a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Size

640KB
MD5

0affc6d52907fce55afda2303821e383
SHA1

d763d90199c8a257811d9cdc3d05a3aeb3ae783a
SHA256

a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283
SHA512

2dbc3945ebcec296e64b20ef745d71d667ac7cf6f135615d085eaca5ac69dd4c4a758fd5c02c89676d5f42b5eae6ead18751eb2d42682a09ff29362e64759a41
SSDEEP

12288:9Ps+3dXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:x9dXHfNIVIIVy2jU13fS2hEYM9RIPk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe

Executes dropped EXE 34 IoCs

pid	Process
872	Kinemkko.exe
4628	Kknafn32.exe
3560	Kagichjo.exe
4912	Kdffocib.exe
3476	Kckbqpnj.exe
976	Kkbkamnl.exe
2656	Lmqgnhmp.exe
4864	Lkdggmlj.exe
3376	Laalifad.exe
3440	Ldohebqh.exe
1500	Lgneampk.exe
1872	Lkiqbl32.exe
4980	Ldaeka32.exe
2076	Lklnhlfb.exe
3436	Laefdf32.exe
5000	Lcgblncm.exe
4892	Mpkbebbf.exe
2436	Mciobn32.exe
2816	Mkpgck32.exe
4004	Mjcgohig.exe
3444	Mcklgm32.exe
2260	Mjeddggd.exe
5084	Mjhqjg32.exe
1888	Mdmegp32.exe
4548	Mglack32.exe
412	Mkgmcjld.exe
1640	Nklfoi32.exe
3804	Nafokcol.exe
1756	Nbhkac32.exe
2604	Ndghmo32.exe
532	Nkqpjidj.exe
1948	Nnolfdcn.exe
4888	Ndidbn32.exe
4500	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kinemkko.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
624	4500	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 872	1644	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe	80
PID 1644 wrote to memory of 872	1644	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe	80
PID 1644 wrote to memory of 872	1644	a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe	80
PID 872 wrote to memory of 4628	872	Kinemkko.exe	81
PID 872 wrote to memory of 4628	872	Kinemkko.exe	81
PID 872 wrote to memory of 4628	872	Kinemkko.exe	81
PID 4628 wrote to memory of 3560	4628	Kknafn32.exe	82
PID 4628 wrote to memory of 3560	4628	Kknafn32.exe	82
PID 4628 wrote to memory of 3560	4628	Kknafn32.exe	82
PID 3560 wrote to memory of 4912	3560	Kagichjo.exe	83
PID 3560 wrote to memory of 4912	3560	Kagichjo.exe	83
PID 3560 wrote to memory of 4912	3560	Kagichjo.exe	83
PID 4912 wrote to memory of 3476	4912	Kdffocib.exe	84
PID 4912 wrote to memory of 3476	4912	Kdffocib.exe	84
PID 4912 wrote to memory of 3476	4912	Kdffocib.exe	84
PID 3476 wrote to memory of 976	3476	Kckbqpnj.exe	85
PID 3476 wrote to memory of 976	3476	Kckbqpnj.exe	85
PID 3476 wrote to memory of 976	3476	Kckbqpnj.exe	85
PID 976 wrote to memory of 2656	976	Kkbkamnl.exe	86
PID 976 wrote to memory of 2656	976	Kkbkamnl.exe	86
PID 976 wrote to memory of 2656	976	Kkbkamnl.exe	86
PID 2656 wrote to memory of 4864	2656	Lmqgnhmp.exe	87
PID 2656 wrote to memory of 4864	2656	Lmqgnhmp.exe	87
PID 2656 wrote to memory of 4864	2656	Lmqgnhmp.exe	87
PID 4864 wrote to memory of 3376	4864	Lkdggmlj.exe	88
PID 4864 wrote to memory of 3376	4864	Lkdggmlj.exe	88
PID 4864 wrote to memory of 3376	4864	Lkdggmlj.exe	88
PID 3376 wrote to memory of 3440	3376	Laalifad.exe	89
PID 3376 wrote to memory of 3440	3376	Laalifad.exe	89
PID 3376 wrote to memory of 3440	3376	Laalifad.exe	89
PID 3440 wrote to memory of 1500	3440	Ldohebqh.exe	90
PID 3440 wrote to memory of 1500	3440	Ldohebqh.exe	90
PID 3440 wrote to memory of 1500	3440	Ldohebqh.exe	90
PID 1500 wrote to memory of 1872	1500	Lgneampk.exe	91
PID 1500 wrote to memory of 1872	1500	Lgneampk.exe	91
PID 1500 wrote to memory of 1872	1500	Lgneampk.exe	91
PID 1872 wrote to memory of 4980	1872	Lkiqbl32.exe	92
PID 1872 wrote to memory of 4980	1872	Lkiqbl32.exe	92
PID 1872 wrote to memory of 4980	1872	Lkiqbl32.exe	92
PID 4980 wrote to memory of 2076	4980	Ldaeka32.exe	93
PID 4980 wrote to memory of 2076	4980	Ldaeka32.exe	93
PID 4980 wrote to memory of 2076	4980	Ldaeka32.exe	93
PID 2076 wrote to memory of 3436	2076	Lklnhlfb.exe	94
PID 2076 wrote to memory of 3436	2076	Lklnhlfb.exe	94
PID 2076 wrote to memory of 3436	2076	Lklnhlfb.exe	94
PID 3436 wrote to memory of 5000	3436	Laefdf32.exe	95
PID 3436 wrote to memory of 5000	3436	Laefdf32.exe	95
PID 3436 wrote to memory of 5000	3436	Laefdf32.exe	95
PID 5000 wrote to memory of 4892	5000	Lcgblncm.exe	96
PID 5000 wrote to memory of 4892	5000	Lcgblncm.exe	96
PID 5000 wrote to memory of 4892	5000	Lcgblncm.exe	96
PID 4892 wrote to memory of 2436	4892	Mpkbebbf.exe	97
PID 4892 wrote to memory of 2436	4892	Mpkbebbf.exe	97
PID 4892 wrote to memory of 2436	4892	Mpkbebbf.exe	97
PID 2436 wrote to memory of 2816	2436	Mciobn32.exe	98
PID 2436 wrote to memory of 2816	2436	Mciobn32.exe	98
PID 2436 wrote to memory of 2816	2436	Mciobn32.exe	98
PID 2816 wrote to memory of 4004	2816	Mkpgck32.exe	99
PID 2816 wrote to memory of 4004	2816	Mkpgck32.exe	99
PID 2816 wrote to memory of 4004	2816	Mkpgck32.exe	99
PID 4004 wrote to memory of 3444	4004	Mjcgohig.exe	100
PID 4004 wrote to memory of 3444	4004	Mjcgohig.exe	100
PID 4004 wrote to memory of 3444	4004	Mjcgohig.exe	100
PID 3444 wrote to memory of 2260	3444	Mcklgm32.exe	101

C:\Users\Admin\AppData\Local\Temp\a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe
"C:\Users\Admin\AppData\Local\Temp\a0dab7a2179133ba79407941b48dcf61711e5208cd61a4f879d3fd8d89583283.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\Kknafn32.exe
    C:\Windows\system32\Kknafn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\Kagichjo.exe
      C:\Windows\system32\Kagichjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 408
        36⤵
        Program crash
        
        PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4500 -ip 4500
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
640KB

MD5
dad5e9322884fd00d92569903b50e78f

SHA1
6e7bb371d459335866f2ad14097b1fd34aee075c

SHA256
36b8f746a50af8e97c06c61ffab23a3a9b80ffbd19efbb5270739d36806164e4

SHA512
883edc2e300ca693110087a2566dad4f758fb7940360aced5ee7f84c98466d55f3670e80bfd69f12a8630750c22926f219fde5357872e07c50fde2f9929f9b26

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
640KB

MD5
02d71e898dab898663b7f67a354cec8e

SHA1
16ee34716ac57d19bb13cff3ad211779096b9d09

SHA256
5a81cbf7ee74dd5be21e58c9b2705a14372e2f82b618e7f0611802450f1100cb

SHA512
3ed1386a6ab3e3bcd082aa4ea7b9e348d2fed663668d422ebb3059c5c913c66e72af057805a2d2cdb464c8c30ad421316bbdf0821671da5f519b9a62f90e3299

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
640KB

MD5
74e1df9c13df7c2928425bb2bc5840ab

SHA1
74f78b9e8e9821b88a5e6ce6bf07e1f5084226ff

SHA256
45984d48442fc271458a78b9f96e2e262036053cb3976f6c0e4f7d17fdef2a78

SHA512
163b1e14563df8fed72e3de2911ee4efc886c6a1be998bcb5f5b4e3e7dd8d25d97a3623b4287abdf451ec1eada316a9cfd4e282d42080313180967bc5eefd7bd

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
640KB

MD5
35964386cb60ca8103e19440e1cf521f

SHA1
92cdaf36ac21f8449b29b98dd447c1dc245482f7

SHA256
07dbada39fda3a35d285f7e1e18597ea3c7e7947574099ffef2da0955f2826a0

SHA512
5b2e6b56d5a59bcba2d122633920650119fe8db59c7c6d33382e7c5c13ebcc005ae782115d41fc7fc8c17169cf5173fd36e3033ca914635332a23e37f69806a3

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
640KB

MD5
8a6e65f0f31b6cfb990f2f3ac3bfbd28

SHA1
3ec239bc384c99277457ba8d17ca7cd418db62ce

SHA256
3856cae12c11b08235a589e220327e18843f71ba7c875410918cfe5d2297a2d7

SHA512
3a561db1c4272ed3ddd2a0f1e3b1250a066f71f3296ca5bfe4cff3f3741813b1aaac9b6996b87c9c888d920a8a1136c1bfe5e834406bf63d8a9b79cc57a09ff5

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
640KB

MD5
27a2fe4aebdb44368e70dfe70e6b6987

SHA1
8b66a75a0cd3df69b95c1c2175c721d7d9eee3c8

SHA256
4d800b5386409214e990dd03906a4d1a5aa552bd42301c9d28710f80c8e2cf34

SHA512
60195a65793058e3d48d29b192275137e01dc1abf70e0a310465d68cbc84cef14e35248717e0bf146fcc7d768568fb069456d21f4816dc2cf8f038c689fdeed3

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
640KB

MD5
3eed1781f597e6b0cebe18eedf947af4

SHA1
1fc49c4c11fcdf333f7db59833ce24707d9db5c5

SHA256
689a7d9a236cbb32f278e9ed019c9e2efaa845cf92315b22939fa2b92c21b358

SHA512
6718474461972ae5e9162fe45a74bbf3e2de7909112b74134f2e4ca8ef397a45de1050df745dfac320670c0062a446ebaa7ecc4ed694e15ba54577f10ca38cfd

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
640KB

MD5
0356942a1482d1bc7e9ddf6e0732e642

SHA1
e71f380fd4f9d9e1e5fce52b9c4bd9d7a4ceab0d

SHA256
a9c7cff073b318711846709c880a41c5ac4c1d73bc929f72c259242105e777f4

SHA512
d59e86d57bbb7e2196225ccbad6d8b6bab0ce0add74401d1c7df311a9464fd82dc4a9e3683e9fa75aedcf7ae379c161c068c91d06287fca87d4047256b54ad3f

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
640KB

MD5
cbc6f9d46cc070c97e9ff007b4a5b842

SHA1
f7765a35f6bec7464a727df86ccb2d55ce5deb53

SHA256
98e16b5e41dfbdf74c02b4839a7bfdf7a9ab42b3ce4425da01528901e99d6d53

SHA512
1435706c4ca1290b00d952e8f4b2d9bcc05de8826bf67371ad40f5cee15933ee409645b5a1de899b5c7d833af1a9798233dc37deefa8596f79109e954c0050cc

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
640KB

MD5
28bd0138a55e384182ab773fefa5073d

SHA1
e6a6be9d15f048a5201b0d8c098c5368de2b881c

SHA256
72994053cab38056c352dcf1641fa22ef316b06aa5b5c5d52ff4c28ad9997aab

SHA512
3274669b8d1851915f1141c037d6fc651ac9ad68adefb113a0780df49c67e61ed901a57c4a7da7cbd279dc860e849550cf42d1668eae2c872ace002dfcd4b6ae

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
640KB

MD5
567cb5db8bc6867bd1d03e6d03e1a3d3

SHA1
bef080a54189965b4669f82eb37b59d112e47559

SHA256
8f0b166e7eddcf12e84655401c01eca5bfb0644ee61b98cc5e8bac54e24425b6

SHA512
12f977007c79a01b86757e9ec5ae0ed7f8c033f5022f71e813b775c461aa981b9b549a3c7fcf58187fe3727cd5b4b6c1b074a1145b67c2939705274d592054d9

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
640KB

MD5
33d3aa498375cc38f8e98010b46a64dc

SHA1
1d49baf596fd4c64a5b8363acfdc6a0f5bd685ae

SHA256
8796389f2c13fc64592d6a4bf20eb2b91782b614db7bbbc27aedeeb12423f8e2

SHA512
54cda1fd6d3af5d419b7d3d5c60df830605471ccb923ffd98d8aa02a1ff7bab1d1167f23154b65ce4a7ca94111857ca4fbebf6df8a6e0a17898f9a342d164d10

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
640KB

MD5
c48d1d4372b6cd4690248bcd88ae898a

SHA1
a811706ad9bc254d9bb4d350933b547057fa5f82

SHA256
fe59168ea59e9b0b02607e42237d269613c671d22d8b25ff60da5f3801c68500

SHA512
71fb5056ed818c1149c0e65fc507c66261358b9dff5680dd50f92bd51bb1d6ad7ee21b005efb50d7cc0db5f8416d0489e423e3a99195f6ba8eeff0f9387486eb

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
640KB

MD5
0fe3237bfc0603d86d9e795957964126

SHA1
f358efb2acdad35b87283a93daae0f37a761c953

SHA256
4d81390c0fc67dd4a1b73d599584a7858f1ae21cbcb2ffb3d68417ab0c0d9a7a

SHA512
f7092e17e2726d793c513f84ff5a4cc0331bd7df6f0fbf6eee8d2786176146748c120975f1863447cfe343da15a8f010cdf934600114c29b0880db25bb08db74

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
640KB

MD5
1558366061465806e1f82c5df0fb62fc

SHA1
d5995b7089a3903a4c6b08e5f8d4fc492de5bac3

SHA256
95ff15c4ff9793f1685ab1394fa3393eb6fb4fb784791cb0f041f2cc4b0509b4

SHA512
afa3124ceff6873243589d50e75d8f72a1a74efd5b6451e9a73bbead15f296e429c641619369314b0480d3db31ded0745fe3bbbcae289b9df778562ae55be5b5

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
640KB

MD5
fb90a68f284ca94e53906a17350eb207

SHA1
2701a5d55fa0448b63bac649280f4bfa808e7dc6

SHA256
0503eca0342e3373041eb47ba0fe966a37610b25e50f4bb17b33064fda083e01

SHA512
59a3b2b1584819fb540d9fcd05a176496ec42f5b04427fd40ba49c26f01c04905fecfc5ddc0775ddef527f1d7d2721203cc4b2a2efa425a819785ec3b64627de

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
640KB

MD5
72c71f02885299098ee86f525da18ffd

SHA1
bae03142a01fecdd65e309ab1439787cf9e0dabf

SHA256
aa5eadb34d4f37c3a9274d72545064c5e79eae98635e59e0b1470ec210876319

SHA512
b93fc9984b100be448bbddc00a116ff4ef8fa015c23efa409d79bce3c78981ff04a7073b91d5ff0ed78b4c1629012b2b56260e74e084b74bd08042577dd6d765

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
640KB

MD5
fa0b55d887f6b1a8eb9fc0c8cebb287b

SHA1
0a08ede5dac6bdb14ed7d255d82937b28cc284cf

SHA256
b5c6b8069e1a3e34c442ca475dbf3a9af87abe3b55f11fd5ce36b2347a47ff08

SHA512
fe8740cc73211f3a298f48e3746b16bbf8c7573b35bdbc6346b08bf85da01d994a5c2a64000d2126ceb1b70257189f593f4173a64df794eebd6d785e621b71c4

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
640KB

MD5
06884c77596d123ce8fbe6ffaf036372

SHA1
2c194942f1e867ef1fd2e6f4444381dee7bd7e88

SHA256
1eedd538cde670ef801ce5cff8dc783fdef96959e60b8f17799adc1e160a21eb

SHA512
01deaa37a7ac4809b41d2509ce492e381c98843e7a0b193c5e01af6462067fa50ca8c29b599903010c10f94ceb0dbe61d96f05fa76fceacc8dd78a302c4cc562

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
640KB

MD5
be137e9a48bd659f5090c79530dd66b9

SHA1
e7061b31ca310301c16c5e8fcceb867bfb664cb4

SHA256
a058a59584bf2e8cc241d4c031062c1e76ebce0307a58d84c695b462bdc0276f

SHA512
375f00af4e07d3d99e33a7766d1c3b720f8942d31cc68f911a42a2a34f87c7912b7e06e428bc062026ef48d7146a098a5ee4f031ab44c287671d14abaaf6935d

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
640KB

MD5
601cc3e5638bd12e94264f1b966c8d65

SHA1
f3b370d501237ae11a66628201ee18d2d3faf30d

SHA256
3d40bcc25f426d8b27c4181aa72f9b06ff717cb179ce068f7ded6564d6c61318

SHA512
b1b72b6c2def10c2983d0c2fecc3ae12f9554c8ae84d2ec7d803fe3cefcaed7fe30490544cc68c25bfbaca10a2bd38cb5592defe8e38072ab1cfb9d2813e8a85

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
640KB

MD5
1d3241228e7dce3271d704b480a27757

SHA1
6d358b632f2c30685083ae956d8dcf055a0fc191

SHA256
9797cb212bfea3c03835f5e68a1f7e502d24e906c0430630cfa7deb186eba14b

SHA512
293c4e855dab7746cc8d98823cff323591dfa935eaeda63e1f92f308c97ca90aa0c8495feb1a6e393c344ba2a64c2b61bc2370a15050907fa78e0fcde6d9e557

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
640KB

MD5
edd955eaeb07e94ae23d64f4428a585f

SHA1
d649f23f60dc1310fb651ebcc89d736b45790de3

SHA256
4694e9fbe66651b336116c50fc9bdad3a6b2a411ad909ea382f4e550e0713abd

SHA512
28b69da2ff7b4c963e6d8f3a57248dddb352ebd48c2131dca15044e8baaf0e30a094755ad0c03ea611a963b8c630338e74184d3606fb7835e6df8fe0c56542da

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
640KB

MD5
b8ae1fb7ae754bb9f4527379006a2a7e

SHA1
c6feacd8c5c3ca148c8c6bdee0c0bc3f6a808980

SHA256
333c7eab5e5c91754a278ff81c81333dab4ea253b7d46a1497fee619d5ab7ec9

SHA512
b634190008cb4309998c6ad371553bb2f7204a5a8e836d83fc651a3e21ffcc8bb1b4b52a5b6b2e3880a5921255dbc834339af0af632901d17ae5b0ed5dfbba0a

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
640KB

MD5
8e0d0a55e489b67f293b1d0f6e6b7335

SHA1
376b3e413c49c0f509d91764edb0a2927b952a87

SHA256
cad112e1d6948c29076e05d48716b8a3cc2d05c304ab3f1939b7b3ca8b045945

SHA512
623f4d028927db510597e83b985651be3b2a47e03ac33646bbf44a0fd41b742f00bbd1bf8ea631f587a661a1218b28059e1ca5e9a2c895e9f43c1014b9bed2b5

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
640KB

MD5
1a2811759a6e723e4cbc9f942a745ede

SHA1
ae2acd88ff0fb81c794c4431e3d15a68276b36f8

SHA256
262cbf600d8eb476f402d4a5c26219b2010922efab4a164a6e44d660102260c9

SHA512
138846a2bd020d6ae4a0d4654f0dcb17cf29cc35fed25ce12b16a254225366983340fc23fd954d6353f545a9e3ce4ac39df78ed57433c4b68f9d165e9921e036

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
640KB

MD5
b1a18c16974c4305a07e30d1b476fe25

SHA1
916646e64ed2d2f9a37b8dcabf7a557c3e2cb0bd

SHA256
8c2300a65e0e766b2e8af5684f0498186c3abd7c77e11cb8a5e178e5122d9753

SHA512
987dde9f2a1411c6645150477314e9097cc783ccaf53d063f11608284bdfdb4bc6f182d01ea3537871752b27f7d002b48358b1679cc928afa18b4cd616381f3c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
640KB

MD5
5646af25f162c1860b8fbd9f84d705c2

SHA1
f91e14d85d61cb467f633a63d4de2bea031e0406

SHA256
3c5073b19235c7e11370817bb3181359ba80f4f1c4b4016f70e0acf334d16377

SHA512
30e53776fd51ece1420835414cbc31e50ec513a6f10ff6bdcd6f167a222d6dfa37b15eccb2176849991f8a99fb055cbdb857d22e4bbd0867d8a1d176ac757a27

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
640KB

MD5
0aa5cd409a7864eff8e9317a8b447342

SHA1
703f43db443c4cd0f2e87e0df41dc825443e23e4

SHA256
ec1c959dfdaa4b751b74775dd4ba65145150bb458ac8877a62ece96cdfda3717

SHA512
7800920b61d997236897baa39e637987187600a3d7cb7dd78c609b0940d9b87e1f5665306f5428e0defd8c59bb4aa5fe34f3f08b688eaa21abfeaff4c118e821

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
640KB

MD5
4bac3dbc34c6f321bcecc49494f85418

SHA1
006f93b5a638fa70f7dd41ea2c3997ebe60b6087

SHA256
a6426875870e154eadf1eeb24a76e425545348114c5df6715371c0f5a38b77af

SHA512
be3e67e41e72e78bd62d73d55189ce1ac6325d91ad99eaac410d006ab72b08c1fc7067eda49189d1ade0e69c3a250dcf8d236f02c8b7fb135500cd39b2354a06

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
640KB

MD5
365c9ad7593f26d9efc8f889d9f4348e

SHA1
c03a56e84b88a5df6c14f7da25115d67ff33e138

SHA256
718c3cea7460d0d736498db9026e3030109442671dbe426dabfa07ffb44a5549

SHA512
2bb73dc6bf2728fc196679a649df248773a2db963653571f54d558ec2625ffafe180be8d9342370005a85663d703d47b61b5ef802456837d3d281ed085475c00

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
640KB

MD5
88b3791b8473abaea826793072ae6e9e

SHA1
72c77f5e727738500e78ec586bbd26a293cc8fb1

SHA256
c4d59ecc3b51dcab1522cd9dc392bf319008ac8ab0f6796bcf5bdf3ec2b1cb9d

SHA512
983895ab063412c0396fb0625b89eb8d5a613a27b006b54d12042d8f4f56672d6b915855b40a081d414410462eca492bfffbea0c7fd174f4e85e7c4fe7e148c1

Download Submit
memory/412-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1644-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3804-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3804-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads