852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
Size

73KB
MD5

c642b6c3ea2b33042f40b1407d44ca74
SHA1

f180183a4011e8230de1fae274cce4b9a373d544
SHA256

852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869
SHA512

8e00000413c31782647bf9ee4626a2842476f5c4e5446a897eeded09544109a89d8cbbc7157ec279bdb3dcb44864428128c07331e9a582027c63816fd6af9afb
SSDEEP

1536:/BQrB4w6uXTRxTXae8W+b5+4+3zCQ85YMkhohBM:/BQthPXtNKeJPjCQoUAM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe

Executes dropped EXE 46 IoCs

pid	Process
3352	Kpepcedo.exe
2264	Kbdmpqcb.exe
628	Kkkdan32.exe
3492	Kinemkko.exe
744	Kaemnhla.exe
3668	Kknafn32.exe
2240	Kmlnbi32.exe
3212	Kdffocib.exe
1012	Kkpnlm32.exe
1308	Kajfig32.exe
4028	Kdhbec32.exe
4904	Kgfoan32.exe
2096	Lmqgnhmp.exe
4932	Ldkojb32.exe
1984	Lkdggmlj.exe
2536	Laopdgcg.exe
620	Ldmlpbbj.exe
4084	Lijdhiaa.exe
1616	Laalifad.exe
1440	Lcbiao32.exe
2760	Lkiqbl32.exe
1424	Lklnhlfb.exe
1380	Lknjmkdo.exe
2340	Mkpgck32.exe
644	Majopeii.exe
4872	Mcklgm32.exe
3516	Mjeddggd.exe
2468	Mamleegg.exe
1572	Mgidml32.exe
3844	Mncmjfmk.exe
3840	Mdmegp32.exe
4468	Mjjmog32.exe
4584	Mdpalp32.exe
680	Mcbahlip.exe
4544	Nnhfee32.exe
3660	Ndbnboqb.exe
1384	Nklfoi32.exe
1416	Nnjbke32.exe
3376	Nddkgonp.exe
3220	Ngcgcjnc.exe
3048	Nnmopdep.exe
2456	Nqklmpdd.exe
4768	Nkqpjidj.exe
4236	Nnolfdcn.exe
1256	Ndidbn32.exe
3948	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	3948	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3352	4400	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe	80
PID 4400 wrote to memory of 3352	4400	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe	80
PID 4400 wrote to memory of 3352	4400	852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe	80
PID 3352 wrote to memory of 2264	3352	Kpepcedo.exe	81
PID 3352 wrote to memory of 2264	3352	Kpepcedo.exe	81
PID 3352 wrote to memory of 2264	3352	Kpepcedo.exe	81
PID 2264 wrote to memory of 628	2264	Kbdmpqcb.exe	82
PID 2264 wrote to memory of 628	2264	Kbdmpqcb.exe	82
PID 2264 wrote to memory of 628	2264	Kbdmpqcb.exe	82
PID 628 wrote to memory of 3492	628	Kkkdan32.exe	83
PID 628 wrote to memory of 3492	628	Kkkdan32.exe	83
PID 628 wrote to memory of 3492	628	Kkkdan32.exe	83
PID 3492 wrote to memory of 744	3492	Kinemkko.exe	84
PID 3492 wrote to memory of 744	3492	Kinemkko.exe	84
PID 3492 wrote to memory of 744	3492	Kinemkko.exe	84
PID 744 wrote to memory of 3668	744	Kaemnhla.exe	85
PID 744 wrote to memory of 3668	744	Kaemnhla.exe	85
PID 744 wrote to memory of 3668	744	Kaemnhla.exe	85
PID 3668 wrote to memory of 2240	3668	Kknafn32.exe	86
PID 3668 wrote to memory of 2240	3668	Kknafn32.exe	86
PID 3668 wrote to memory of 2240	3668	Kknafn32.exe	86
PID 2240 wrote to memory of 3212	2240	Kmlnbi32.exe	87
PID 2240 wrote to memory of 3212	2240	Kmlnbi32.exe	87
PID 2240 wrote to memory of 3212	2240	Kmlnbi32.exe	87
PID 3212 wrote to memory of 1012	3212	Kdffocib.exe	88
PID 3212 wrote to memory of 1012	3212	Kdffocib.exe	88
PID 3212 wrote to memory of 1012	3212	Kdffocib.exe	88
PID 1012 wrote to memory of 1308	1012	Kkpnlm32.exe	89
PID 1012 wrote to memory of 1308	1012	Kkpnlm32.exe	89
PID 1012 wrote to memory of 1308	1012	Kkpnlm32.exe	89
PID 1308 wrote to memory of 4028	1308	Kajfig32.exe	90
PID 1308 wrote to memory of 4028	1308	Kajfig32.exe	90
PID 1308 wrote to memory of 4028	1308	Kajfig32.exe	90
PID 4028 wrote to memory of 4904	4028	Kdhbec32.exe	91
PID 4028 wrote to memory of 4904	4028	Kdhbec32.exe	91
PID 4028 wrote to memory of 4904	4028	Kdhbec32.exe	91
PID 4904 wrote to memory of 2096	4904	Kgfoan32.exe	92
PID 4904 wrote to memory of 2096	4904	Kgfoan32.exe	92
PID 4904 wrote to memory of 2096	4904	Kgfoan32.exe	92
PID 2096 wrote to memory of 4932	2096	Lmqgnhmp.exe	93
PID 2096 wrote to memory of 4932	2096	Lmqgnhmp.exe	93
PID 2096 wrote to memory of 4932	2096	Lmqgnhmp.exe	93
PID 4932 wrote to memory of 1984	4932	Ldkojb32.exe	94
PID 4932 wrote to memory of 1984	4932	Ldkojb32.exe	94
PID 4932 wrote to memory of 1984	4932	Ldkojb32.exe	94
PID 1984 wrote to memory of 2536	1984	Lkdggmlj.exe	95
PID 1984 wrote to memory of 2536	1984	Lkdggmlj.exe	95
PID 1984 wrote to memory of 2536	1984	Lkdggmlj.exe	95
PID 2536 wrote to memory of 620	2536	Laopdgcg.exe	96
PID 2536 wrote to memory of 620	2536	Laopdgcg.exe	96
PID 2536 wrote to memory of 620	2536	Laopdgcg.exe	96
PID 620 wrote to memory of 4084	620	Ldmlpbbj.exe	97
PID 620 wrote to memory of 4084	620	Ldmlpbbj.exe	97
PID 620 wrote to memory of 4084	620	Ldmlpbbj.exe	97
PID 4084 wrote to memory of 1616	4084	Lijdhiaa.exe	98
PID 4084 wrote to memory of 1616	4084	Lijdhiaa.exe	98
PID 4084 wrote to memory of 1616	4084	Lijdhiaa.exe	98
PID 1616 wrote to memory of 1440	1616	Laalifad.exe	99
PID 1616 wrote to memory of 1440	1616	Laalifad.exe	99
PID 1616 wrote to memory of 1440	1616	Laalifad.exe	99
PID 1440 wrote to memory of 2760	1440	Lcbiao32.exe	100
PID 1440 wrote to memory of 2760	1440	Lcbiao32.exe	100
PID 1440 wrote to memory of 2760	1440	Lcbiao32.exe	100
PID 2760 wrote to memory of 1424	2760	Lkiqbl32.exe	101

C:\Users\Admin\AppData\Local\Temp\852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe
"C:\Users\Admin\AppData\Local\Temp\852ed1b6c6a19afa4139306a25bf512aaf16554ca6a8a0b58aaee4d7da52a869.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\Kpepcedo.exe
  C:\Windows\system32\Kpepcedo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\Kbdmpqcb.exe
    C:\Windows\system32\Kbdmpqcb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\Kkkdan32.exe
      C:\Windows\system32\Kkkdan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 400
        48⤵
        Program crash
        
        PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3948 -ip 3948
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
73KB

MD5
c9f2393a3f5c52d48d4efd08ddd2916a

SHA1
6e5735e137987ae24422c93ceac5eb8f9aba320b

SHA256
6d5c83016af6d86143b1256f6b09e90b7fd4d6f06354c27de2550b628bf4b9d0

SHA512
493e1c4ba1aa639b4848a896c2147c823a85818ea47224ae03d01b8ca5cdb4565485e5390e0118c274fd6ea63ecccf0f858e994bee08e3a477b8057d6aec42bb

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
73KB

MD5
273ff63e32abe08b7c342e53cc0f06c9

SHA1
a6c392e54271ad47da2a5a405d1b2b5e19aa9ef7

SHA256
cb6232d16c3b4d3c374e4f4acda8142d61e0fff6eb01a028eb4ae348fe86e88e

SHA512
e480acc7bbfe8a885c0420c7b96816dc7ee1f18390b19a8666ffc6d0ba86a4be4f66f24ae35e8ca222b8ed9f3fe4266ca310ca1c45dd4c40978844b5a51d026b

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
73KB

MD5
00e79978c25700cf4002dbf4b53f936f

SHA1
bcffd09406554ff0fb817f1e6e7fcbc33cfaa4c0

SHA256
f44b7aaebd4d0ebc52d07fa35825c8528366f581bcb939d1f0e0032d6d41abcb

SHA512
7b6be820b16840de0339a4550fb94c2fe589fcc117f9fddf122676b832e26e81b5f74dd4f9c7096dcef1b84f58e9351f84d77c79400c397a41d661f8a3a81094

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
73KB

MD5
a76f35bca79c1c307fcf93c87eb48db8

SHA1
5a99b17e0c5cebc635ec9c23d96b9e068c4862f2

SHA256
9403ee04a2b00d03214a011eb8720970e4f7624418179c06db6f4e0a69cdf2c3

SHA512
3c490912d19aecd8b22255cbaa0056c9eeee0cca75060e53da5cadabe4050dbb30110529b81d918b12aab2ab9354b1ca2eff333491b64ef63f3b2938a028ad82

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
73KB

MD5
cbd764d2ef1be0557ac2c32150add5cc

SHA1
f1a791ab1e08249d0e7fd806355949e3690d8730

SHA256
734e850f69dfd23ad505e1e351b8df3173781dd9932679da8da989eb3f11ae0f

SHA512
3668c54f2c026ddaee570a20a36c19d6530eedfee9a619f69be51bb8a68925ed87d6b3ff591789b9d39ff70bae7b657015c0935f7536a21c0fe09feec619df79

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
73KB

MD5
16d952f103baa4eb2430f2870c7823a1

SHA1
9421ba2bd04b8eae062b109ad340272d67c220e3

SHA256
bbbd40169b7fdd24e1b3546014aabc20565e6f78d9a56b2cf7a24c3e7acfccbc

SHA512
039ed00eed8889f8ec866a39264dc51861099f5f2a039eb6b30743ae66dbd87d8e67d573d75f31df25b0ea1fafa3a229a26ca05f59fc2547150d3f0f90e42458

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
73KB

MD5
4b4b5bd58664e271aa39dd4c0a39393b

SHA1
c8f91fc16e8dd9a34e741c0ca09d947a4ac3873f

SHA256
9e398b9514f0facdd0c59ca16f4804c5aa08b4029d627093d4f00385a0fcec18

SHA512
52bfc9de2d6ca1d4aef9be943e02833c6e53d2e065cc6bfc438745b926639a870527ed7ccef160f9df33dedaec07cfed915c13610176b9272740f63b09c0be47

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
73KB

MD5
e58763f3b9e0aacc4cdb170069768331

SHA1
3d857019902d647db3b6470e94f1fac3dad680cd

SHA256
63e79f81833c5f83cf09972300689a7496ad66955041111867db6f52a8f7f2b4

SHA512
036741a9875fdad692307da9bfe53140b1e502dfb0dd9456994768792f239decd40971a7dcddd5d8901584de733de96fb17dabbe17ee38a6ad195b36f2d8e3eb

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
73KB

MD5
0b4068986ed0541a83be7dbec76ef070

SHA1
544acd5232297e4fabadc0a795f4c55af2c2e7e1

SHA256
3ddee6d7def3b764f62fc44823dcbb660da353c84dc5d81d8dd40012aa40e612

SHA512
655a5e51946bda54a91bc13c282c9a40bb62373f81a04f753e100309f3e9a1b4f8ff85c64e14292e7affbc4c45727c38ab25916062254381b0a880cb22191bb4

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
73KB

MD5
0c0a4aa0634e192bb9679149810788bf

SHA1
ca0988c69784520cc20b21865fd29764a24a7b51

SHA256
20161a87f4d17da24c25b4f4a3f178ed915d8d03484f145b4902781c553783f5

SHA512
1cb1228372fbbacf2550601e5d07a199d0b6c5cf277dd20932e8a2a1b39fc3f69eacf1b3a1176d8e78b8d3f78a11c10f641c3b6d923e726f2202b3d94d48a56a

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
73KB

MD5
8aab32fbacc0ccffc27ee66af7bbf091

SHA1
e4fe1a733a177c5901e40ad2a444b7f5d46762ec

SHA256
4ccd8a061c730f7c332ea873d2648ba847c95fdfb195f9fb2faf29e3dfa0d234

SHA512
76ff0cca433c215c7bc70bdce4771dc7cd068ddb3429efe3222f012a1daf666e4fcf88eaeb6a44e1a9f1db3e19d1fef325662067af66d5f81dfe9a6de1658151

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
73KB

MD5
b8f5144026787301c3f45ffc7509a172

SHA1
fbc20423c7076c22f49a4cd77fa842c267d86934

SHA256
e15b8909692eb06f34cfa696af753c2d6a259371a9c4fc2445e495595fb82519

SHA512
6bda7ac16219171786426c5111d5adc2dc5db91dc688f289a8539cd924662a60e64aa2dd368a8fecdf419cd8a396cf2cd2013703bb9f6f738d579b4f898aab8b

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
73KB

MD5
60c1ac83974b4df1bcd1def3f5ce5cd6

SHA1
a2cd2b5c46ed08b4388ef578cde14b72e60f4ad4

SHA256
ba23ba2592297205b2ff2d0d732e8c8877bbd774a2c275b7bbb63949ecb838a4

SHA512
ca32a88081292cc3827b1e6c35932181025af36b2131079f9cd9ed4bb94ba76bd75fd950d59b839e2054a14ffbcb7e762b53c86076d100f6bee505c62c98a374

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
73KB

MD5
70e9ca4b9ec12f8bb2effca52d04ed6c

SHA1
33c11c70ba22ca94ca6adfc6d47ad52d95dd98eb

SHA256
442b17302956d820f1ae4142ac2c997cc7f4347681b2f4d90e61d9b6b8723c8a

SHA512
74e291cef0cffc81163ddd2a0f177d5c0504ac6fc752f4de95951bcf056ee20098ab59a0c3f7493a18bcc65f226843e48fa82926195dc0ce66ecac1b1b66b6dc

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
73KB

MD5
3d77c422e7f5a23bf1180f2273c66168

SHA1
4e3a06f6d59c4bfb13613eecb99d63eeeeece440

SHA256
a47b6c7c39a9ad5e18607e5ca540d7f2c8a586a38a75fc163eb34739a4dcd14a

SHA512
42531382d0d8a58020a3c566aeb5011f6b3f8736ece2317c815f874ec57c85e9ba43703de3b0848b4d467b3b9662a9e1de0a86e3c26ba25bd6dd84b70e6f24aa

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
73KB

MD5
f4f290043a003dbe30064bae6d6e08bd

SHA1
b6908126a5578739e7d80536477563cf874b6eae

SHA256
434d08d8482f67f7d6004f53ca5d8d619ffafed5f7c9044c82e37e11098ecb85

SHA512
a054965a36c01c30f221bdae686d683552e9e8ddd419f3575ed5e8315f91d4397f01dedf2ef49d7ec491f2e23611a9cb36b27a2fbb56976a2bc42136cf72833e

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
73KB

MD5
e6dca0d3de78aa7626caf8d7c26461f7

SHA1
920873be8f64e5f7f625e7c47d2780cd800c2448

SHA256
c64cd399916384662d852e215daff61d2f205f0059b356c5d916582a8ab488ff

SHA512
b88d086d6d0012072c9f67b6b24139d4370b69eeaca4cc40f83971234d22c997e18570fc573a9834b8f2ce8468ec45f905863f07b21499c6f2fc718d664acd27

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
73KB

MD5
dbbd9c6225bea2551656ea9ae3080429

SHA1
41e50a0c49900afb3d0b0f6989f71141d0eafb7d

SHA256
278943875421cc5d2f161b688a68c35820da0523e8c8046410159225fa4b93d4

SHA512
611d033ce449ddec7bc6d0891d2d7fcb984551c45bcd6c5fa743c2425c9f0700e9fda672b6ed97d83ff3b3c33503b8d581b00541622242e779baaa63e5f4371d

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
73KB

MD5
8f73df4e6c51b3f69c44a6204ff23a11

SHA1
9dcb73e5b8d90c1b4a9b40046cd99e6366ad1d4a

SHA256
a04091a9e39e2fa9dc5b703023c3801c2d26411b8c454bbf2aada745271f9d95

SHA512
147af0989e7a8a4a6364bca3ea5dead5892d5f95eccddd797a58786e77466eaa73b8a2f91cd666c9f65188023258949c957abc5940dedcab7032ae736b6417cb

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
73KB

MD5
461c14d684fbfca7615b7e370abfade2

SHA1
c994c4970f1224a7aa2ba382fa85d39781fc3d21

SHA256
f2f1e95f3d65c77ba01c4c26ffdd43c2dd0217b5dabe14d88d53a8657fd84580

SHA512
1f3d6235ab94b411cbd0d8c04818731bff4305ae9c61b6faffd4c2198861a1211f624917cccda3ad2b09b7459906ea80c6a2b0b1728389151ad698f5e8c11296

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
73KB

MD5
789493d5d3dc04a833ae93e14aae5250

SHA1
bde3e29edbcb0dff7a6b53bc45cd873be3942a51

SHA256
1b52dee78a0c7179f8fec13d54d78c6daa9269f55f207f78a26b4db0bcd5de43

SHA512
5d65f01fcea36b85e1e14755a78e3a5c6682412e31f97b7fb56603c8e0d09ae1e1d3d11c6cf9b9b7e245ce54108f1a38e1244e9860a85d5c84d79bd806c7cfbe

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
73KB

MD5
6af76fb1a1d26ad90027ea66ab783a90

SHA1
a4d71cf103c49c803387dc1544a9bdbb89081cb0

SHA256
79d3efc1e0b0b72ba5bcd6a8a022c69c16ffda1ffe2e2f6d3ac1341ec1ef1883

SHA512
af9c6babcaa82318bb633fcbb38b65aaad3350d964b2b2907fdacfa2f534547eb92776ee30192038f334591a9606d604a568766d9a750d2e2e4006a4cb5edec2

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
73KB

MD5
3928e6abbc28b961f7f4d6537b6443a9

SHA1
c7ed04d2c7380eba9814f0ef62d944c377bbee0a

SHA256
af21ffe70cf71af71feefc84db40a3c4152903bd9d75cc88c8bb09d15367fe1f

SHA512
5d6e43aa22767413b263b188edcdc5438ecf0af0da48b5ecf2234c1c91a3988d7def91de4d226f81057ae75a36b12d8faca4f5153392d1f9d7581d9368aef983

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
73KB

MD5
8ad1d64c48283eb90ed9bb888128bc25

SHA1
d713ce4d60d9c3bd6fc9bbda0cd073cc693a11d2

SHA256
55bff520ddfebf363bfc3bf8c23bd7746c3114591d5fdb9e614fc57191b1343c

SHA512
1faa28a1d07c1d90d3dc2c3df5236867eb939f96c6a45a09e78bef74843f4e09b1201e995cecddec44854c23503d19702fd9b0610c00a5d72ca4249e78688411

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
73KB

MD5
3009d49cac13ca412ff6f00a4756078a

SHA1
687f2775663f421fbad4124c8fb6fee7921f3c2f

SHA256
2bb8ea0e7bf5a8680870d91ec65f7270cf09c82bc650cc3d2b0b19e97d54fde4

SHA512
1ac26ad70b55e2a6c4338ba92ad4256b8b3487f91cd41e30cb42a23324b97185d1e00af3f92b8d794e7dda80e411c270bda4295c8a2ea5adc5f86dbe241f13db

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
73KB

MD5
958d3f4641be90c615b67f51595b17a3

SHA1
714c8bceea7de22605784eaeadfe0806dd45c195

SHA256
bcb24bc7659c7946bf6f171cfb7e92a90e451cf9fe1092dd0f17d4e15bc31943

SHA512
31e41c307fe5a448a397f2db768efa2f13605e314b3bc941bf3ae96946176d59e2d8b29eba878cfceedb9938d6b4accdfe03ba5bdf8b094ba96f9f53310b4ae7

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
73KB

MD5
6e87829e02fe12782576701b0aca4726

SHA1
140dbe0c6b3ccff8bf5e68067458f62434c86419

SHA256
1a4d80c275fccb9e07568699268c18a032b40de02bdb55d9de435eb267ecb789

SHA512
91a8ecc6636635fa42b0ce866e273892cd9621084804a28c36c4b8b2316bd53ce81687e9bb571957080be807e4217912b4ddfdf090cbdeb71c4b44cbeabb2fed

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
73KB

MD5
3177676c884f2220f613cc4e01c1c81c

SHA1
756c9b88c004b472ef26afb16dceee30ce8cfc2c

SHA256
dee30b578339d99089f3fb9e43f5d0ad7d1294a39658ff010089c973116b329e

SHA512
c25b7c567d57d372dd9401080132f8e07a93afef22078db90d57a552d775fd9b324bda1a6150f2a1cec323cae5e71bee6dbe7a58fed9fd25fcd63962311ab8a7

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
73KB

MD5
57cad15303e5f1293f45771fb56e62ea

SHA1
0e3772fa40e5947d10ead49b909b9725a39f6d3d

SHA256
d25ccc1d696d959000f63bdb768d8be0fec68481e6b5237b09d54effdff80d08

SHA512
35d8f6f7ea59adc83047976154e385ac77c6dbdf5011a57785a3706d224205c5af092b36a1c808a536c1193ab67fd536aa9441875b4d0363f5fcbe67dfbb3d88

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
73KB

MD5
5062d09b26a837f47130412ef973adc8

SHA1
ee2f85f7f20c1f26b6ba4f5c870edb19034197b2

SHA256
ef379b5f978142f4e51d16e3c1831efd8f1272f307408cb3b1a01244b223ca5b

SHA512
6a41f514d1dd64e23535d7c5407a35c3f4b806320191b865f2158adce914033ab21c6a7b4772fbd0710c3948d7185d43648f1600da9b2cf912d585a08a9d9e36

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
73KB

MD5
613cd033ddc09c2c0c9bf993f33d4830

SHA1
b657e5bd4e4ff5fb888e54016da572defe96c1c3

SHA256
0721fe290bd7c6abe1f0f7454cea97c78f623560f4dd6216f2505d2f594ae0b6

SHA512
451d5d721bebad2cc505c503142137e5ba649b3d8c1bedf141ee98a6b96665be4a3d8c45305c7e01d3cbfc8959ffc668f1a5f7fb4af34606f95fa7cf7c832a93

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
73KB

MD5
cfeda7cc446d3ffd3e7dd4e08508c9e8

SHA1
6f6f7ab1e07e891407843ad3487d1dcd3148220f

SHA256
33f7489f4b2f1d578ba255666d3892e0715653a00c2bd3db986b1fa066956090

SHA512
bef0d14b559859c0d3979489c1062a39540e660c221c17cfc1241ab94ceb50e430f036d524c075ad8a583f18bcb1db10a9f8e985c458358eca5ce4624c2b90a2

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
73KB

MD5
3f44cdea31bf2e69a5df66abfab120b1

SHA1
94f3e50e675d8a11cdb3cb7cf44d67908b5225ec

SHA256
d974845c3c370034d58e50070a5a7cb004c87a9dcd4f0489aac21c3ec9d26512

SHA512
d52f56b7a019f82ad58d98ad9a9a932d90ff54382c820948d7a6174b669c70068580e8280a1f68174ab56fca4ab8e64b909b8e59503a4b730669a64897d1ddb4

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
73KB

MD5
2bca463c6b5a2f2d17b1ed733a642365

SHA1
d5b2c8d58d5048123caf3b2b7d29d26bdac69030

SHA256
40d72957ed06903d5714d85431a8219dc9663eb69b46a041dd4e2cefd87e423e

SHA512
76398fdb3566c7b9962e6049e2827739fc6d8454b2782f6222edf487304a6ed7bcf33bcd81282b9218109b9310689adf62771d56e1d77cf579f6eb6aaebf175a

Download Submit
memory/620-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/680-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/680-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads