07f1f6107788c7f01caa034627f1b9782216a112f24dacb88d8bbc20e6ee7c58

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66948e5a33d2d1181003954fe1627220N.exe
Size

352KB
MD5

66948e5a33d2d1181003954fe1627220
SHA1

fda23caabb19dbe2da16be68a150c4a25e6c4e48
SHA256

07f1f6107788c7f01caa034627f1b9782216a112f24dacb88d8bbc20e6ee7c58
SHA512

bf61e283c191f89dc822b0b92ff8638936aa46e89a4a3d99bd5677eb68454b9bd0df91a5697d450c41fa11cc11e0ca3345b0d1755bc688cdd3508423912c5169
SSDEEP

6144:XlC68sJsPz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:VCvsNsUasUqsU6sp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldndng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadhen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfdjpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklmoccl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpobi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	66948e5a33d2d1181003954fe1627220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	66948e5a33d2d1181003954fe1627220N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laknfmgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfamko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldndng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogene32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklmoccl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mogene32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfamko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe

Executes dropped EXE 18 IoCs

pid	Process
1464	Kadhen32.exe
2280	Kikpgk32.exe
2884	Lklmoccl.exe
2748	Laknfmgd.exe
2936	Lcnhcdkp.exe
2620	Ldndng32.exe
2804	Mogene32.exe
2712	Mfamko32.exe
2292	Mfdjpo32.exe
1752	Mmpobi32.exe
1536	Mkelcenm.exe
2956	Nbaafocg.exe
2588	Nmkbfmpf.exe
2328	Nplkhh32.exe
2416	Nffcebdd.exe
1248	Nfhpjaba.exe
2452	Ofmiea32.exe
2468	Ohnemidj.exe

Loads dropped DLL 40 IoCs

pid	Process
3036	66948e5a33d2d1181003954fe1627220N.exe
3036	66948e5a33d2d1181003954fe1627220N.exe
1464	Kadhen32.exe
1464	Kadhen32.exe
2280	Kikpgk32.exe
2280	Kikpgk32.exe
2884	Lklmoccl.exe
2884	Lklmoccl.exe
2748	Laknfmgd.exe
2748	Laknfmgd.exe
2936	Lcnhcdkp.exe
2936	Lcnhcdkp.exe
2620	Ldndng32.exe
2620	Ldndng32.exe
2804	Mogene32.exe
2804	Mogene32.exe
2712	Mfamko32.exe
2712	Mfamko32.exe
2292	Mfdjpo32.exe
2292	Mfdjpo32.exe
1752	Mmpobi32.exe
1752	Mmpobi32.exe
1536	Mkelcenm.exe
1536	Mkelcenm.exe
2956	Nbaafocg.exe
2956	Nbaafocg.exe
2588	Nmkbfmpf.exe
2588	Nmkbfmpf.exe
2328	Nplkhh32.exe
2328	Nplkhh32.exe
2416	Nffcebdd.exe
2416	Nffcebdd.exe
1248	Nfhpjaba.exe
1248	Nfhpjaba.exe
2452	Ofmiea32.exe
2452	Ofmiea32.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kikpgk32.exe	Kadhen32.exe
File created	C:\Windows\SysWOW64\Mogene32.exe	Ldndng32.exe
File created	C:\Windows\SysWOW64\Mfamko32.exe	Mogene32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpobi32.exe	Mfdjpo32.exe
File created	C:\Windows\SysWOW64\Gaopnk32.dll	Kikpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ldndng32.exe	Lcnhcdkp.exe
File created	C:\Windows\SysWOW64\Cpikne32.dll	Mfamko32.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Mkelcenm.exe
File opened for modification	C:\Windows\SysWOW64\Laknfmgd.exe	Lklmoccl.exe
File opened for modification	C:\Windows\SysWOW64\Mfamko32.exe	Mogene32.exe
File created	C:\Windows\SysWOW64\Nlgeqb32.dll	Mmpobi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbaafocg.exe	Mkelcenm.exe
File created	C:\Windows\SysWOW64\Mdjfie32.dll	Lcnhcdkp.exe
File created	C:\Windows\SysWOW64\Nmjkbjpm.dll	Mkelcenm.exe
File opened for modification	C:\Windows\SysWOW64\Nfhpjaba.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Ofmiea32.exe	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Ldndng32.exe	Lcnhcdkp.exe
File created	C:\Windows\SysWOW64\Mgkgdd32.dll	Ldndng32.exe
File created	C:\Windows\SysWOW64\Gaijph32.dll	Nplkhh32.exe
File opened for modification	C:\Windows\SysWOW64\Kadhen32.exe	66948e5a33d2d1181003954fe1627220N.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofmiea32.exe
File created	C:\Windows\SysWOW64\Kadhen32.exe	66948e5a33d2d1181003954fe1627220N.exe
File opened for modification	C:\Windows\SysWOW64\Nplkhh32.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File opened for modification	C:\Windows\SysWOW64\Lklmoccl.exe	Kikpgk32.exe
File created	C:\Windows\SysWOW64\Nekofg32.dll	66948e5a33d2d1181003954fe1627220N.exe
File opened for modification	C:\Windows\SysWOW64\Lcnhcdkp.exe	Laknfmgd.exe
File created	C:\Windows\SysWOW64\Mfdjpo32.exe	Mfamko32.exe
File created	C:\Windows\SysWOW64\Mmpobi32.exe	Mfdjpo32.exe
File created	C:\Windows\SysWOW64\Pfiffp32.dll	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Lklmoccl.exe	Kikpgk32.exe
File created	C:\Windows\SysWOW64\Lcnhcdkp.exe	Laknfmgd.exe
File created	C:\Windows\SysWOW64\Fdldjnpc.dll	Laknfmgd.exe
File created	C:\Windows\SysWOW64\Pqgcbo32.dll	Mogene32.exe
File created	C:\Windows\SysWOW64\Mkelcenm.exe	Mmpobi32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkbfmpf.exe	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Laknfmgd.exe	Lklmoccl.exe
File created	C:\Windows\SysWOW64\Qegpeh32.dll	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Nghhnhbf.dll	Lklmoccl.exe
File created	C:\Windows\SysWOW64\Nmkbfmpf.exe	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Ofmiea32.exe	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Mogene32.exe	Ldndng32.exe
File created	C:\Windows\SysWOW64\Limhol32.dll	Mfdjpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkelcenm.exe	Mmpobi32.exe
File created	C:\Windows\SysWOW64\Bllndljk.dll	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File opened for modification	C:\Windows\SysWOW64\Kikpgk32.exe	Kadhen32.exe
File created	C:\Windows\SysWOW64\Ldbjfdld.dll	Kadhen32.exe
File opened for modification	C:\Windows\SysWOW64\Mfdjpo32.exe	Mfamko32.exe
File created	C:\Windows\SysWOW64\Nplkhh32.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Nfhpjaba.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Hdfjnimm.dll	Nfhpjaba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1716	2468	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldndng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mogene32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpobi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadhen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laknfmgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfamko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfhpjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66948e5a33d2d1181003954fe1627220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikpgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnhcdkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkelcenm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklmoccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfdjpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmiea32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	66948e5a33d2d1181003954fe1627220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgcbo32.dll"	Mogene32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfamko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegpeh32.dll"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekofg32.dll"	66948e5a33d2d1181003954fe1627220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mogene32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	66948e5a33d2d1181003954fe1627220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklmoccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdjfie32.dll"	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpobi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	66948e5a33d2d1181003954fe1627220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeqb32.dll"	Mmpobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll"	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfamko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldndng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldndng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limhol32.dll"	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mogene32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghhnhbf.dll"	Lklmoccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	66948e5a33d2d1181003954fe1627220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklmoccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laknfmgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfiffp32.dll"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll"	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkgdd32.dll"	Ldndng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	66948e5a33d2d1181003954fe1627220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaopnk32.dll"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpikne32.dll"	Mfamko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkbjpm.dll"	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkbfmpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1464	3036	66948e5a33d2d1181003954fe1627220N.exe	29
PID 3036 wrote to memory of 1464	3036	66948e5a33d2d1181003954fe1627220N.exe	29
PID 3036 wrote to memory of 1464	3036	66948e5a33d2d1181003954fe1627220N.exe	29
PID 3036 wrote to memory of 1464	3036	66948e5a33d2d1181003954fe1627220N.exe	29
PID 1464 wrote to memory of 2280	1464	Kadhen32.exe	30
PID 1464 wrote to memory of 2280	1464	Kadhen32.exe	30
PID 1464 wrote to memory of 2280	1464	Kadhen32.exe	30
PID 1464 wrote to memory of 2280	1464	Kadhen32.exe	30
PID 2280 wrote to memory of 2884	2280	Kikpgk32.exe	31
PID 2280 wrote to memory of 2884	2280	Kikpgk32.exe	31
PID 2280 wrote to memory of 2884	2280	Kikpgk32.exe	31
PID 2280 wrote to memory of 2884	2280	Kikpgk32.exe	31
PID 2884 wrote to memory of 2748	2884	Lklmoccl.exe	32
PID 2884 wrote to memory of 2748	2884	Lklmoccl.exe	32
PID 2884 wrote to memory of 2748	2884	Lklmoccl.exe	32
PID 2884 wrote to memory of 2748	2884	Lklmoccl.exe	32
PID 2748 wrote to memory of 2936	2748	Laknfmgd.exe	33
PID 2748 wrote to memory of 2936	2748	Laknfmgd.exe	33
PID 2748 wrote to memory of 2936	2748	Laknfmgd.exe	33
PID 2748 wrote to memory of 2936	2748	Laknfmgd.exe	33
PID 2936 wrote to memory of 2620	2936	Lcnhcdkp.exe	34
PID 2936 wrote to memory of 2620	2936	Lcnhcdkp.exe	34
PID 2936 wrote to memory of 2620	2936	Lcnhcdkp.exe	34
PID 2936 wrote to memory of 2620	2936	Lcnhcdkp.exe	34
PID 2620 wrote to memory of 2804	2620	Ldndng32.exe	35
PID 2620 wrote to memory of 2804	2620	Ldndng32.exe	35
PID 2620 wrote to memory of 2804	2620	Ldndng32.exe	35
PID 2620 wrote to memory of 2804	2620	Ldndng32.exe	35
PID 2804 wrote to memory of 2712	2804	Mogene32.exe	36
PID 2804 wrote to memory of 2712	2804	Mogene32.exe	36
PID 2804 wrote to memory of 2712	2804	Mogene32.exe	36
PID 2804 wrote to memory of 2712	2804	Mogene32.exe	36
PID 2712 wrote to memory of 2292	2712	Mfamko32.exe	37
PID 2712 wrote to memory of 2292	2712	Mfamko32.exe	37
PID 2712 wrote to memory of 2292	2712	Mfamko32.exe	37
PID 2712 wrote to memory of 2292	2712	Mfamko32.exe	37
PID 2292 wrote to memory of 1752	2292	Mfdjpo32.exe	38
PID 2292 wrote to memory of 1752	2292	Mfdjpo32.exe	38
PID 2292 wrote to memory of 1752	2292	Mfdjpo32.exe	38
PID 2292 wrote to memory of 1752	2292	Mfdjpo32.exe	38
PID 1752 wrote to memory of 1536	1752	Mmpobi32.exe	39
PID 1752 wrote to memory of 1536	1752	Mmpobi32.exe	39
PID 1752 wrote to memory of 1536	1752	Mmpobi32.exe	39
PID 1752 wrote to memory of 1536	1752	Mmpobi32.exe	39
PID 1536 wrote to memory of 2956	1536	Mkelcenm.exe	40
PID 1536 wrote to memory of 2956	1536	Mkelcenm.exe	40
PID 1536 wrote to memory of 2956	1536	Mkelcenm.exe	40
PID 1536 wrote to memory of 2956	1536	Mkelcenm.exe	40
PID 2956 wrote to memory of 2588	2956	Nbaafocg.exe	41
PID 2956 wrote to memory of 2588	2956	Nbaafocg.exe	41
PID 2956 wrote to memory of 2588	2956	Nbaafocg.exe	41
PID 2956 wrote to memory of 2588	2956	Nbaafocg.exe	41
PID 2588 wrote to memory of 2328	2588	Nmkbfmpf.exe	42
PID 2588 wrote to memory of 2328	2588	Nmkbfmpf.exe	42
PID 2588 wrote to memory of 2328	2588	Nmkbfmpf.exe	42
PID 2588 wrote to memory of 2328	2588	Nmkbfmpf.exe	42
PID 2328 wrote to memory of 2416	2328	Nplkhh32.exe	43
PID 2328 wrote to memory of 2416	2328	Nplkhh32.exe	43
PID 2328 wrote to memory of 2416	2328	Nplkhh32.exe	43
PID 2328 wrote to memory of 2416	2328	Nplkhh32.exe	43
PID 2416 wrote to memory of 1248	2416	Nffcebdd.exe	44
PID 2416 wrote to memory of 1248	2416	Nffcebdd.exe	44
PID 2416 wrote to memory of 1248	2416	Nffcebdd.exe	44
PID 2416 wrote to memory of 1248	2416	Nffcebdd.exe	44

C:\Users\Admin\AppData\Local\Temp\66948e5a33d2d1181003954fe1627220N.exe
"C:\Users\Admin\AppData\Local\Temp\66948e5a33d2d1181003954fe1627220N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\Kadhen32.exe
  C:\Windows\system32\Kadhen32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\Kikpgk32.exe
    C:\Windows\system32\Kikpgk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\Lklmoccl.exe
      C:\Windows\system32\Lklmoccl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Laknfmgd.exe
        
        C:\Windows\system32\Laknfmgd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\Lcnhcdkp.exe
        
        C:\Windows\system32\Lcnhcdkp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ldndng32.exe
        
        C:\Windows\system32\Ldndng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Mogene32.exe
        
        C:\Windows\system32\Mogene32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Mfamko32.exe
        
        C:\Windows\system32\Mfamko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mfdjpo32.exe
        
        C:\Windows\system32\Mfdjpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mmpobi32.exe
        
        C:\Windows\system32\Mmpobi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Mkelcenm.exe
        
        C:\Windows\system32\Mkelcenm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Nplkhh32.exe
        
        C:\Windows\system32\Nplkhh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Nfhpjaba.exe
        
        C:\Windows\system32\Nfhpjaba.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Ofmiea32.exe
        
        C:\Windows\system32\Ofmiea32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kadhen32.exe

Filesize
352KB

MD5
f31f198dbff657791b51457d6089c728

SHA1
269f6af6612551703249cb64dbae998b5c2ddc9e

SHA256
95768a14ebf785a039b4795790636efea39ce747501ee1f54e73407358dee409

SHA512
301128347953ae63b57ae9285e94036dd329017e0db32b83381b86d9f3acf8d5292641a62830bcecb8c81ad37b551d6a40782e79481b90abd826e222052dba83

Download Submit
C:\Windows\SysWOW64\Kikpgk32.exe

Filesize
352KB

MD5
d5009ffa9917a2eb0c785a5be0116004

SHA1
61ac2aecabd3d1c9ae4eae8b720a8209bb1663fd

SHA256
3a453a49ca798e727d7e33302f0e7b1363dd54a18aa7362ada3d646d04fca0d2

SHA512
fe817ae9050985b315304d807381b3e02ee9a565ce41afa61400e01456f1e67c372fad99e94d56d899637f775d024733383d0622222ea15167162f6b7cd521a0

Download Submit
C:\Windows\SysWOW64\Lcnhcdkp.exe

Filesize
352KB

MD5
32c4e0830745e36297cc1067c94e8e8b

SHA1
673c2a8df9c4834f0cefe62b000961656f29b40d

SHA256
78e8ef0729fb8a76428171b578431578cef361f16ead832eb656440b6433c72b

SHA512
b4a4c83c90482d2c12cd4a5238ddbb4236497321ef3930457adcf82b45ec505ae98d491a612d1e5e576ea4f6444870f35c9252d857b4d3b8e37a2ca986e8cd2b

Download Submit
C:\Windows\SysWOW64\Lklmoccl.exe

Filesize
352KB

MD5
f7721e2e6950e2e0f2a0fca4d19a9550

SHA1
609d90f768d081a6829fbcd12615ed6115da6a29

SHA256
d9ca52f54b8aa768c9fefe86ac0e66589e2716048422e64b3442f6fb89817185

SHA512
255fefdbd162a055570390dace0b8e7e72386f42bf05a34019510f1d9684387ae11b41282639f6aa4869616db7883f4a36f6e4f7bcc0c23714fd423434914801

Download Submit
C:\Windows\SysWOW64\Mfdjpo32.exe

Filesize
352KB

MD5
5dc822885352d055316e38bb10ad2920

SHA1
39a27c8a23eb10188d587059191f22699bdd92e7

SHA256
0c32e920b90eff08b36fb385e35101154eef460f6f96c92bf36722f5ca9d4477

SHA512
ff5846a233f1849015b19f45d7b9c622a450c1f840710b5dde979b7d1598fe5d5cb4b2cf88a3f3c01e969b72e71f9d38f49757ab6fbe4980f9d1ce6287097377

Download Submit
C:\Windows\SysWOW64\Nffcebdd.exe

Filesize
352KB

MD5
1fd74bef4e2dcddb6efcd6bfb1bdfe02

SHA1
d0024e7944b2fbada89ece5bcfe1873eb1967e10

SHA256
8b109f37028bb04820b4a5543437a46378a38f8ad8aaeb3b22707642e3d0c98d

SHA512
5864cb7f69dd6b34bd25278ed463d931959b0601b588c7529caf3104c232a5aa5bcda600e3be6dbc01967184aad36258c1adcfa27f6021023d04a55a9d43560a

Download Submit
C:\Windows\SysWOW64\Ofmiea32.exe

Filesize
352KB

MD5
d47f3ded24515ceeff904f73f4c932f5

SHA1
d222778f76c91de60fb81008387e5c63d6bd9931

SHA256
62317e57175df20009eee699cc47343e189aee0412b60d8270eebab28afb151a

SHA512
4aa7b79031ce81335dbad4fe865477aae3559e6135c10dffabaaebbdc511b64c828f019795d2deabf8c223bc85cfcad43cb16060303d32189b990b8b83f8f817

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
352KB

MD5
feaa89f97940869da19d0b0f48d56aa0

SHA1
b228bfaef4fc689f69e9f262c067da7290b8e2ae

SHA256
93ff3f15e3239412395bd14d9c968ecf13b600101a3800c335818b825ff41eca

SHA512
39fdd534145d0bd4bb37931d520afb7568a2402c878a2e1d79c3505f5e9dec79774a50f0a8290d0a6813d9a44ef64e461e5a414fa2616acd166224acb3a96a9a

Download Submit
\Windows\SysWOW64\Laknfmgd.exe

Filesize
352KB

MD5
e3f81f1723b515ae5bcaf01b399c5ea0

SHA1
241667092fed0dc5776c1a048883eb82a5e51f0c

SHA256
1e142b86dd56ccce709fab7f7af8d2dbeca79f7f5a10e82a112438da6c89f288

SHA512
94efa59f65c1317608beb161bd54cc27ead235bd3b1139b217a776f257a770c584bbc88d348036cf5e7df42f7997acc2db560cb0c7b73b9becd1c7313521e066

Download Submit
\Windows\SysWOW64\Ldndng32.exe

Filesize
352KB

MD5
5ea654366bd980fa063667c84bf2e3f6

SHA1
0ac68adf3a44a1b1c050b4f404585d0cca17329b

SHA256
e3b86b624781f0bf5757648a5f12ab8eff7dc90df1a4382784249dad020c6fc0

SHA512
a751fbb8f387aec3803c8ba6c99a5b77446c54137348c28d8f7dc2f07892a20b84a6d49e9ff3122f6bf2ef7c868abf43cb4fbafabb855fe58909c625dbbeb630

Download Submit
\Windows\SysWOW64\Mfamko32.exe

Filesize
352KB

MD5
03fa05924b4da50a7adb5f8bd72eb5f6

SHA1
d05ca248e2b95927837d7c9fef5d1a96d93bc13b

SHA256
c6d5f25d8a3cf30aa793ec81c83649a2b3f19a7a2c8fd3bccab95db05d7cc6ab

SHA512
851ecb9bb1e275d41d5b0fe9de551d8c013cb9c0c9b3f33be421c03334b302db7daa16ecfe7c81d856dd5f1b5da58933ae7642bfb2fee2b44c47b362dd38dc43

Download Submit
\Windows\SysWOW64\Mkelcenm.exe

Filesize
352KB

MD5
511ef120f9e9c90b71b215add4e141d4

SHA1
059013f37bbae3e95798956aa813cc916a691a01

SHA256
fdc9a38d8923a40ebbb05bdc5395a637e85fbee88ec6e289a1334f7890a8403a

SHA512
f63efc83667b466fced1adf517f32084eb0550d61262cbf593a1d500738dae88e9966d22ac34fbc20b8dd1d1d93b288c1326ddc5091836ccaaa301ec51b72ebe

Download Submit
\Windows\SysWOW64\Mmpobi32.exe

Filesize
352KB

MD5
e248fc8c7dad1f8897bc286e679d0827

SHA1
1e7e106966b6ebcbc839e4db47a12fae495fca55

SHA256
88b2ec641cadca461c6073e8267366a34ad64d9c4f9329071daf8f435895af11

SHA512
90068e01b091cf9e2e03f96e2f93cbbd3c2f006a0ff0be6d6dba766758f767f513c118cb42d53132970d2e7965daf9087f2652f2d8d0ce123603a1e6cfd87bec

Download Submit
\Windows\SysWOW64\Mogene32.exe

Filesize
352KB

MD5
73159b407d7203e6258506339a295dff

SHA1
1111f04e452412b44e7d97c347ead35dba644731

SHA256
be29f866259f8e8e38c335294f2d66bb922659eb25d322f2063d0fee7d7f36e7

SHA512
371affd840b010e0d4ade68be57eef22d40f3e4bd8702557a2baeff40eba88d28592b502fbe96bc2c9f970c454110529ec4175d2a3755ff91bc64162fff9cad5

Download Submit
\Windows\SysWOW64\Nbaafocg.exe

Filesize
352KB

MD5
1a124af1cd4ae97d0bf8c54df4fd7114

SHA1
a337975f6b24e673271403cf2c4810aa7ccbd5e2

SHA256
1b76ef05de48cc704385dd494a51cd91786738d0cd697cc163085966a7c95a8a

SHA512
9ad628997d82f3bfd9cd9d5dc1db704c89e3e55c2aafae7239e0fc587324e0af996b58c32ae7b582f0cb2974e7f4e34568ce5041d75ea8b6d728769baa0c734e

Download Submit
\Windows\SysWOW64\Nfhpjaba.exe

Filesize
352KB

MD5
9fdb3319ff89e4d56cd62ca1378cc4d3

SHA1
ce4d1ad940c4bd216a8d07b3c09ec7fb44673e4a

SHA256
5f86b36ff7d084c8186d6ec31ad19f77e93fbfa95fe6c9717fb02708f49103f4

SHA512
c1137c348524dfcf3019c433f197bf2af5792a65b921b78ca4ebcd8d34b99bd25ac5277d5f373ef5f4ccc05ba6bab61110da987f60dbe7240e694c279dd8d4eb

Download Submit
\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
352KB

MD5
6402fb4218468bc277751d99ee5ab2e7

SHA1
63c1f93c191ce91cf383d6274d657111f3e3de2d

SHA256
7e2d4b74ba89faaaa450125623beb8ad934c64052a9e8715d4c650643f685006

SHA512
701751d612f30de65ff3b591e48e707bd655e0b7631ad2b73e70a7f399d0a66ac6445f4f827d78037a870e991fd8a88a5ce9bca32b6c0d19f86165fad59f22f5

Download Submit
\Windows\SysWOW64\Nplkhh32.exe

Filesize
352KB

MD5
c13452bb7a03e206ea72171c4a71e45b

SHA1
ee51f2e4771605860b3721b335090243d19f0e5b

SHA256
9bced1efd6a62e3f9c55434675ef6a28727e55c66fb1cbb1b0ac06977048d345

SHA512
79883f778dbb4dd7ce0b8c8c14c7cd09528c1231612963f3691217f16a83906cf4f21b8c0ec469b922aac58594af14c8f2e48f4115750ee9c81f0628b0fa3d28

Download Submit
memory/1248-236-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1248-235-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1248-225-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1248-326-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1464-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1464-31-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download
memory/1464-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1536-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1536-164-0x0000000001FE0000-0x000000000205F000-memory.dmp

Filesize
508KB

Download
memory/1536-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1752-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1752-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1752-150-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/1752-149-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/2280-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2280-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-309-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-135-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/2292-134-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/2328-216-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2328-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2328-208-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2328-210-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2416-215-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2416-321-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2416-223-0x0000000000260000-0x00000000002DF000-memory.dmp

Filesize
508KB

Download
memory/2452-240-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2452-246-0x00000000002E0000-0x000000000035F000-memory.dmp

Filesize
508KB

Download
memory/2452-328-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2468-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2588-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2588-207-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2588-206-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2588-181-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2620-95-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2620-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2620-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2712-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2748-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2748-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2804-108-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2804-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2804-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-53-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2884-52-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2884-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2936-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2936-80-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/2936-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-179-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2956-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-180-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/3036-4-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3036-291-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3036-12-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads