f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
Size

112KB
MD5

cd2942c294542624df39edfe1683be59
SHA1

9a478b8ba4ac72c4be8d9d800b8699e4d84542b9
SHA256

f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed
SHA512

eddf6f1b4eca4de6eef0aa660fc793e15831efc365ffc58046a8cabd7d6486c8b0ff2dfd466865cc523dea9d9aad0d9e9039c31f25efaf502d5fea298fe8cf83
SSDEEP

1536:oKaxxAIvdXK59hh8If829kuBLOYRhvA/5CikRynlypv8LIuCseNIQ:oKanRK5FwuBfzYRC+lc802eSQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe

Executes dropped EXE 39 IoCs

pid	Process
4552	Kgbefoji.exe
2212	Kipabjil.exe
4780	Kagichjo.exe
1712	Kpjjod32.exe
4244	Kibnhjgj.exe
2496	Kmnjhioc.exe
3308	Kdhbec32.exe
224	Kgfoan32.exe
3920	Lmqgnhmp.exe
2552	Lcmofolg.exe
696	Liggbi32.exe
1048	Lpappc32.exe
3304	Lgkhlnbn.exe
3492	Lnepih32.exe
3064	Lpcmec32.exe
2576	Lcbiao32.exe
4616	Lilanioo.exe
744	Ldaeka32.exe
2640	Lklnhlfb.exe
2168	Laefdf32.exe
1528	Lcgblncm.exe
368	Mahbje32.exe
3716	Mnocof32.exe
1012	Mgghhlhq.exe
1980	Mgidml32.exe
1064	Mjhqjg32.exe
2124	Maohkd32.exe
3612	Mdmegp32.exe
4816	Mglack32.exe
3104	Njljefql.exe
4660	Ndbnboqb.exe
4072	Nklfoi32.exe
1904	Nddkgonp.exe
2256	Njacpf32.exe
1564	Ndghmo32.exe
1488	Ngedij32.exe
868	Nbkhfc32.exe
5104	Ndidbn32.exe
1352	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	1352	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4552	4420	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe	81
PID 4420 wrote to memory of 4552	4420	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe	81
PID 4420 wrote to memory of 4552	4420	f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe	81
PID 4552 wrote to memory of 2212	4552	Kgbefoji.exe	82
PID 4552 wrote to memory of 2212	4552	Kgbefoji.exe	82
PID 4552 wrote to memory of 2212	4552	Kgbefoji.exe	82
PID 2212 wrote to memory of 4780	2212	Kipabjil.exe	83
PID 2212 wrote to memory of 4780	2212	Kipabjil.exe	83
PID 2212 wrote to memory of 4780	2212	Kipabjil.exe	83
PID 4780 wrote to memory of 1712	4780	Kagichjo.exe	84
PID 4780 wrote to memory of 1712	4780	Kagichjo.exe	84
PID 4780 wrote to memory of 1712	4780	Kagichjo.exe	84
PID 1712 wrote to memory of 4244	1712	Kpjjod32.exe	85
PID 1712 wrote to memory of 4244	1712	Kpjjod32.exe	85
PID 1712 wrote to memory of 4244	1712	Kpjjod32.exe	85
PID 4244 wrote to memory of 2496	4244	Kibnhjgj.exe	86
PID 4244 wrote to memory of 2496	4244	Kibnhjgj.exe	86
PID 4244 wrote to memory of 2496	4244	Kibnhjgj.exe	86
PID 2496 wrote to memory of 3308	2496	Kmnjhioc.exe	87
PID 2496 wrote to memory of 3308	2496	Kmnjhioc.exe	87
PID 2496 wrote to memory of 3308	2496	Kmnjhioc.exe	87
PID 3308 wrote to memory of 224	3308	Kdhbec32.exe	88
PID 3308 wrote to memory of 224	3308	Kdhbec32.exe	88
PID 3308 wrote to memory of 224	3308	Kdhbec32.exe	88
PID 224 wrote to memory of 3920	224	Kgfoan32.exe	89
PID 224 wrote to memory of 3920	224	Kgfoan32.exe	89
PID 224 wrote to memory of 3920	224	Kgfoan32.exe	89
PID 3920 wrote to memory of 2552	3920	Lmqgnhmp.exe	90
PID 3920 wrote to memory of 2552	3920	Lmqgnhmp.exe	90
PID 3920 wrote to memory of 2552	3920	Lmqgnhmp.exe	90
PID 2552 wrote to memory of 696	2552	Lcmofolg.exe	91
PID 2552 wrote to memory of 696	2552	Lcmofolg.exe	91
PID 2552 wrote to memory of 696	2552	Lcmofolg.exe	91
PID 696 wrote to memory of 1048	696	Liggbi32.exe	92
PID 696 wrote to memory of 1048	696	Liggbi32.exe	92
PID 696 wrote to memory of 1048	696	Liggbi32.exe	92
PID 1048 wrote to memory of 3304	1048	Lpappc32.exe	93
PID 1048 wrote to memory of 3304	1048	Lpappc32.exe	93
PID 1048 wrote to memory of 3304	1048	Lpappc32.exe	93
PID 3304 wrote to memory of 3492	3304	Lgkhlnbn.exe	94
PID 3304 wrote to memory of 3492	3304	Lgkhlnbn.exe	94
PID 3304 wrote to memory of 3492	3304	Lgkhlnbn.exe	94
PID 3492 wrote to memory of 3064	3492	Lnepih32.exe	95
PID 3492 wrote to memory of 3064	3492	Lnepih32.exe	95
PID 3492 wrote to memory of 3064	3492	Lnepih32.exe	95
PID 3064 wrote to memory of 2576	3064	Lpcmec32.exe	96
PID 3064 wrote to memory of 2576	3064	Lpcmec32.exe	96
PID 3064 wrote to memory of 2576	3064	Lpcmec32.exe	96
PID 2576 wrote to memory of 4616	2576	Lcbiao32.exe	97
PID 2576 wrote to memory of 4616	2576	Lcbiao32.exe	97
PID 2576 wrote to memory of 4616	2576	Lcbiao32.exe	97
PID 4616 wrote to memory of 744	4616	Lilanioo.exe	98
PID 4616 wrote to memory of 744	4616	Lilanioo.exe	98
PID 4616 wrote to memory of 744	4616	Lilanioo.exe	98
PID 744 wrote to memory of 2640	744	Ldaeka32.exe	99
PID 744 wrote to memory of 2640	744	Ldaeka32.exe	99
PID 744 wrote to memory of 2640	744	Ldaeka32.exe	99
PID 2640 wrote to memory of 2168	2640	Lklnhlfb.exe	100
PID 2640 wrote to memory of 2168	2640	Lklnhlfb.exe	100
PID 2640 wrote to memory of 2168	2640	Lklnhlfb.exe	100
PID 2168 wrote to memory of 1528	2168	Laefdf32.exe	101
PID 2168 wrote to memory of 1528	2168	Laefdf32.exe	101
PID 2168 wrote to memory of 1528	2168	Laefdf32.exe	101
PID 1528 wrote to memory of 368	1528	Lcgblncm.exe	102

C:\Users\Admin\AppData\Local\Temp\f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe
"C:\Users\Admin\AppData\Local\Temp\f6201bebf1f0f3a1128197257b9b0ca8bb1c150e48e32f29a6488d98ffe7ceed.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\Kgbefoji.exe
  C:\Windows\system32\Kgbefoji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\Kipabjil.exe
    C:\Windows\system32\Kipabjil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\Kagichjo.exe
      C:\Windows\system32\Kagichjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 412
        41⤵
        Program crash
        
        PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpcbnd32.dll

Filesize
7KB

MD5
26e1a534dc1a5f6b21b3c933f3518b44

SHA1
a16d6473b7774b41938e0c85d111aac8e757b192

SHA256
aaa9f5c82802240e8e2c3c61ed28ddd3f425288cbd592308502a09bf5f89d805

SHA512
715f4988c807af47889c2e693532e1e62ddb1cd815e381a700ffff1d89886cd71b9b32a3e6c55c18cd54e2226928f30ead5ffdfc1ef327ee3b3e3bbbd7a947fb

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
112KB

MD5
5abdfa5346a42d120c00f2d00e4517a7

SHA1
96ac0ce13066465e2175dc7247a0a6b1f883f54b

SHA256
63e93a0b0f7dd2951d4fe01a9a55431f07cd8939285a50e533a00a73accbf3ae

SHA512
0708e0d8a4a1b0d6c7182d8073431e22b2d726004b6dacfba3b3c4f3b36ab478d031823802e5d902caa87c23f54333781459ba7c3a5f204d67ded08d20874203

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
112KB

MD5
e59f70349bbc00bfe5227d5b56107f0d

SHA1
55b5038c7832cc3dced43aa3f0258857fe94a7de

SHA256
94b8d2502b28c7c4f423eabf78e36d50c731da75bf8af106e42bc59b81aa9d68

SHA512
3d57aaebab01632d3dd710bbcd01a164df46e8ce0003de881ae1a990885f44f381d28cb6bf5c718765a26bc5b1ed41953e55a73050cb74bb522228d3e75544c6

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
112KB

MD5
ced1c708ba3184eb985b019fa3d6ea88

SHA1
68625523e7ab1c1618bd2c4f15ca57e2697865df

SHA256
8ca735d6bec73bf9a0213dd7d6b131f82bc21575680d3bf7521635dc30aac479

SHA512
10d999b62801d0d9031724083e35e5c5c5d94ea55a594fa0fda61487345ef39d0ce87a214ab69e2b8214436964b03c68c6e8a663eae2ba3dd4b600445e856265

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
112KB

MD5
5a74786ace4acef9d79c37fbfd4e2c8e

SHA1
6679d32ecbfe3521db7acf6065c0437461aa35b4

SHA256
7e7dae6d6c42611e4d8e147543ec4d3d272d075c6f7dbc269112924817e6a284

SHA512
cf644a04e59ae9a77516d23525f078119bf8e0c720608f453cca6da84324af5b21673a8d44056cf15b71491d55726e13a91f2fe1e9d6c9b96deead439b9704bb

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
112KB

MD5
3760b7e5817930edf787203af0ee7882

SHA1
ed05e0d021b5a05482744830206ea63b0c50a2b9

SHA256
a498cbcabb87bce257bbb26fb0f34608fa04743169d6980972532a67d8899ee4

SHA512
a296c77406e94b41bfe10be0c4709a6e7d25ac87697d85e7f0f619d8d82878a858785a0f17c154d2ac931f7a81d6bc37cb23e6053cec0464259e225970f2d514

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
112KB

MD5
174dea8a11c293d30abf5bdd8e9813f5

SHA1
762ec024487229c7325f1c0bffac69cd60226089

SHA256
90d14851a01fbe62adec8ffed983652cd96f6a9fe5506b3d922910bdef6c14e5

SHA512
3b07a80835152a93e9ab37a35fed4e6206b4d685396b241f68d416d62c10c53e0480535be62ccfca2c6a41acd51a06d2aad97d33a13fcc4d6d667dd085cb9644

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
112KB

MD5
bd5b1a827be518472b56393bdccc7253

SHA1
60e6cbd990f69737330f019b095c84d2f396c963

SHA256
a92ac0bd63e6b39e9669d752bdc904b322e40180e70ff916ee8be518b348cf87

SHA512
12a6db33346d4ff03be98a297b05e9a586e9a80c107a2e393c363e55df095d69d40bf744d717a7fb95a15cfda73ed0901a15887e6d20f98537cb5d37106ff3fc

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
112KB

MD5
292b4fbde0703e95c042a4fa5dd8b59d

SHA1
9a866db09968b3fd9d6611d808a637b064fe568f

SHA256
455828ba853925b6498d265c24ded13fb3cf4f5b34ef90af4e687b63951094d1

SHA512
195618d8b55f4c1a868d3ee73d80addbb7c2688ada616357f87c48675dfcc4e5d54656c5394cf73e4e409d7a34e6df879fd0898242175e2b28374fce1ec5e12e

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
112KB

MD5
06b2f24370e2d1efffd0f93206ab2849

SHA1
58b536e8ee0bb84cad11cf062b9afd9683b79938

SHA256
25510d97f34684718a9cddd5c48e661331d09d21a4c88682d63eb64b3cc5bb84

SHA512
76b8c370944de6cf942177753cbcb990f285e4396bc8e15cd4cb700fd9bd5bf0ecf0fdf4c5503adf32a62cd4be98d7d694e13dba009b6f9aed946399e7af6e1f

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
112KB

MD5
297bed80e4dd3161fbc6201547c0adc1

SHA1
e47c02517c02fd7309feab458415445ccdedf9e2

SHA256
805e413702dedfa35072b86bcfa68fecc1866932f968ed46aab8355e3f63b4e2

SHA512
c8fdec8055a83a78a1a72dd198d820dbc6a7c24cf6949283b7852ea4de2e5826ce6d738026b61df88c89ede39757dff2510a664bbb598d60b92aeed49f3b0a13

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
112KB

MD5
d187aba4d50a7e3e7880d409ab30a032

SHA1
84078564bc4eb03c5abc5810161c9e26c09ecaa1

SHA256
23095c0d3977f5851eefc57399c5561791395bcb186208ea9ec55422e970f403

SHA512
fa72fbbecbd4f4a42872692dc3026a89d3d7607b42da7f8f86b1f7189d8a96964c471e47b4e6eac2fa0534a9f1fe21313d0aea7ae26d5f4bd157f1fc6a7527a6

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
112KB

MD5
c8c74e4109d8ca3b75a2f8ec6976ef81

SHA1
4aad9e7fcf0224b0c43e794fa6eb1a3bed7459ff

SHA256
63a7de647712a4b1f2db21c7b2599431f4f6ef8f1e75f4e029ddb4a37c219845

SHA512
08604ccbf8732331102fbef812e09bed9f1deba4d9a6e2102fa5eb0e5544ac5ff20a236172de316112335d5833f318111c830e08070359ef6078cafc76719109

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
112KB

MD5
e54f131e594e3899bf1c2ff6aae5d0dd

SHA1
526ce60328179097c8e6c389365ba9d16e9475fe

SHA256
d42ab3c6bdbd231f4faad78f30c2f97089b3235976f89d7f7119d1fedf64d5d3

SHA512
b8ea05dd64209ced8e2ca89e7a20568cff8abc418895ded7facef15e87b52c7edbb240d050e7fd6b59c756823f38a7f4c66df9b0075ba8055c2b784a4cc428bd

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
112KB

MD5
cc162df8b0442abc9b743643a4f45718

SHA1
758edf1c99dda6581176c5ce6c48d1bc17538f96

SHA256
6c7511e0fe5f5fc116594f34f6b2479b04bb50653abad5c99ed66dca91f70ecb

SHA512
4f07f5ed72067e46fb7c9a9fa0de6fec2fb9e7c2964152e5402a44210a736d8cfc6bdebd3b2c2af77f98636e2f4bd42878f1fe37898858fabb608f667856891c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
112KB

MD5
7a1e8cca0ee9398523f3e15b01317f56

SHA1
70fc82ff0749ab3ec15b0023af706e929416e6d4

SHA256
3c1c3f910fd0fb8b2d4e2f1c67dd6b13acfc370183a855032d43c48b2f315019

SHA512
6d23da4448edb4c3e1e2b13717eafc93031d650b3ecfaf11b0fb319fdcb0cb80e8fda6f5968e0048c6ba3e59f40ca0c6ceb7b4e4404f1168d87200830207e239

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
112KB

MD5
0736b7fc901307e80675f1cd8b39aaad

SHA1
10cab6f84277265da236273f649dc617c7c794a7

SHA256
64f5b020256161d8b58245f24470a8dfbebff4e2dc66a4b62440c9f713fb24a4

SHA512
2df1892e14ee2a39b196673d7a1378662dd546662764c7b74e733f91ba4aafbbd193a8639a55a3d5c1a70a662a07ffd9f18525e3dc8b52bd059345b33d3985c4

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
112KB

MD5
3b3ccd862536d7d5cbf8a2ae7bec37f1

SHA1
c0ed2e6e9fbe54a2ad421bb9274d54475da7cfd4

SHA256
638280cc8514eb95e41cafcac811cddc4b0bf377c22868a34dca4b9f67289804

SHA512
f431b4e425c40a0f0a994d92b252253c8a723e130e986cb968e3062aa480cd8a615ff003a1886edcfadd0ee21d74dd55510185edc26115979e4bbe6fcb04c7ba

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
112KB

MD5
9c93861d77207bf61f27cdaa2eddb0aa

SHA1
d790e7e6f2a3aeb1dd408553b74b3d540aad1455

SHA256
6839e871cc975e81960ba541beec2e0da911d8faa33858adb320cd319680de08

SHA512
64419b58c256ae35da5b5a8d698da8cb7d17e3e612ccf2f7fdc5d04ef7cf67418f2005e80e94f1a2e9a49dfd573437da269474cadbacc4c94983b71bd0487389

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
112KB

MD5
2e951f99d68ac146f940f7c1cb1100d4

SHA1
015eaf52fad56d291fd8052523808b48a14aa703

SHA256
512d8f46a5d95b1fbc6e05d5f4336f75e40099ac9342a35074ffed6cc3e0d945

SHA512
3e4aedc3bec7a140daee2ca874b833bc5c82d696450ee51ced7b056ea7c04443fdb3361a0b978d65a3e58b1f79d44594009199baf46c5639654be89b7788981a

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
112KB

MD5
c9c1b39a82c1460b68cb0a9b4fe198c6

SHA1
cca32360b6cc212ab522ff9d78bde6a355d498ac

SHA256
5acd520ae55a7cf40a049cbb9bdfe802f519f14459e6fade59b504b5d04662d3

SHA512
ea34acbe502c12abbe510d96d9467dcca738e9adbc6e645861a2df7a5d3395b095d3e297712d608d9f86e12a6e012de0ed730731d2ee8c8f0f90226f81f81c09

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
112KB

MD5
7a6141057265d01045cc4d1abb607ac7

SHA1
f82fee717677bf8d2cf9023def4daaea560a7cba

SHA256
fb841e2c993f45b7198c3d5effd0000099488f188b6185107fe558410325ab03

SHA512
eebb14427916317a61bce884d8b49087e6c6cfb27e7961681d56157f44dad1718e275e17799552853f244d439c994ea3b53e4c05bcac69bb50e24d972650b556

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
112KB

MD5
10453820c6a86dac2b194f52aca7bbcb

SHA1
2c13ec3c5649a6f35082cfbc46a9f78af520577b

SHA256
9677360490375d53bf9ea71e5ff41bb4fb4482b924423aab671dde9a18376b80

SHA512
25c7c83d6fb9e872e3e88546e45775bdc3aa6ed3393e14db93f5b6e9828f41bea1a981077da8faf3a898353173764faaf9cc43944224d0502677dea37937d7a4

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
112KB

MD5
981bf03eef75abf4bb83181e6894301e

SHA1
fb27d9578978b0720930b3dc5b52220d4ed0a6c1

SHA256
e4b261832862f821cfde96f27da1a3bdd6781cd2cf8f71be03d5661e17458475

SHA512
720139122476331c2f867e6691949e60ca092e33eb1b5a5a912f5d31b9aa7386d7c592a6d730c0d5b6234974aa58f04445857d750cf7b3b72964f6867d76a25a

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
112KB

MD5
355fc8118541ca7020f3e54fbd871367

SHA1
6d7e4b7ac3448f1e59054f678ae839b8ee2facdd

SHA256
fbc27826c1f0b24e4c2bb441b5e259160bf1b223401cc522898039dd29b9539d

SHA512
e094d9dd5fd7dac4cf591868581b1630402fb090fb1ebef0e7e8b6c94348ab300d3b77d7e0fbfe6ff16f4e5648d6b47759a90d7b634ca74867f6082e9d8d1795

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
112KB

MD5
d2af13487c9baa767400ba15ce74e516

SHA1
7cbfa00d2d83586ebda90f8950921b3c4abd4738

SHA256
46ed3235f20ddf0ee12fcb1ad4cf18a36c7424466eed9884eef27510f5aaf8f7

SHA512
025181f7abae8d45f8aeb1261a419ac130f44386e094571ba4da721ab785f1c08529b46be44557e5ee431013b231844be8debda335fdfdbee002933388e3886b

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
112KB

MD5
067697896154cc0975a6baa6ef586b97

SHA1
636fb6c08b028cb26d30087e11510b0fe19cd050

SHA256
bae418029383e9fdcdf66252aa3b615e86d386465fc47237166a2843a0732604

SHA512
ee0b66c005e9c03b0c33e5328771603f144734f7adba6a7a9de82ef33b4c95d54697b400ad5d168ed4bf003e5ca79b6afdb0b83b75eab5ccec36a2ce3f0885c2

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
112KB

MD5
4a664726d789befb490515f93df816f9

SHA1
839be0133a2834168b0f6e18d3faef842088b975

SHA256
1b209dc8fcc5df4d42487d325b0b501bda7d0520d2d9995e42b1db09bee0fc9a

SHA512
0e7557ae0be8a8884067ec534d6733fb20d222d99c28c1e45f320e69d17ed3540cb94b4d12e1d905ae1036d614188c786d95ea63a424ac597e99f6187c4284c5

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
112KB

MD5
d248a88da0d50b3a56840abc7ad626b6

SHA1
35c1a88a8500c43c512992e6d715df8ccfb9cf3c

SHA256
39cba832272310775995774c820a06c3ef95e6766d892817ba8c488551fffb5b

SHA512
781396838a08b61efec05464794a961691b00383f3dcaa81772449e8cada23433d5d9120b3578505427dd71eeefd43510deb7a47dcfaca23aac9be8265b98dd1

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
112KB

MD5
f00c3a1202e23a12df15c91bd711fb50

SHA1
acef7101b4b0c73b60ca111032122f2c8923f2e7

SHA256
257c89b5d89f39949733e5c196617b2b7cd6f320c0dd9ba77dd46654156cc611

SHA512
903d0eda5383e3fe3993ecd1aaa6967e564eb247edb58b708633f50e1a9fbd5b08af01e2530f77335e5ccc4a168e726885942d99245f9e3c9045b64944f52fcb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
112KB

MD5
c31e875712ad3de30e2e797010f5e816

SHA1
48d57f98a94e6e4e2edfbd4a272311425dc64209

SHA256
bd7980aa862aceb71b768c4847d5db13c2063497c627eb038c6d162829d8032e

SHA512
086324631e5838924a79ead59893805c171d664d5dcbd839c4929fcde1d22dca764b3500d2fe2cbd72e476f7ef20bf78cbe4759fb2f1ce5b54a992848303751c

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
112KB

MD5
9be5a1526e5204f6d34a7c2ddceea325

SHA1
e4297094e1dff6849a279b5e5b99301dd8d4a6be

SHA256
13b13516d176e6938046d290faa8a044e7b369ddf7cfa28413494889517b3181

SHA512
568896ffd1a6cf79a083c081f594fec52abf7a26baa7327fe8a9bcb4cf93ff83de9175146e5c9fae1a949704178d32b403ab1660f16ef580985c0042c3724dfc

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
112KB

MD5
1a32fc0294478730a25b3082678b4967

SHA1
0df4d036d9510b10d76bce124491a3af132e054b

SHA256
635e2a7989843d4aec41478982fdc1792b05daa6d9047d996f8bc9fc3bcd7dee

SHA512
c45084459dc74842de0a53c909fd6559ab167ced65db876d688ce0f05f1b203b5c430f8eaafae4601da3b0070b82c28ba9aa9fe9d00dca1ab46ebddbf63420f3

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
112KB

MD5
a7c02bdab6e0785e6ee0483821c3071c

SHA1
8055cc21a2f3a71b8ac21ec92808b062ba604e8d

SHA256
e9da47da3c50b9fef1e8dabf51629babe4a8508f5e0903a120c8ad5d19c81072

SHA512
af25f4878398380300b145d3cec2ca90731183f2bb83dee31b117baca7ac1666b27a3d2225c75c895345c543e151d3ddee7b8e3ed5258d00497e6cd2e2cccdb9

Download Submit
memory/224-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/368-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/368-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads