e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d

Analysis

max time kernel
53s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Size

443KB
MD5

59abbd9efd427646784aa5aca3bf4898
SHA1

4e4ca9d5f59cc5d7fb109783090c0445e08d6011
SHA256

e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d
SHA512

ef2ed4107a877dc5b5964b82cb3888d435cf2316744cf6a660074cf7a954f6a6f6d2ea1ec4cab5ad02788b28b983c3a856599ba8ea273646d047fb4a834c756d
SSDEEP

6144:Pg+axc4K4m7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXmP:2x+p1J1HJ1Uj+HiPj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Executes dropped EXE 36 IoCs

pid	Process
3444	Kkbkamnl.exe
4456	Lmqgnhmp.exe
4416	Lalcng32.exe
2888	Lcmofolg.exe
4668	Lkdggmlj.exe
4220	Lmccchkn.exe
4032	Lkgdml32.exe
2416	Laalifad.exe
968	Lgneampk.exe
1440	Laciofpa.exe
4380	Lddbqa32.exe
2044	Lknjmkdo.exe
768	Mnlfigcc.exe
2004	Mpkbebbf.exe
5080	Mciobn32.exe
3748	Mkpgck32.exe
3380	Majopeii.exe
4820	Mcklgm32.exe
4516	Mjeddggd.exe
2692	Mdkhapfj.exe
3196	Mjhqjg32.exe
2732	Maohkd32.exe
456	Mcpebmkb.exe
2484	Mjjmog32.exe
4348	Maaepd32.exe
2388	Nkjjij32.exe
4648	Nqfbaq32.exe
2408	Nceonl32.exe
228	Nklfoi32.exe
1860	Nqiogp32.exe
3612	Nkncdifl.exe
3008	Ndghmo32.exe
3664	Ngedij32.exe
748	Nnolfdcn.exe
4268	Nqmhbpba.exe
4512	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lmccchkn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
860	4512	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3444	4120	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe	81
PID 4120 wrote to memory of 3444	4120	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe	81
PID 4120 wrote to memory of 3444	4120	e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe	81
PID 3444 wrote to memory of 4456	3444	Kkbkamnl.exe	82
PID 3444 wrote to memory of 4456	3444	Kkbkamnl.exe	82
PID 3444 wrote to memory of 4456	3444	Kkbkamnl.exe	82
PID 4456 wrote to memory of 4416	4456	Lmqgnhmp.exe	83
PID 4456 wrote to memory of 4416	4456	Lmqgnhmp.exe	83
PID 4456 wrote to memory of 4416	4456	Lmqgnhmp.exe	83
PID 4416 wrote to memory of 2888	4416	Lalcng32.exe	84
PID 4416 wrote to memory of 2888	4416	Lalcng32.exe	84
PID 4416 wrote to memory of 2888	4416	Lalcng32.exe	84
PID 2888 wrote to memory of 4668	2888	Lcmofolg.exe	85
PID 2888 wrote to memory of 4668	2888	Lcmofolg.exe	85
PID 2888 wrote to memory of 4668	2888	Lcmofolg.exe	85
PID 4668 wrote to memory of 4220	4668	Lkdggmlj.exe	86
PID 4668 wrote to memory of 4220	4668	Lkdggmlj.exe	86
PID 4668 wrote to memory of 4220	4668	Lkdggmlj.exe	86
PID 4220 wrote to memory of 4032	4220	Lmccchkn.exe	87
PID 4220 wrote to memory of 4032	4220	Lmccchkn.exe	87
PID 4220 wrote to memory of 4032	4220	Lmccchkn.exe	87
PID 4032 wrote to memory of 2416	4032	Lkgdml32.exe	88
PID 4032 wrote to memory of 2416	4032	Lkgdml32.exe	88
PID 4032 wrote to memory of 2416	4032	Lkgdml32.exe	88
PID 2416 wrote to memory of 968	2416	Laalifad.exe	89
PID 2416 wrote to memory of 968	2416	Laalifad.exe	89
PID 2416 wrote to memory of 968	2416	Laalifad.exe	89
PID 968 wrote to memory of 1440	968	Lgneampk.exe	90
PID 968 wrote to memory of 1440	968	Lgneampk.exe	90
PID 968 wrote to memory of 1440	968	Lgneampk.exe	90
PID 1440 wrote to memory of 4380	1440	Laciofpa.exe	91
PID 1440 wrote to memory of 4380	1440	Laciofpa.exe	91
PID 1440 wrote to memory of 4380	1440	Laciofpa.exe	91
PID 4380 wrote to memory of 2044	4380	Lddbqa32.exe	92
PID 4380 wrote to memory of 2044	4380	Lddbqa32.exe	92
PID 4380 wrote to memory of 2044	4380	Lddbqa32.exe	92
PID 2044 wrote to memory of 768	2044	Lknjmkdo.exe	93
PID 2044 wrote to memory of 768	2044	Lknjmkdo.exe	93
PID 2044 wrote to memory of 768	2044	Lknjmkdo.exe	93
PID 768 wrote to memory of 2004	768	Mnlfigcc.exe	94
PID 768 wrote to memory of 2004	768	Mnlfigcc.exe	94
PID 768 wrote to memory of 2004	768	Mnlfigcc.exe	94
PID 2004 wrote to memory of 5080	2004	Mpkbebbf.exe	95
PID 2004 wrote to memory of 5080	2004	Mpkbebbf.exe	95
PID 2004 wrote to memory of 5080	2004	Mpkbebbf.exe	95
PID 5080 wrote to memory of 3748	5080	Mciobn32.exe	96
PID 5080 wrote to memory of 3748	5080	Mciobn32.exe	96
PID 5080 wrote to memory of 3748	5080	Mciobn32.exe	96
PID 3748 wrote to memory of 3380	3748	Mkpgck32.exe	97
PID 3748 wrote to memory of 3380	3748	Mkpgck32.exe	97
PID 3748 wrote to memory of 3380	3748	Mkpgck32.exe	97
PID 3380 wrote to memory of 4820	3380	Majopeii.exe	98
PID 3380 wrote to memory of 4820	3380	Majopeii.exe	98
PID 3380 wrote to memory of 4820	3380	Majopeii.exe	98
PID 4820 wrote to memory of 4516	4820	Mcklgm32.exe	99
PID 4820 wrote to memory of 4516	4820	Mcklgm32.exe	99
PID 4820 wrote to memory of 4516	4820	Mcklgm32.exe	99
PID 4516 wrote to memory of 2692	4516	Mjeddggd.exe	100
PID 4516 wrote to memory of 2692	4516	Mjeddggd.exe	100
PID 4516 wrote to memory of 2692	4516	Mjeddggd.exe	100
PID 2692 wrote to memory of 3196	2692	Mdkhapfj.exe	101
PID 2692 wrote to memory of 3196	2692	Mdkhapfj.exe	101
PID 2692 wrote to memory of 3196	2692	Mdkhapfj.exe	101
PID 3196 wrote to memory of 2732	3196	Mjhqjg32.exe	102

C:\Users\Admin\AppData\Local\Temp\e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe
"C:\Users\Admin\AppData\Local\Temp\e91b533c91e431c444887cd65dbdc4c9a574dd9fc9526004b0a622514b9d972d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\Lmqgnhmp.exe
    C:\Windows\system32\Lmqgnhmp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\Lalcng32.exe
      C:\Windows\system32\Lalcng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        37⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 224
        38⤵
        Program crash
        
        PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4512 -ip 4512
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
443KB

MD5
ed6db413a3440636474407b60d4d450e

SHA1
4aa9f06a85e1566a6768e352e3955a24895d6ffe

SHA256
f62dc380aa485a3a72b1b53138a721bad5ae52434f7d2a5fbdecc2fae208f6f6

SHA512
054f526d96d3a02aaf45717f744f828468e6a9a0dfad7322c29d6c6a694461571dd02fec6237a8acb36584ab16216386853a3b47d57bb7ff4d3b07e8235b0a7e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
443KB

MD5
83e88d3cf6bcc2c842f2ebe64aca78e3

SHA1
2b6eb970b0f20de30060f4dbdfaa6599bc674d74

SHA256
28db84cee3b1a28ef44f72ba57c55f16ebc1eaf50a39a189620ef4a38e7ab572

SHA512
0c940aba878bd2edf9198365efc8e5464f71f4affcfad9f2e795cff5ff00d639417146ff1c227a460c80234db80f79e4f811c71ec6559abc1b1de907d65007b8

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
443KB

MD5
fdb1512fe7aa865407cc6d87a1785f33

SHA1
b7e3e810bf8145270b1c10e09cf487e27582ebde

SHA256
71fd373a19696cc7379709c00efbbaf09ab1218bd111cc94eb23c84171993678

SHA512
98a69f03f7a1a6fb20671bb0701e113d7aa35cf00b0ed644cfa2a6397290a87bcaefa77b9d3cc81fb3defb584d5aac352e93263cf2c9527423512101299b4e45

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
443KB

MD5
8db98982be9dcfb22f6355a135f33afb

SHA1
d860be822e500d8321f8d202b3ff8c0f9def295a

SHA256
9160b92f41278a32c9c6a0a349d0d4076d7534178f18c2c25d65f231f25db4d5

SHA512
4bb37a2927c5a3c9e070fabc31d1f88187a956b2bb64481df1d5036dbd85aa119a4bc6ef2eb9210bfc1b9f45bef7102eb5d641120dbde696f852d6bf842315f6

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
443KB

MD5
70acecbdeeefe1545110abbec6c095f1

SHA1
ceea515db0d0fe87d77821373ad6167eca6ad39e

SHA256
a6ad9bf2fdc369e544e1c8e384701a08599376136e820efc9e6f0e84795350e3

SHA512
052348673cb243d41bbe1f577b82f5d6945226d5b2d1399cc072e2c988e6e4f982640c82c01c77f6cbe4ed773860c9b5d85b7ec30eaaa646dd7a5eb409850ed4

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
443KB

MD5
821fb86e6f61aebbd6466dd35d5bc4e0

SHA1
408ea8749ae7c4986715bb5964854fdc6ea1b0db

SHA256
c6403d99830099409891d3ca489894dd23e6b52e6f784e22fd754e9d6b67d2dd

SHA512
81165e79a92ad5469ef77d1c222d1074afe578070043689c607ec25b2a66d26c2dd37b66b589c705394c1a3578a0263b698ff07e03c6b41aef437ad715c50277

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
443KB

MD5
f3b99f862041234a74a1a4eb23b89a92

SHA1
f2d5888f110d2720080b3d841f5f69569de351d5

SHA256
077401b7f5c6a3df9cc64e12b534ffd917605b5ded497a06486f7721d24bdb3c

SHA512
07acde603c5d7d997e36715c4a2b73eba93b1f9b78051046112dc8cb6d130e65d5219d47fd7aafb19ef9c18bc355031983d7573d111006d137d91489677e7f56

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
443KB

MD5
6c7b4293a4b6f7bce91c5ccbbb7ebc8e

SHA1
d33793208dd23007b2236adeac55320d214b635f

SHA256
f51b53411e00303afabd942b666685d95380282dd648c0d9e97523ca009eee21

SHA512
67ea7b4a0b52e8bc32cb70f2c9a6adaa04fbd05673d2d885ee4dedbd80db2442a75f92bd3344f3fa36d7c588500f6de96674ef913ee973362b599b640bc6ff1d

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
443KB

MD5
789a9cb9a35403efd990308b4c05d3cd

SHA1
9bdbe478684b0bc78a66ee225ad02fd82d322d8e

SHA256
2e67159eeb5210e70e2ff3a0badd1271d064182a78e88cbd62bf25f974f66905

SHA512
768fb254b7ef6c4c126f8f8989b08dfe3ac3387410f675d72badb6445a1540dd7a3d8c28b739c808204c659fa39e8a769d4b164200882c0b20a3dd06e0800550

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
443KB

MD5
655cfb97322fbe29c70331e6a983c220

SHA1
be943913601dc52fe829472c35fdc346d18cbb66

SHA256
525a8452ce49cd01c04b1d3a0dfa8a92ff07c07286dab320ff74b934d8eafa89

SHA512
4393fabef833ad2a3da152414a77e4dd56a4bc5caaa7f8603392ef4b0f8619add53782b68e5cb49eec6ebad322b3b51a871734e51d0c2bab2df44298eaeaba83

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
443KB

MD5
25e38aa39635a0f25ce85d7e0bca7cb4

SHA1
f6beaae2575e855886399354a0397f488ae72b38

SHA256
8b2e81e36a0b4b97ac776b9b00f1b5915087ba89c3dee8094979f8c05be1a666

SHA512
d45b292daa0c51aec0943b52184540739bedaf7963e84a367fd18515596f0a7bcc2747ee62cc28d073e7046635c0819e380f07c7a5820214a032b54068325548

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
443KB

MD5
1cc6059308fb05c4f00e7ebb11f3165e

SHA1
e2bcaa859bda1d0a90946bd41d0008dde6bac8db

SHA256
67f025e3b6531cc1df1315705d8e0ea7f88a3fdec883f72f18621fde8faab058

SHA512
5cf2635663f02a6bee3dc9861bb59a421e36252230cb2e9c12a3c8b8eba46175b86c95764edbd9a713a7662f3f1706005ca601f93b13e165a4922f192394755f

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
443KB

MD5
dd10bb5789f475869e6cc6138ae22cfd

SHA1
fb60aaa3229c6f9f53b375314010846673c316b4

SHA256
10796ca1187ededc29ac74014c673cd368983adbf4a1df2d1c640e45c0f8acd4

SHA512
45ccb605b3882a62b944f17bb22334e1fb5b1909e5943581a3625b012d3e213b1b4b50f6a0ee85a50e19444a1f64981272f185b771a4bc5ee6cfd0680e972872

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
443KB

MD5
93aa3c0fa60b4efb025a7d4d32cef1d5

SHA1
e95ad1728cedb12b4e60d078a66242f7e3bf2aa9

SHA256
6768d32f3a766b8c45cacd98e1bcfb1f1ce67e93daae3aec90c618ef50e52490

SHA512
e34ab6986e706e04d7cc80e9001ae03660909fe718b214161fde703675f4715192f62d0b7d943ee5f89c0c471c46b594d1fa9bfd69a2939fc06b39f2eb9c6feb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
443KB

MD5
cb88b7e577b01ab64b476b14aeedbab0

SHA1
cd593573b52c435879674695f3454a089f9fab78

SHA256
f3fbe15ee6016fd1d15f6620fe01865c3bc5721525fdba3c338d765913a6b324

SHA512
dea5509b0a7868e231bf5a6320ebbacc7b02c5a73bdb3b331d4999bbeb3f7be94584f98c14cbfe696eabb10a236f0c5056d651806b71f397871fd963f3f8fce2

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
443KB

MD5
489b44b91b252a2970880c5c5402018a

SHA1
a1422e5eaadffaebf960a9eebc373b41d2d57782

SHA256
7482b775d51ada805753d04722d66c58e00ca80f0e51a082ffcfcba2b5827b8e

SHA512
d52828fdfe087e4318a4989aeeb83acff54facda165ff45e2ebf8c2adbfe1ec936027a81bf4d60624e436b960486e5cfa10510ac360e8b476b1c09e20ab45214

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
443KB

MD5
c31b51af70ce7585eca553c67fee3a50

SHA1
6cc0e88e991ecefc612262b8d3f3485d39d4c0e8

SHA256
19b70f73330f56d33411252115d078d964101a3a955440b2341933903051e3af

SHA512
4ca96b8cf8c2a865b133e70c4b8e4ece0e3aac783971cf393c14f77dbaeb5a3ef5d46066501eb8e1335469b3954ec74590b23d7eaac5154c83d8917eccf485ca

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
443KB

MD5
148b63bde4e603d9d936d83a6f3f40cc

SHA1
cb1f95562fe97aef6d4787ae78cbccc163e57238

SHA256
3f91800a10a31505ebf94431b368cc209fe34369162acbd96c2856cb6f2d051a

SHA512
3a9af4b6e632357cbc8fa54a8b7ba19e9101677591c09ae6f55b8b3480e3c26389cc60ce3070bcecc1f5fe03ae30aab3634f1e088a0e1f7e1727c3a996291000

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
443KB

MD5
97489038fe6221ab524e890bb97fcb6e

SHA1
7ec4bb8241cd23174309d1282da9c98a862c2156

SHA256
6eb8c91bb9b5d5a73d7ad438633315e721409205226521137196380338d18f71

SHA512
2febb47d44a3845f649922ecac4db4bf353bf42cdf03d89d61f5c459a39022097522c3a528bca6f7265b978bfe7df86c37623ac268fb31a7212196f71672bae0

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
443KB

MD5
fde9543b44c363825a477f8bca7635ea

SHA1
c3ba193cb1aaf190d51b123f8b96c172a0a47cdb

SHA256
1bc646a927612e48bfe299d192989a414f34e21f523a02faaf5610734b3c079e

SHA512
5b5b4ba1b0c0eb5cd89e36794979309d95cbfcf99ea6df523fca3a672ddb1eee5499d6b5ff07e599a08e94c0d9fe26f717b732960f5d91572db7213093c50bfe

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
443KB

MD5
30a8fc76840ad87da5e01911a4d14508

SHA1
9a1edfd7cbf08687615d9059da343c279163340d

SHA256
0b718c14563a5d34f077f602e546b5601a0cdc45ea313d32e65fdd35bbfdec67

SHA512
da8ef907b69c4e21b9acb4e482f7b5691130adc462e3e2045c8945a615f8e8085c48b3ccc235925094a4c05cfd9463ba15921017d82a7c1b432a782eca738501

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
443KB

MD5
17a027988997cbe3cd85610234d28383

SHA1
9f3c30cbe0f05383bdcd6f9e61ea94712e924d2c

SHA256
b727c5ab48e90972b533e21cc8b50bbf37aef50c63316a07a88fc48b97030398

SHA512
40cee805b7a7e6306f9b905676e250e6b2320dd56ba1da82d83fa48423372f216acb4f9b89362b43a0c528f9b88ac59ccb0582c961d76d95e95581fdbcdc5873

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
443KB

MD5
faa44d5d47f9402ccf40ccdde093188a

SHA1
196b18449d6e22c65f76abc87bc0a5d09ec46f39

SHA256
13eab6259ac30acf7342faa2b901e2d27014ff2f7ebd4ac67c17eebe87425ff4

SHA512
384c55f182396540c2be727137330d310dff397ad48099a173294dfaaeba9ae0540eb6512e7a67dd31be944421fbffb9e5f31fa22f6e85f16ec0bcdeecc21997

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
443KB

MD5
1256110f715556d8e1a4079c2d1e76be

SHA1
22324fd2cf7b982d328becfc5ea602d0277a300c

SHA256
ac2f234482dcba26f115b51a5ae2ab909601f9eaab262f67b407f0306f27e94e

SHA512
0ae4e8fc591c57fb6a9374ab74c479b7dffc5148a17e77ff134f5e27b9b20a5dd241920283e4c326eb211aac383e7fbc165a1c707eb106bbc5a7af4bbb8c1860

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
443KB

MD5
b9e9962fbf5b97df366d60a2d618b7d2

SHA1
72fec180fc4ba5d4208406d91394d8b6fe5e7170

SHA256
1a742ec677fc3f752f458dcda114689a01dbe3d7b7c8a028142403f2051e3723

SHA512
bf6a8bf3343753f43d06d80481805f8c74f795d18cc15a4da7b6ad96bbc97c685108803389ad6513be7902e227abd8843df47e55bd40e4f106caa16fc1ec075f

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
443KB

MD5
aaff8bb1006358d0d00b40ef46ed0dde

SHA1
8ee30e346654c1aa5446735771b02361502a5a31

SHA256
edefc6ee321fda1aaa88286071727eaf53c30ca46edb89432340666e4dd64dd4

SHA512
7400863f9156c7a8c417620806c7364552df92017004d23f234db3c9da4d5707dc630331a881697407bf2c9c2cb362411d2b4b6f8baa2fb3ebd868240247dda4

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
443KB

MD5
c20c70507edce1493c22e2bf750e271d

SHA1
a943cda40d13ddeeec07165d725e83097658f539

SHA256
aacbade38e466354ea28c60ce5fcc4e03930771a45008ab3755f03428249c264

SHA512
d4ddfbdeca8d5811457d9533e065b5eed13570c91526be7a081df65553464e74d01e544cf4dc7ec1a461910ed9334967e7a4d94cec3747c78098e0db490e3b6f

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
443KB

MD5
98d86d4655d6456746882b0f49c4ebb9

SHA1
dbdd86cf009a60bddd379d2a2e076ab07cc2bd59

SHA256
b7f0a6d6156a098d5e4246234d2450610ef0800ec99db45ba4bc8e5af191faa0

SHA512
58c3061b37e64d8bf28f9beddeba6bd63302492b17b98eec2fb721abcd4093834120cfae7187f25712f07d4f953984f0b004590ee042bcc8641ee3f6b69bc89b

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
443KB

MD5
df8b89ccff864bca440a0eb59a5d8f54

SHA1
73e946763c2c05063a2a011166ece97ea8e9503d

SHA256
44649213a9604e974e8c9705f082c08eec14a2a82f5b0a4dab87e3c486ad4c65

SHA512
77d78bead00802229daa450c3341e3738cab6e71ad990d8fa0cb56e2451606696ed3e67c5fd4df363d2108e0959e0469eab4467fe95a62092646dedc4300e2f2

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
443KB

MD5
b680b35d0e8c2238104a2279909bd79b

SHA1
d582586849737b5b59e381183fc2367685b9d278

SHA256
ea585cb858d9605c0c146f45b8ce1aed880b664f75213aaf0b1e12ec92d47d8d

SHA512
b171b1ae55779c0e7b802c9744f08e79db93ba6ed3480749eea8edf1145805d51699e9c0ab0eff8266f9031ed691e17331ce25a6c4329af4dbc9f4fb8b3895bf

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
443KB

MD5
1773d6b152bacabdbc8b1c3c03838992

SHA1
0e7ced5c153c384865e8c7d10163d1a2752e6db5

SHA256
39526def2a48ed46e3ddfb92a64dd62717b3abc5f5ea8c3a186a0cf47138b536

SHA512
b059ffae321cc90c8725084e717f0b7d470b8f9b7c252f098a205d2a59d1cfa2e724ced057644ace31edc992d807e37844723d8912f6f7619c3ba7a13db67c34

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
443KB

MD5
a7667121213c6536fda5981c6c615fa6

SHA1
997c9f1538a8de5603a04c4a82c84a2e4707dd30

SHA256
a40654231ec4c5a3d7b8866f4931814a1db4edf81831b0c22e91c0b813d970dc

SHA512
e0a7d42d84185ad014480d1944dbcd27c0f3d35700566909e2c326099792f1f2d9b71bdbad122c7c07e96d6defd424426885ebbfa7f194da3c8a1053691badab

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
443KB

MD5
c8917e8ef8160c0d4e008781181acbd9

SHA1
84702cf67d189489de5f04bfa79bf0f9ca9f7a7d

SHA256
677f5a18499edc6992af73355a7a34bc08ea55ee2d08a47d87a9ee16084f5f1d

SHA512
22b75f595fa65ea38862e2297e3d4d8c81f3ef91293db7f49df212b94e76a44ff17fb1a31837d66083921776d4ba3922c767cc6a10b7295351772068ef4bae9e

Download Submit
memory/228-297-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/228-233-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/456-184-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/456-308-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/748-273-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/748-286-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/768-105-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/768-328-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/968-336-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/968-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1440-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1440-334-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-295-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-241-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-113-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-326-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2044-330-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2044-96-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2388-303-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2388-209-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2408-299-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2408-225-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-338-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-197-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-306-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2692-161-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2692-314-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2732-310-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2732-177-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2888-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2888-346-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-257-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-291-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3196-312-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3196-169-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3380-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3380-320-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3444-352-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3444-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3612-293-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3612-249-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3664-266-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3664-288-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3748-129-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3748-322-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4032-340-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4032-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-354-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4220-342-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4220-48-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4268-289-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4268-275-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4348-201-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4348-355-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4380-332-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4380-91-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-348-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4456-350-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4456-21-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4512-285-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4512-281-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4516-316-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4516-156-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4648-217-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4648-301-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4668-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4668-344-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4820-145-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4820-318-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5080-324-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5080-120-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads