e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
Size

237KB
MD5

732de6d64b3d2b062df68da43bbd74e3
SHA1

c1a7fb1667a60b7f46f6608a819cc1366c985057
SHA256

e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5
SHA512

20c78ef38c607d3da584747f242c824698f816b6dba1edc365bb66a96f83f143276bd4e9efb06f84630abf28de4be93f4777d6382de900ca64371fe25c96818e
SSDEEP

3072:JDdQbTnRmFZuYVE2jAUbj8Nq75Sq4iqnAUUjE02ZoL9snKKq:r6mF432jXj8U5ihYjEToZY8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe

Executes dropped EXE 42 IoCs

pid	Process
116	Kgphpo32.exe
5108	Kinemkko.exe
2732	Kdcijcke.exe
400	Kdffocib.exe
956	Kgdbkohf.exe
1068	Kdhbec32.exe
1892	Liekmj32.exe
4920	Lalcng32.exe
5056	Liggbi32.exe
1708	Lcpllo32.exe
3668	Lkgdml32.exe
816	Lnepih32.exe
3716	Ldohebqh.exe
4488	Lnhmng32.exe
4880	Ldaeka32.exe
5036	Lgpagm32.exe
4116	Lddbqa32.exe
2932	Mnlfigcc.exe
2944	Mdfofakp.exe
4632	Mciobn32.exe
4660	Mkpgck32.exe
528	Mgghhlhq.exe
3680	Mpolqa32.exe
4888	Mkepnjng.exe
2524	Mncmjfmk.exe
2368	Mglack32.exe
428	Mjjmog32.exe
4312	Maaepd32.exe
3556	Mgnnhk32.exe
2080	Nkjjij32.exe
1920	Ngpjnkpf.exe
644	Njogjfoj.exe
1088	Nafokcol.exe
2616	Nddkgonp.exe
1988	Nkncdifl.exe
228	Njacpf32.exe
1676	Ndghmo32.exe
1380	Ngedij32.exe
1660	Njcpee32.exe
3572	Ndidbn32.exe
1000	Nggqoj32.exe
848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	848	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 116	2288	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe	82
PID 2288 wrote to memory of 116	2288	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe	82
PID 2288 wrote to memory of 116	2288	e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe	82
PID 116 wrote to memory of 5108	116	Kgphpo32.exe	83
PID 116 wrote to memory of 5108	116	Kgphpo32.exe	83
PID 116 wrote to memory of 5108	116	Kgphpo32.exe	83
PID 5108 wrote to memory of 2732	5108	Kinemkko.exe	84
PID 5108 wrote to memory of 2732	5108	Kinemkko.exe	84
PID 5108 wrote to memory of 2732	5108	Kinemkko.exe	84
PID 2732 wrote to memory of 400	2732	Kdcijcke.exe	85
PID 2732 wrote to memory of 400	2732	Kdcijcke.exe	85
PID 2732 wrote to memory of 400	2732	Kdcijcke.exe	85
PID 400 wrote to memory of 956	400	Kdffocib.exe	86
PID 400 wrote to memory of 956	400	Kdffocib.exe	86
PID 400 wrote to memory of 956	400	Kdffocib.exe	86
PID 956 wrote to memory of 1068	956	Kgdbkohf.exe	88
PID 956 wrote to memory of 1068	956	Kgdbkohf.exe	88
PID 956 wrote to memory of 1068	956	Kgdbkohf.exe	88
PID 1068 wrote to memory of 1892	1068	Kdhbec32.exe	89
PID 1068 wrote to memory of 1892	1068	Kdhbec32.exe	89
PID 1068 wrote to memory of 1892	1068	Kdhbec32.exe	89
PID 1892 wrote to memory of 4920	1892	Liekmj32.exe	91
PID 1892 wrote to memory of 4920	1892	Liekmj32.exe	91
PID 1892 wrote to memory of 4920	1892	Liekmj32.exe	91
PID 4920 wrote to memory of 5056	4920	Lalcng32.exe	92
PID 4920 wrote to memory of 5056	4920	Lalcng32.exe	92
PID 4920 wrote to memory of 5056	4920	Lalcng32.exe	92
PID 5056 wrote to memory of 1708	5056	Liggbi32.exe	93
PID 5056 wrote to memory of 1708	5056	Liggbi32.exe	93
PID 5056 wrote to memory of 1708	5056	Liggbi32.exe	93
PID 1708 wrote to memory of 3668	1708	Lcpllo32.exe	94
PID 1708 wrote to memory of 3668	1708	Lcpllo32.exe	94
PID 1708 wrote to memory of 3668	1708	Lcpllo32.exe	94
PID 3668 wrote to memory of 816	3668	Lkgdml32.exe	96
PID 3668 wrote to memory of 816	3668	Lkgdml32.exe	96
PID 3668 wrote to memory of 816	3668	Lkgdml32.exe	96
PID 816 wrote to memory of 3716	816	Lnepih32.exe	97
PID 816 wrote to memory of 3716	816	Lnepih32.exe	97
PID 816 wrote to memory of 3716	816	Lnepih32.exe	97
PID 3716 wrote to memory of 4488	3716	Ldohebqh.exe	98
PID 3716 wrote to memory of 4488	3716	Ldohebqh.exe	98
PID 3716 wrote to memory of 4488	3716	Ldohebqh.exe	98
PID 4488 wrote to memory of 4880	4488	Lnhmng32.exe	99
PID 4488 wrote to memory of 4880	4488	Lnhmng32.exe	99
PID 4488 wrote to memory of 4880	4488	Lnhmng32.exe	99
PID 4880 wrote to memory of 5036	4880	Ldaeka32.exe	100
PID 4880 wrote to memory of 5036	4880	Ldaeka32.exe	100
PID 4880 wrote to memory of 5036	4880	Ldaeka32.exe	100
PID 5036 wrote to memory of 4116	5036	Lgpagm32.exe	101
PID 5036 wrote to memory of 4116	5036	Lgpagm32.exe	101
PID 5036 wrote to memory of 4116	5036	Lgpagm32.exe	101
PID 4116 wrote to memory of 2932	4116	Lddbqa32.exe	102
PID 4116 wrote to memory of 2932	4116	Lddbqa32.exe	102
PID 4116 wrote to memory of 2932	4116	Lddbqa32.exe	102
PID 2932 wrote to memory of 2944	2932	Mnlfigcc.exe	103
PID 2932 wrote to memory of 2944	2932	Mnlfigcc.exe	103
PID 2932 wrote to memory of 2944	2932	Mnlfigcc.exe	103
PID 2944 wrote to memory of 4632	2944	Mdfofakp.exe	104
PID 2944 wrote to memory of 4632	2944	Mdfofakp.exe	104
PID 2944 wrote to memory of 4632	2944	Mdfofakp.exe	104
PID 4632 wrote to memory of 4660	4632	Mciobn32.exe	105
PID 4632 wrote to memory of 4660	4632	Mciobn32.exe	105
PID 4632 wrote to memory of 4660	4632	Mciobn32.exe	105
PID 4660 wrote to memory of 528	4660	Mkpgck32.exe	106

C:\Users\Admin\AppData\Local\Temp\e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe
"C:\Users\Admin\AppData\Local\Temp\e4e9f37574f227ff95451052b1f78cdbb5f4c594096046c8e1d34daf937b89c5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\Kgphpo32.exe
  C:\Windows\system32\Kgphpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\Kinemkko.exe
    C:\Windows\system32\Kinemkko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 400
        44⤵
        Program crash
        
        PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 848 -ip 848
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
237KB

MD5
b97de51385ed2d146c2808e4e1ec4b4e

SHA1
6847024a2e39f514471187aa9a7854afda88e2fa

SHA256
b78e0205f865044ee3fb55b9f083866a3ecae985c540731a04c45671da078005

SHA512
8d1363e59f1f86734cfc956b6ebcfd91d454d693693e4bbbbb426d70593afb929002fe9526b2dda0445aef647c65c3f92454aa8cd8249e9f7d60f61e3c6facbf

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
237KB

MD5
589deec0f3219f0b35f19832c24f3bf6

SHA1
68b4e845836bdc0ddf3c4d7c9d038df2ba5d8832

SHA256
d23c59b43aeffb2c04bf98964f0a7d6a00c4c9cd1f983207b63383dfd504c915

SHA512
b3e185a9c6892df378d2b2704b3efa3d3184d12794a4c98c783dc9bd28033b7d9c6ab69d3a1d78a004f53be786fd9f96c40179c330b754b591dfd4c8c986dec7

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
237KB

MD5
4974cf1cd3547adfd0a708fe8897262c

SHA1
2ff8b5c2639c34ca89505e31340d539f410ce6a1

SHA256
2704aae9012eb06fee7b285f23dfb5b4c8eb40d0c1ca2bc096825d52ca6ff220

SHA512
ca4b57754b4632f846e6180f5e86b391504afd1be54d65fa3a1b3314b9a0ea6b927e867c2efbdf1b1e88ddd06676b6ca878cc39a1e32f5e7e489f05b0485dbbc

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
237KB

MD5
2d58d9eea443fff3903cb6bc124fa693

SHA1
b725c8c16a8d3e123c3feb608a92c68bbd30ab80

SHA256
7872b73b3c407f13afd2c76182f2192c8338b35da9cc0991f995db526c4481a3

SHA512
1f6588be1ae98a8b2a335ea84a025de761d828eed21013848935271e0ecc557056c1c4c406c41ceab714fbb6fb7ab3247526bdc4510bd8bc494892ae1534fd02

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
237KB

MD5
8ecedd07a3a95a12372c858910b567ab

SHA1
221f2eadb229099a714a8be7783d938be66547e7

SHA256
2091df0b6a65c2908c4095df69a98f7853790f21aa5666026ebdc73b6d8ae6c8

SHA512
f9ef1c38a1a725f8782eb27313ecf6c7fe476bd6af64fd1de8221d2400de1c02866d34cb3c3813ece71857eb019c8edaa66a8d37b7b3e954afd30de3c806f9ac

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
237KB

MD5
26cbadce5b068fd2e35bae8579297ed3

SHA1
4f791ccd870549b17f3c6aa9d8ade2528bf84173

SHA256
757584351524cb98a6e98f5dd7139ac75ae23411b67eeac073d46353960bfa6a

SHA512
237b3d5e68d3ea6b9e71b87a844f82c33bc5372c57737cdba176f443437c5d21787ed54450b7668fa4caf988b128bfffe937e77fe343eeb5461f70040674d6f7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
237KB

MD5
89ac2a61b78e143ca1ee754546071a26

SHA1
ffcdc7d95806125d932d78e92e126d7824ffcdf3

SHA256
e75a59a97cc04569a705083aa6c74f193bb6c0c34b406667bcf7e0cbd36f7da1

SHA512
d3a7d89db2623474cf0ccfdbdfaa8ae92d02042cd6781e9a133d51021a58edc2ba6b31470af620799ea1684f31e5ba9ea986d1a1cb880cb51ae4361ed4211344

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
237KB

MD5
b9179e3c0e8760dcf44517325acb45cd

SHA1
45d6c8dd15c71f6dbd81216f7b0e15eeab6982c7

SHA256
607040b01e74ca9f4f1505e05165366e74eaabb49f6b86d59f41ed1f71ff26c9

SHA512
737198a35ec4b7920fd4d22321cabcc31f8ef33d6c9002d02b5df86bef581d5117a3af982eced411053ea7e147e696340d76d8d2d725bba250350f2c82270d59

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
237KB

MD5
290c74223f9e6c25bccae8fc05ab4a64

SHA1
16962704e520299a4d022c1230e05c583f28623b

SHA256
dd7f35ca2c47b113e31237f1bb2682225d84abddf87d0d06d53f68e0e24bb6ae

SHA512
d5c54444d821e0021065c30e85dbf34c2cb512de0b7cce38ed8dfedabcacd6cd7629995a54d20bd5ed6622c80f7ab6d0362e9cd4445bd290f14d99df81995122

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
237KB

MD5
ed31d496bf65d914b868f3496936487c

SHA1
1092eb91f6f3ee7629c7a07a7157e76426c388d9

SHA256
f48d30a7d50d586cf4365b680954eef26f9fd760d80d5f1347a8e3a719847c26

SHA512
a9fac2c212a3c046b7cca86a7bc3d83acc23b4ff73370b5ed8dba6810656c1fd4a7cd82e7c2af7000b28d30460f8c7fe77a145ee164679d6ab7f80e96833fb99

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
237KB

MD5
3c67ef76316440324963f6cda0acbb70

SHA1
165bcd4bb9f85372904108cbee2da6833c19addc

SHA256
2abcf09edc0c81745fef0bd0deab552342ea49ee4662dbe3480c7f99df340936

SHA512
f63b00e84d100c4878e6ee7da3fd6db54abccf7d73d8f75df5063f8df4d43aaa94f1c0b9448a3de13b43e3f1b573d4f27b04760651d352de9592da59a7c97bb8

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
237KB

MD5
ddbcf7f9166ac7c6b6e7fb2364db04f8

SHA1
f0ad4b5e8e9078cf7509ba78b00caedb0c1c97ce

SHA256
0ff1e04bf56b5db26cbf3e0cd9d1a355298e35adc079db0500e36c1ba08163de

SHA512
ad9b2450fd29ac17135af833d80229890570334edfc26d41377fc75bee746779c9ca6e37bbd3bbfce91b76d2d0db8247a60ba36ec76039f316970540b22ef5f3

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
237KB

MD5
f0c26e08c5f0720b914777f1fa747b97

SHA1
e56a303c9c9b91d3fcdb3a0ca53b6ba7e4b0968c

SHA256
052e055d6702199f2b8c79984378a1bb1759e1e9204750904b954a66a3f9fc9f

SHA512
c0f672813fc13074b9474ebd3b2ccef6f24ed6d44e3cd2719c3d608fbace4fc14532ecf115dd85d73d0e1a25d7f0a62dfd60cb0ada054e3b525c4289b724ca34

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
237KB

MD5
07badffcd8763d90390ec93e6a4013d6

SHA1
dd0ab0629114e04cd6ac733dcb9f10adc52db80d

SHA256
88b83977b53c6f50c52744987cfe0867f8cacbc66f7f938a02d2578381cfce2f

SHA512
ff5e371113f8494e731033116ee77b5860ab6340131b8aecd7f7fb8d559a52a5ebd4b6e34bfb8036811902c483c1aa2f5e3561e6d9f6e478e50f6a65328a6fd1

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
237KB

MD5
fab9482747bee4369669827df33ab315

SHA1
e29c17e9cf31ca45282d86f0427d61cf0d3a8960

SHA256
d833b0d7c786e0e578565735cfb3ba8c1cc7401047ea33efed3402ca0aab751b

SHA512
a5861cbacf0f2b8342886334ddcf95936e8648bd786d0c7ba83d296470c16e041db9e2720d8638bf7512d5f7bd21d058123d1652dc5ebc6845fd2597862cecea

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
237KB

MD5
b05184e8ba106a19c56312e2373eaab5

SHA1
4cfd3ceba31bc4748cc4b6cf472f44bf11cd713a

SHA256
f53acb5e79b016c51748f2a54971804d9cfa9fd5cd50aa5dbb3da074c4ddd199

SHA512
f961d702bdb310f6dbf1f26ce0dc21cff0737a08a5aa381d9968da2c4dcc53178eae83118ba02e7468ceb4e9b84d6968d108d8f3a9c511424e2ae803860e891f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
237KB

MD5
c73d02190c73d4b4c6c0ba15a94d0544

SHA1
37d60117cdad12eb266e02f6d5914bcfd595c0f4

SHA256
f223b90400b1b4a72258d72e51a4d544cd453e2ce2614ca0ce88929b6b788042

SHA512
9e559eac7effe1c8a4bffd49b9e5c8a4ae77deddb90aed3eab28e9547e168038f483847d2bd8809e6ed27afae20c5d860da8c3db7acd88e2101955ba10f5aad5

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
237KB

MD5
92bac5c2cb41e5b133a59263b6d81ed7

SHA1
484d607974258e2ee804637f0cc26e04ee03a04c

SHA256
282fc7d71e7312e527f3e00cb877b58a36382a00a733707c63706d8c01fe1478

SHA512
c4991b1b4d78ddad7c22d54caf9d3298ba209eb6e0a39a640e7d3cc4646cd2128fa0f01f32ed124635eee5b4ff77e075068fadd760c8c91e363b073fce907a1d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
237KB

MD5
ae5c0fb5e67f2dd6e02967bd31907412

SHA1
ac9de03d23f88cde7955e45936d9352b05c9b73c

SHA256
4522869c4ad9e5ec63601637bc06cb9e27bbaedda6b75328e38c24e7e6fc4f0f

SHA512
869eea69986d4d2a2775eb6a310c417b40d9833e090a5998a007e9608273d682133f54b3129acc458f4efdd24d4bcd3ab1aa2bb02510e975f48ac4b92fc27858

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
237KB

MD5
e2ac4d8951549dc462385550becc1ef0

SHA1
e4154527bcfb7de706b0ab8d9993ae675d6c7288

SHA256
f4aef224891362c5c4e5452615de2c8b6fdec55174eda25ec10654593691b914

SHA512
1f77244d9bbde4ff181e487ff23ef0ec32a9327e7171167c341e46364824a9e6aba2f8b2e125f0b2e2920cad2dc66709c064b3ee7bb902b1ef57bc26ac021147

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
237KB

MD5
f6225c0cde3527109c250f42429d55c5

SHA1
704cf94f13b7a35cdb486b91515e9a52bf4059b8

SHA256
f12d7bbc2163b1bdaf4d90eb67b4095de6e58a027b9503ef1d70676a71711ef6

SHA512
afffcedd17beaa60ac662d1eee538537693d8a9d6d9b7985cd01cf4a03ef2683aed2a89da65f5cc299c4d249eddb7f858a78b514b3ed6cca07d129e8e01bcff6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
237KB

MD5
0f67a51d2769f9403ed978a3518885f4

SHA1
201956685ee8bd047330e4c1236de5999931a6a7

SHA256
a12b20d5890727adc259dd797d45529ae8af9867485e7d8a46193ff1e53aaa02

SHA512
bccdae83cb0fb1d48fb899be779b6a6c6b0f5831c6f377c3012bd87627defad8cec25a32b53ff765e21b6df155c0f81d6ab6c01374f6fad2d9ea8415d249856e

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
237KB

MD5
6e69276987b1c85aaf763f5f4f7439e0

SHA1
ca112b6f35d384641e1579691dd4f159b6a2893f

SHA256
e6f46aa665278e07aa384d0bda5d215637d4b14d226789cf71dc2bdc39001430

SHA512
0af5d0e5d371c3a64ebe143fc4178bff029e7c8d16c8eaaad07395481dec2d287d1776142269b91f0fed4ff59081d25a7431c36c8d01012e795085a44ec9ad29

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
237KB

MD5
45ff74f143fd179412b6eafc6903c0d7

SHA1
2b7c5a397cf08ea65176a2cd33079c33105eab0d

SHA256
a31fdf260fd483e33183e78df4252f3d1187a260d838af272bb68544adc72f8b

SHA512
394db2bb92973d3d1862d66610bc847c33c7bfe12ba768b6b50b6b28d7df37c5df5f38b1039210326cca426cbb5f9060003761837f6f2b369bd963adfd0a8885

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
237KB

MD5
f1b77248c4b6e6f607e96b1b77e24386

SHA1
37aab64bb1ab81a8060a7bd429258e2b1163a054

SHA256
cfb8a5f32db749937c0615c159ab01f62201bfb89ba400ec1bc7ab9f130c3c5d

SHA512
b81aa2a860e4326feaddea7954f3f307e96ada825eee6b4bc188808bce10a40ee3ce49ce816a69c3f1c47e6bbb9688cb2371da5bab81fe28e0dd52a16afac35e

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
237KB

MD5
dca372bd17387ec1f110c6cab4f9421b

SHA1
5f453471b390d01ba070007a90ab1cedf64d3ab2

SHA256
a6dc46b7ab040e3f18449c2e866e664af60b8e2cb8fa506fc753817e7288b35c

SHA512
aeb77c8d4fd30f9f12e9f5e6ebad78c75c88df976252ced78e8ac5333c0d6b3efd12a189c064e707bea17b3624ccc480d84762cf91af5c57430ad12176e4fec0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
237KB

MD5
2b113654eab9504fa45ac88ef61e2790

SHA1
caa8fcef8ef3262992ac0d0c2055118e4f7eee4f

SHA256
2ce62f43e4bacdc9f6a36a9fcb1c0cd749dcc636801c3ddba686e4f4d34d05c1

SHA512
25040ff91d45345443511206075f7c514c2a92e77d73b90be71de274d4adeaf14dbbd8cd93a422b5cde4aab7cb3549f87481d91505aafe56eb0716f52b766f36

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
237KB

MD5
f77bdaa1e4642a5e218231f966da986a

SHA1
4780600627713836c79c9ac0222182fb1bbdc5af

SHA256
3616965ca681a119dcff29d427543711a937b55808f1e708a05781632bb8e3ea

SHA512
3075d7da73abe775ecd8648ac6290bb5e2a17ab424552ae927602d000d3965414520e23ea46509cf0e197d798907269e397d8798f572536697ef0b26febbe247

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
237KB

MD5
e2f1a149f0d45b068bd426abc6c47aa7

SHA1
fe5208170c519095f391e4036911e0bc4a7b1040

SHA256
9f18daa978544c315d9d808f668b06ffc8ed7c7cc05382af51a129886411b239

SHA512
dcaf70ec93d6be13937290da6accca0ab8d0775934d0fc57504836161cbaa5ac3e61783488fd4c170d8ae5615f2f4e2e4104d805b23dc425908cdc9d83553b01

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
237KB

MD5
47da523e2f8b666c60b181f89da810aa

SHA1
320ebacbf44d7349759f408ea24181132cf5c025

SHA256
ff8ce5847ebbd2821df8424387a595afbb95df021cff20e9296a0c6196c16e01

SHA512
ea206af6e7c33d0f446abccead4cda6fc0df1fe72bf9b4b9c9995dd4d4b18fe21187540da150b2447ab5dfa90dc29011d85137a81f78beff626f0cb762a78e11

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
237KB

MD5
d0b36619acacaa2ba7d505138cd5af1b

SHA1
13453b758b8cf34e6c977dcc6604110ffd5c9da9

SHA256
1dc33186ea17d0337d918491f1c094bc1fca3f0cb57c7f7d112e490e2dfc6928

SHA512
276683e71f97fcacc2fd634acbc486c13b15f167ddda0ad10b90072609fbe001c558840c205f521c3a257ef4796fca2fdc801a103bdfa8dbd27edf156f705b50

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
237KB

MD5
a9a1cc8e00117244a06a087a0abe86ca

SHA1
6653cd36bc6b601d9d5233671350ff616f72b23f

SHA256
c4a408c80e46136226420f7d6f3e9253be48df9d5e2e64abda533fedee5e50ae

SHA512
9be3cad3840447c3978b63e621058d3c18ea42ce5d8eb62fca857a6c33c4f76b258e0e18097118dc4f03bd2dd5166e023c7e7b8d8763c1db63aac44c1569c4cf

Download Submit
memory/116-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/116-392-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/228-396-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/228-276-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/400-36-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/400-386-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/428-214-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/428-340-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/528-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/528-350-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/644-330-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/644-253-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/816-370-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/816-96-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/848-313-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/848-310-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/956-384-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/956-44-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1000-309-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1000-314-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1068-382-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1068-47-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1088-328-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1088-263-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1380-287-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1380-320-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1660-296-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1660-318-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1676-322-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1708-374-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1708-80-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1892-60-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1892-380-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1920-332-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1988-324-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1988-274-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-238-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-334-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2288-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2288-394-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2368-342-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2524-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2524-344-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2616-326-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-388-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2932-358-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2932-143-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2944-356-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2944-151-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3556-234-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3556-336-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3572-315-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3572-317-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3668-372-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3668-92-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3680-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3680-348-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3716-368-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3716-104-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4116-134-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4116-360-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4312-338-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4312-226-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4488-366-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4632-159-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4632-354-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4660-352-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4660-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4880-123-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4880-364-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4888-346-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4888-191-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4920-378-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4920-64-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5036-127-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5036-362-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5056-376-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5056-71-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5108-390-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5108-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads