ed70b7ce28ac5359

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
80KB

MD5
2196ba6f9ae1f2e6d3ef5cbfc703cdad

SHA1
bab7de017261114430474447552524cdb9ec93ae

SHA256
c712b0522fa7af4d950b27e23d19e55c99310e7b5561485c36a2fd8b383a11f9

SHA512
0e0c28f9d2261efe8b4b4ff2f476e186e77448122b577f71607451ac48298adb81e81b4d848b16f50dc51a6af457e19e5058c2e2547e63c150b77aa7bb7df342

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
f0ad85d732056ebfd9e9e0ef84a084b2

SHA1
be4bc2a1966c7ff7035ceaff862e60e98a864221

SHA256
9b2b10a74a6e9ac6d126466cffa749c0deba8a7c12e5077ab90048091a0ee049

SHA512
80ad6f583e20dbdb17a6f19235465ef6500e1520c2a7aef44be748661b01ba0c1476037c76b05c434b12a43583dc5dd5040e9881f7c8e831aefb4893605edda2

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
80KB

MD5
c0c784100d9ac9c6ffbda7ebc8ec44f9

SHA1
1df52de153633ab6c6b4f1612c132681e7b11c5e

SHA256
00df54dddb0338c61a64d1726c20a9db3c76d6aa1d020495603a74af885b2bce

SHA512
76dc1deb014240ecafeb417c746a27649ef186a3d402ccda445d09a3fd3bb6dcc96028c5a0ba2c5e0cc3d26a37b3dacfd2ddfc4851c1f77fcc8cf65b992e4968

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
80KB

MD5
d4350290609dfeef65cb83782174a71d

SHA1
c1f7892d9521676f7001f433acd6295f97035227

SHA256
93ff1724e7926e6889459399780d33440b532e7b9e9f4eb0df81cf1dc491c997

SHA512
328512eb419d38090c87e9727ca85683fb0b3bc807fba064d7782ad461d882657aea12da3f70e5cff612abe5dc9c340103a03a2414f2f3b0c9c46ae9302897f0

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
80KB

MD5
08bda79d892e53c8f131f3ddec4bfbe5

SHA1
0184fa6835d932ad3d9fedafd036b46aa7441683

SHA256
ed050d49f30c6de4cf51ae5a3a15b645d7bc5aba45298351b39836698579cb40

SHA512
001f549750477abda45c3ccb4bb2e00d423901dc14065bb9a6c6ac7a2a00700fc8a92499f11f16d6cf64bb9e600f47d3558279f392aa0413f59842857c446bc3

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
fe6ac7933a27e1a5b5d56891d692ef1c

SHA1
bf0870ec786325b5f2e0618742c6303bb97a950b

SHA256
ebd95c51e355eb94d2a452d9a86c398b1d823c7a43ba9f686709eb06a013d828

SHA512
8212a50574a5d6750457bba9d991c8d1364555e346777657c94e8e380e6fb1b60432e63ebbcb5252a1600cabd7d513db94dd1a39296071e8943d64e3fbbd133f

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
80KB

MD5
b3cd23e53f56b335083bd1ee4f44d94a

SHA1
6f17f1aa853a1b555f12f203f3e69f0696ca52c9

SHA256
d63dc098356998849480cce853d35e788e01964d97bc77fcf40f82e0a9f0eece

SHA512
6ea3ccb3590ab3d98c0740fe4489501efd6cfab0bea8548a29dbafce81be957b2b3c7b6682110382cb1c023614b341c85209b7de8d0af04f57f228c2ec936f56

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
49d5977fba2face73e96eaf4b6cfe434

SHA1
5db49096018823702ebea9478293fd0e77a81b78

SHA256
de150ab590419def1c2c17cf4f31dd58a644bd7ecbcd06670e2046ccfcffe277

SHA512
4c5462e34e24fd8a9566badae355ead28ea51825cc1c720079645159949ffacecdf7d0da3cd67c4a3a1d3c5f7521481080ac47736b3fc626a1c13670736f602a

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
80KB

MD5
28ab6dad61014fca722f5b40257eddf1

SHA1
9e0a7cb535a1f6b3e96e74fc6a784b15b1f33417

SHA256
f2caab34d718b5400ebee138b082d70315dcf247d5ad9c1a75c9d93724d43fcf

SHA512
d026fec7aff26ab42cb6489e0eb3d857299380e10f2abf5363e7097a480602efc5cf57d1cc9dcb26b863d744d8d0738f169a57b0d30158e5c3aaa6a57795681f

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
789a75d8a8af7a333615b4feed614909

SHA1
9821def642af6685dd6d271f3be6a2356df20dd7

SHA256
42e93ab8e4cc37a974a31383a71fcb2cbf24d6d79efdb63e76d5a515c4ef77dd

SHA512
2bd334a0c527df086d6223092b0bc55a397d36219992b9e07910155b7873572184922bca278611e6fa27f615d2171ca02330cd9106af9298bc515c01c3b6da77

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
f7f6f059123fb68b9d0076df1c6ab72e

SHA1
4d7ffd620af4b0591392cebcf811a7cd118e88e9

SHA256
1187e1cda81afbb496673a6a2f66cf7d764b362e6bf53881213d1e4fcdafa8ae

SHA512
74693a070155870131b93093bbbf987bc76d33e113926e1582b2d72c442330fc5f04c98851134e5682682eeb1f12f9cd437ca6b68cc22c5c78f02fb456b7b5a1

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
80KB

MD5
35a1cbfe90f8fb659d9800b2ce39df36

SHA1
15b3ccabc17438f9368dcbeaaed987bc3ad4e743

SHA256
f302ea198db52eaeae4f8c2a1bcb8d6080c7df09a778116144fb11a24cd5ed14

SHA512
8f13db613ecff482a3141e3a1e75a5cfbf9de6ca4f8665e8333ff524765601adf64ae2436cc7a9bf86ccb8e72e4d9444b0a724a4c0f714c218c5489d796b8562

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
dce67832e9fa9a299716a865abea7a8b

SHA1
1945d75fe62e6fba90015aff73f2648307040cb9

SHA256
e74d00bd0ca497996c38df654159d55d0643f001d5d84ecd927f181a473b19a7

SHA512
2632818d1d67b2fb9197dd3c654e677e36a6ab57cc79a0a6b78a4806fdb8d65f55dfdf7c956b0bf643155fea9cf8b8110f005080eb095871b12b4cd95cf53179

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
80KB

MD5
101c11e743283c1ae5a9fc300daef77c

SHA1
b0f67c1dc8a48398ae478a75fc76b6a2ee28a617

SHA256
e6ff812d6fe0f03f34af281b9a83a430dffc772c055f32a94f15fec7189116a2

SHA512
a42ca04a668536d6a36a6ddd6ce6a4fa81ce5ca8fff3c582e127ce3dc5b1c49cf56c74e65f9934e7b436cc8524eea49e5d62435f697466b657aedf0c435b8ca3

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
80KB

MD5
220d6463f7453923343a352dc12e8a24

SHA1
01bb956661c41688d8d273c06e23bd2bb8b34fc9

SHA256
defa6659d33e6c18ec1d4d9877ca094f92bbca01839a9da1785b197b4428d767

SHA512
c90f25b61c36115804936eb7912d132bb7c782b32b07c98c1b86c89adac4520c6b62389d4c91cf9cb97100113cd6126985ccd9a544bb4602ab9eb52375d005fb

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
1616c8b9076bbcd4ed0b99102ac4dd95

SHA1
7594b89de129c077007cb6641e388ffccf3d89dc

SHA256
82a91f83e5767fd0f591749281627b177b55d6580798be0145f1f4dc0d56bc89

SHA512
f709996e384e33490c443cda4e8c67a503e55868561b3caa7394448ce11e886286b00d78124e750b7fd70b07b78efb6c7202a7aa22fe396bc6f5246bcecd266b

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
80KB

MD5
b904790d91fc8e0dbe8a780bbc05d49d

SHA1
bbca9d0bfd4c09528854d046566c2e9570c408a9

SHA256
3628f05fb6f395861b5ab3632be442cea8f0f8d8e602172a14a162e35ea0ee3d

SHA512
55df441c569091f1502731c24a9d17212f7280082865482ae2b5858f1ae5b33f53539f62601a6c9ecea1c7a9b5ad516c5851517fa53a92a327c3c7bf8c60595d

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
47ff1465a19a60468d4a6592af90e1b3

SHA1
e0ef607324e773a8394bc3c53626f860df5944ca

SHA256
87b424702f2dd59de157bb083728fbf38d6387359b94e585d536023f8045da62

SHA512
8809ad34262c04085889d1f5711e2ac4f5894283f03ad02b0abe9ecf926d8d03b5cf1b1ecf6c8feb92cd7615e345f03dc11debb18a72193c5970faa9fbf99e24

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
0d22e81335834c5a58ef9c632a4ff240

SHA1
cf0cb3180bde9b0de594dbeadb9f99a8ed4b338d

SHA256
8dad7a3cec203e63d05d25c5157c439d2e5fcb92f7d2f1bee960b6951f70a9e8

SHA512
7e28df983de94ff1fd9cf9c61c06057ce27617ebb7f562621f5702e3a2481f3345545541522cda86864c1fa7c6efaba8726c88149968faadd22e03896aacca75

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
3c932a97a35ef4f8022fe91d2ba692ca

SHA1
4ae24542895dbbb0367f981450f5a42af913a965

SHA256
133e0bcbe13a62e1345ec0f34c585fa7e82ec11dbc4c098e5e183329693b7a38

SHA512
35902e1e1cf40f6e02fb96192df1e27c455469747c93d50bee104a7ee7cf4939b4c49a6fcdefb3a0aea2a0f46f318aaddd0ab376b329916cea2d0a4fbc779ba8

Download Submit
memory/116-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1292-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3588-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3816-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3816-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-499-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3900-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4660-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads