cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Size

470KB
MD5

1ad2262be3e2334a3d43954e32044cdb
SHA1

3b1903825901667b92c70e771cd3c629c02d59bc
SHA256

cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078
SHA512

99b4fc91658193c435af9786b48cdf55f2a16479f20fcaf6010582e01ea8a21bd186434c2620e3ea5fbbd300a6086b3263b7530d2589c51d7ffa4a872c034f4f
SSDEEP

12288:ah1HhWRQ9U+/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurT1:a7MRWU+4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe

Executes dropped EXE 20 IoCs

pid	Process
4252	Kpjjod32.exe
528	Kgdbkohf.exe
3264	Kgfoan32.exe
1156	Lpocjdld.exe
3360	Laopdgcg.exe
736	Lkgdml32.exe
3636	Ldohebqh.exe
4504	Lcdegnep.exe
5092	Lklnhlfb.exe
3944	Lknjmkdo.exe
1664	Mkpgck32.exe
4324	Mpmokb32.exe
2180	Mgidml32.exe
3856	Mkgmcjld.exe
4528	Nkjjij32.exe
3748	Nacbfdao.exe
2984	Nnjbke32.exe
5024	Nnmopdep.exe
1084	Nnolfdcn.exe
2948	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3960	2948	WerFault.exe	99

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 4252	1120	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe	80
PID 1120 wrote to memory of 4252	1120	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe	80
PID 1120 wrote to memory of 4252	1120	cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe	80
PID 4252 wrote to memory of 528	4252	Kpjjod32.exe	81
PID 4252 wrote to memory of 528	4252	Kpjjod32.exe	81
PID 4252 wrote to memory of 528	4252	Kpjjod32.exe	81
PID 528 wrote to memory of 3264	528	Kgdbkohf.exe	82
PID 528 wrote to memory of 3264	528	Kgdbkohf.exe	82
PID 528 wrote to memory of 3264	528	Kgdbkohf.exe	82
PID 3264 wrote to memory of 1156	3264	Kgfoan32.exe	83
PID 3264 wrote to memory of 1156	3264	Kgfoan32.exe	83
PID 3264 wrote to memory of 1156	3264	Kgfoan32.exe	83
PID 1156 wrote to memory of 3360	1156	Lpocjdld.exe	84
PID 1156 wrote to memory of 3360	1156	Lpocjdld.exe	84
PID 1156 wrote to memory of 3360	1156	Lpocjdld.exe	84
PID 3360 wrote to memory of 736	3360	Laopdgcg.exe	85
PID 3360 wrote to memory of 736	3360	Laopdgcg.exe	85
PID 3360 wrote to memory of 736	3360	Laopdgcg.exe	85
PID 736 wrote to memory of 3636	736	Lkgdml32.exe	86
PID 736 wrote to memory of 3636	736	Lkgdml32.exe	86
PID 736 wrote to memory of 3636	736	Lkgdml32.exe	86
PID 3636 wrote to memory of 4504	3636	Ldohebqh.exe	87
PID 3636 wrote to memory of 4504	3636	Ldohebqh.exe	87
PID 3636 wrote to memory of 4504	3636	Ldohebqh.exe	87
PID 4504 wrote to memory of 5092	4504	Lcdegnep.exe	88
PID 4504 wrote to memory of 5092	4504	Lcdegnep.exe	88
PID 4504 wrote to memory of 5092	4504	Lcdegnep.exe	88
PID 5092 wrote to memory of 3944	5092	Lklnhlfb.exe	89
PID 5092 wrote to memory of 3944	5092	Lklnhlfb.exe	89
PID 5092 wrote to memory of 3944	5092	Lklnhlfb.exe	89
PID 3944 wrote to memory of 1664	3944	Lknjmkdo.exe	90
PID 3944 wrote to memory of 1664	3944	Lknjmkdo.exe	90
PID 3944 wrote to memory of 1664	3944	Lknjmkdo.exe	90
PID 1664 wrote to memory of 4324	1664	Mkpgck32.exe	91
PID 1664 wrote to memory of 4324	1664	Mkpgck32.exe	91
PID 1664 wrote to memory of 4324	1664	Mkpgck32.exe	91
PID 4324 wrote to memory of 2180	4324	Mpmokb32.exe	92
PID 4324 wrote to memory of 2180	4324	Mpmokb32.exe	92
PID 4324 wrote to memory of 2180	4324	Mpmokb32.exe	92
PID 2180 wrote to memory of 3856	2180	Mgidml32.exe	93
PID 2180 wrote to memory of 3856	2180	Mgidml32.exe	93
PID 2180 wrote to memory of 3856	2180	Mgidml32.exe	93
PID 3856 wrote to memory of 4528	3856	Mkgmcjld.exe	94
PID 3856 wrote to memory of 4528	3856	Mkgmcjld.exe	94
PID 3856 wrote to memory of 4528	3856	Mkgmcjld.exe	94
PID 4528 wrote to memory of 3748	4528	Nkjjij32.exe	95
PID 4528 wrote to memory of 3748	4528	Nkjjij32.exe	95
PID 4528 wrote to memory of 3748	4528	Nkjjij32.exe	95
PID 3748 wrote to memory of 2984	3748	Nacbfdao.exe	96
PID 3748 wrote to memory of 2984	3748	Nacbfdao.exe	96
PID 3748 wrote to memory of 2984	3748	Nacbfdao.exe	96
PID 2984 wrote to memory of 5024	2984	Nnjbke32.exe	97
PID 2984 wrote to memory of 5024	2984	Nnjbke32.exe	97
PID 2984 wrote to memory of 5024	2984	Nnjbke32.exe	97
PID 5024 wrote to memory of 1084	5024	Nnmopdep.exe	98
PID 5024 wrote to memory of 1084	5024	Nnmopdep.exe	98
PID 5024 wrote to memory of 1084	5024	Nnmopdep.exe	98
PID 1084 wrote to memory of 2948	1084	Nnolfdcn.exe	99
PID 1084 wrote to memory of 2948	1084	Nnolfdcn.exe	99
PID 1084 wrote to memory of 2948	1084	Nnolfdcn.exe	99

C:\Users\Admin\AppData\Local\Temp\cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe
"C:\Users\Admin\AppData\Local\Temp\cd5255fda87174b82fb490fdb188b7c3f34e840ac30835a2990c827c27714078.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\Kpjjod32.exe
  C:\Windows\system32\Kpjjod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\Kgdbkohf.exe
    C:\Windows\system32\Kgdbkohf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\Kgfoan32.exe
      C:\Windows\system32\Kgfoan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        21⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 428
        22⤵
        Program crash
        
        PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
470KB

MD5
0b4d80730eb2a9fa86f002d98e8e53d1

SHA1
53e1fa4798fcc48e842f6dfd7224f2757e0dea7b

SHA256
7ad1a74670e95ad620fdc30d82d8aa97813d818e6bf1797cdc2d3b1fbdd20c1b

SHA512
71f66aa580e13b0854dbc3e808aed797cfb6f98726511b119a76e87b6071cd4bf5238e1a08380e5f8c41f5340332042cb6eb61364a480716cc8c5bba7c8d452c

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
470KB

MD5
7658df33c7505ccf40dae18ca283f809

SHA1
2c1e00404b77f5ac831f35b7705fe7ad2169d816

SHA256
860615cab5f98073de5d16667ea13f736f1feb89409c521042dd6210d0d91e9d

SHA512
877dcb93f65f05c963cbccc35140c0b538232dc5bc9d8a57c6b4924819b72ca12c5c4041dc00d741dd62f4dd87ac739ecb4929616c89e3738c06064897b6c93a

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
470KB

MD5
494b07f2f935fbb900409e3c9199ceb1

SHA1
e4e7ca2037513ee88e3193b0588d7be2df837234

SHA256
2c47a982728d4ddcda207d210267c05be0aadede2bad7a4dd3660b3f349dd792

SHA512
50e6a7c9479cc68a197650328a00990a0354833a67d17752692002aa86daecf2843b69c9197172eecf7e4b515f541d8e1c7ca8e50ef1d3f8b01c88cb89a42482

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
470KB

MD5
d0e823af95122e117d3fc27dd3cd0bf5

SHA1
9217a08670a7fafe56c806efc65cf735dbc23375

SHA256
5bc36e7c4e1787b9643afde7b386913e9be38b6fa5a3cbf2820097d0785dad22

SHA512
7da37603246f7e0477f9a1f66c308ac3d26f717a8ff9c54f1301de120b6582fe11b84b31999129eeca77b9aa33607b69d733c1b7432246df0cee4f6bf0c5dbd5

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
470KB

MD5
a03039b8a59942db17b68261b2729eb9

SHA1
e3e4e24acba632ef11d37c80d8c948b4ea216d5e

SHA256
295081fb60d2addf46341f0b9e130cf063c1790f6862a19034d2f5fb37019f92

SHA512
2255d90a091dfce7c0adf6319518a807c3ee2c12c87bbf8b8b96f8e3b913461b5d00ff4267ad8a9bb19597c24b06377567610905a1afe3dbd5332059e82f19e7

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
470KB

MD5
8997ead3ece75b2fc6c7caf844c529f1

SHA1
e1d22e00d32765be75733d009b4cf6c08a290b3d

SHA256
185e0e68b3590cd31074a16cdef01d9df663626a0be8c94046aef0cb8f01f751

SHA512
ba43eaafdd034b846e75c90ad0f57ad61dcb91cf177c2cb62a9e4177124e27e4c76cdf4f55d4bfadd5170448cc5124d417b14b4b200acff438859071daeb642d

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
470KB

MD5
f2c9617abf023d30faf01186d12a2ce6

SHA1
98e542042c62370e09f2a57fb297855e383aad38

SHA256
dee213e1d114c810edbcb069b8d56ebd69cd1754ec33cc70a5aaee4da3c1c361

SHA512
b344c6883a6aadb72439ff4e440f5943a61dbaaea9d19a8524cb8b05af4daf03e620b067147cfe06573159d96925581ac99723837bd22224bf6cd06b34318ca2

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
470KB

MD5
001e8b6c278d799752b2eefa60dc1bcf

SHA1
8567e740308a2c854e58617762f2f41cf3b3abff

SHA256
cfc85a504b00083693d48ccfa5faacb5d86bbde904f3fa6de25f4ffb47c52fd1

SHA512
c7d32c834dbe5010a25f17338d647824185466b4ac77349c6a4f3ac83cdae969b74966db7a730055264e5be862dcff9132ea8d5861c74445499f2d2abc30045c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
470KB

MD5
88e886ecf4748d30e7d0e03c41891f01

SHA1
2cca3320537fc549f4298c07984087d68f99be0f

SHA256
eb1ecf76d4778a2bcb947dee6e4b9b46fbef4e37e18fd2f4db1c8e5a926320be

SHA512
baee245be22171599d6aa651887a2e1a0d7e1a96331d75d7b548b25dfeff0db137c8b39b48285b7788c7cd5ff9eace55e852d266e02211eeac9280780b9ef7c0

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
470KB

MD5
6289571fa59bcf1000de7f32f9ad3584

SHA1
37033456cfebfc06bf251a92fdf969994d1a3f93

SHA256
69b8544731c360d20d185f302b34fc5204febf25350f677323070df7c95872e6

SHA512
d3177f484d30caa31c7b58c0c307f9eafb9c84346a2d9f7a285e0f91b64ff2855f8368d45107256ea0cd267caf801f53b1ba1e2b70e87887913b5df7dbb631a4

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
470KB

MD5
7de54654fa542d859826f174efa19370

SHA1
e299cd9a40a0aad919d0bb6904f5b857c69e3ed6

SHA256
474a889eac61bcea429d828f4fe22338dcb98a267c76d5c818573e34c80e9ccb

SHA512
4a1aa9261c822cbdd9226a06ad4f82a1ea88a7de0aaa526d04dee0d111a012dcf35c903576390361ca473e596600b8ed4702297b792ae944b1e38e48b7166c73

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
470KB

MD5
366df3f701d684147356ed8adbcb1549

SHA1
ac15ef1ce8d96c7e6ed50d07a7102da36b6c0ef8

SHA256
92a3006003501e3490ceafc0e14e0cb3e68f66351cbb0cd919879fd81107df22

SHA512
b8677d18c4d3c92d51c7e8089e9ff51fccd8b8e7b07479561cb1e2033d5a4f7eb33454ae44e6defe6977b5de8c575f9139e88dfa50dd44f061c7dda767a43b09

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
470KB

MD5
6db26029bc88945763abc468562cf117

SHA1
2661c7cf6a64e3bb857eecba6a8206fa1370e63f

SHA256
f81b22cf478dbb4700a53ec16dfb95883ea0d1e510d39d9ce91dc543b0e3ea1b

SHA512
252d8bc966fe0850bc2479375bf0d4b6cb872dea3be7fd06fae4b1927f04c6a47dcf17185070857fdef1b1f16b7a0d20ba5ac85fd5bd87e8de8501d201e1111a

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
470KB

MD5
8c0be76bc542fbdfe09841d62981c241

SHA1
1ac01dc5108deb18e3cf06832cb911800f80dc4a

SHA256
430615978e9aa544e22907d374b7457881cb20f4a094540663a1233b183a60a2

SHA512
a6cc3c789dd786f1ac8889e24954f94a8acf1be6d2989d1b0570355f23a32b5ae120855731a2bf2becf7eab76f68d7f65d194bf7d7560561e90810842366ed3a

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
470KB

MD5
1241670d2cad511338b85e854c4cb82b

SHA1
0d336b696acbdbc6b80317bfbfb5b3a381506e7d

SHA256
e391e81886e8dc042c7f15932e6f69499bf9323a2c2312b44e07be2717c55b11

SHA512
0f3944f9835d059073dd0eb4df1fec61ab6cfce70fe9227f809272c0ebf60ddacff5649b8f1c2700a34a668efde30e040694c6f3f1456979d1229624eddd982b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
470KB

MD5
bcf9fe7c6a69f8d59bb4b7e23d3e0da5

SHA1
963852b3d87f42bcd1404c2cc74abc74759ac56d

SHA256
6ea821e8a52b3f32ff1658e3d090998f490d278c3db3642efb70557df8e4b72f

SHA512
7b391e7aaca0f4aa8a66ff3e66679ac3a5fa2b889e2d168de690e360618c4f6bd6d8b03c1bca1f847243a1212384126932aec19d67b541cf05d41457397b68d7

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
470KB

MD5
645e85e83eba7cdfb3de7bf30afbef24

SHA1
ef320e0add56773eb978f29ef31989e891ae117f

SHA256
cacc90331e35a02e31148e56809acce313c6627f18e8dca36365b840ca7b039f

SHA512
2d782cac83588e04e83312a0f3d598797b20fc080a067421489dca105ade2edd7952526f1864e1641b43698f3efbb5525c17e21b2e5fcddc1268f1185f89dbac

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
470KB

MD5
4fb219faaad87d4cc2117074f6bf20cc

SHA1
50e935fb05b05c90c31d3be71ef7cd79be9da10b

SHA256
31f30d592c88407373b3e1d64ac59a6167400328f6ce9a64dfe60254e33ac54f

SHA512
8e4b75334ad85ec520ad3c9bacb260ce3b090b277321d989077e0f9fff1d40d2ee8756f5c616bc935e91bda754a3d4c653d9182a3324bd252c7af38d62c60829

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
470KB

MD5
b2bbcbc361d65b0d8f11a262824e709d

SHA1
c885bc90435a23592337dcf5b7a8019928ebb589

SHA256
748aac9a6667b53a2099fd3156c5b46a3db40642de08019d8e71f8fa9dba9133

SHA512
b44e46ccf72ea2b7b84bedf4eddc698545a15d90c4bcc9e4145221042baf73e062540530b5de1893a93e6e077b0dd91268c4014189fb1caf288679e77fd1148d

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
470KB

MD5
257a0eff02799bf59b38809a8db2939c

SHA1
072d6524ac6f38bf09cf863d7f3ada81f0b35674

SHA256
0c6a74734dc47778d3b13e7a57ff802b2c39287b3ed3d8c136dee27065763c49

SHA512
f429538b7b506b22601b89fd814067880ba2ab83473d49b6909f3fc3bfb77013eab087e0521c335ce2f90a6004beacd062975bc3162f5b028571bcb60bce4178

Download Submit
C:\Windows\SysWOW64\Pellipfm.dll

Filesize
7KB

MD5
922e1468132c8bb785daa82a8ea08a43

SHA1
aabb6e1aad352d4b48557d04470c6599dffda5f7

SHA256
2a82bce2b99d0efda78910aecc6f0d796317c64a65b3e70651006ae158798f4e

SHA512
03a0dcde14d877187647c35a8b2d3808501647c340765319b1f41ba0a3874e6a88660464b29e5410543fc237971d22b5898d17b4627b625037fde269aed943bf

Download Submit
memory/528-16-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/528-197-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/736-189-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/736-48-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1084-151-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1084-164-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1120-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1120-201-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1156-36-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1156-193-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1664-179-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1664-88-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2180-202-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2180-103-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2948-159-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2948-163-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2948-161-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2984-168-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2984-136-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3264-195-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3264-28-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3360-191-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3360-40-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3636-55-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3636-187-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3748-127-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3748-170-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3856-174-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3856-112-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3944-80-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3944-181-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4252-7-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4252-199-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4324-95-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4324-177-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4504-64-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4504-185-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4528-120-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4528-172-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5024-143-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5024-166-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5092-183-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5092-76-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads