b589c205f72162813acf5bcc89b54f0ca244c1d1b35373270aa31984e6a00f94

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d3f60a023818b33736bfc81fae9e3d.exe
Size

350KB
MD5

b0d3f60a023818b33736bfc81fae9e3d
SHA1

46737dc742174cd39240a85c1140af3aa3ccacd0
SHA256

b589c205f72162813acf5bcc89b54f0ca244c1d1b35373270aa31984e6a00f94
SHA512

378a45ecdeba972baba368016809b04050bdd950ddaec9bf27eb0d86dba92e355374895cb18d25fc0ab6ac163beb60b2df8d0abdad4bf613c43f2617eaf8b178
SSDEEP

6144:XD/s0Nr3HVpaopOpHVILifyeYVDcfflXpX6LRifyeYVDc:XDXHAHyefyeYCdXpXZfyeY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimjmbae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnffgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqgoiokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbgkcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqgoiokm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iimjmbae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnffgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe

Executes dropped EXE 19 IoCs

pid	Process
1292	Iimjmbae.exe
2812	Iedkbc32.exe
2704	Ieidmbcc.exe
2744	Jnffgd32.exe
2632	Jqgoiokm.exe
2556	Jbgkcb32.exe
2960	Kiijnq32.exe
2908	Kklpekno.exe
1936	Keednado.exe
1944	Lanaiahq.exe
1036	Lcagpl32.exe
696	Lmikibio.exe
2660	Libicbma.exe
1608	Mieeibkn.exe
2356	Mhloponc.exe
1288	Nibebfpl.exe
2092	Ngibaj32.exe
400	Nlekia32.exe
1136	Nlhgoqhh.exe

Loads dropped DLL 38 IoCs

pid	Process
2848	b0d3f60a023818b33736bfc81fae9e3d.exe
2848	b0d3f60a023818b33736bfc81fae9e3d.exe
1292	Iimjmbae.exe
1292	Iimjmbae.exe
2812	Iedkbc32.exe
2812	Iedkbc32.exe
2704	Ieidmbcc.exe
2704	Ieidmbcc.exe
2744	Jnffgd32.exe
2744	Jnffgd32.exe
2632	Jqgoiokm.exe
2632	Jqgoiokm.exe
2556	Jbgkcb32.exe
2556	Jbgkcb32.exe
2960	Kiijnq32.exe
2960	Kiijnq32.exe
2908	Kklpekno.exe
2908	Kklpekno.exe
1936	Keednado.exe
1936	Keednado.exe
1944	Lanaiahq.exe
1944	Lanaiahq.exe
1036	Lcagpl32.exe
1036	Lcagpl32.exe
696	Lmikibio.exe
696	Lmikibio.exe
2660	Libicbma.exe
2660	Libicbma.exe
1608	Mieeibkn.exe
1608	Mieeibkn.exe
2356	Mhloponc.exe
2356	Mhloponc.exe
1288	Nibebfpl.exe
1288	Nibebfpl.exe
2092	Ngibaj32.exe
2092	Ngibaj32.exe
400	Nlekia32.exe
400	Nlekia32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kiijnq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nldjnfaf.dll	b0d3f60a023818b33736bfc81fae9e3d.exe
File created	C:\Windows\SysWOW64\Lekjcmbe.dll	Jnffgd32.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lmikibio.exe
File created	C:\Windows\SysWOW64\Fffdil32.dll	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Lanaiahq.exe	Keednado.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Iimjmbae.exe	b0d3f60a023818b33736bfc81fae9e3d.exe
File opened for modification	C:\Windows\SysWOW64\Keednado.exe	Kklpekno.exe
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Jnffgd32.exe	Ieidmbcc.exe
File created	C:\Windows\SysWOW64\Dpelbgel.dll	Jqgoiokm.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Iimjmbae.exe	b0d3f60a023818b33736bfc81fae9e3d.exe
File opened for modification	C:\Windows\SysWOW64\Iedkbc32.exe	Iimjmbae.exe
File opened for modification	C:\Windows\SysWOW64\Kiijnq32.exe	Jbgkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Ieidmbcc.exe	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Jnffgd32.exe	Ieidmbcc.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Keednado.exe	Kklpekno.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Jbgkcb32.exe	Jqgoiokm.exe
File opened for modification	C:\Windows\SysWOW64\Jbgkcb32.exe	Jqgoiokm.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Mhloponc.exe
File created	C:\Windows\SysWOW64\Kklpekno.exe	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Eicieohp.dll	Ieidmbcc.exe
File opened for modification	C:\Windows\SysWOW64\Jqgoiokm.exe	Jnffgd32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Jqgoiokm.exe	Jnffgd32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Lmikibio.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Iedkbc32.exe	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Ieidmbcc.exe	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Jjnbaf32.dll	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kklpekno.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Kiijnq32.exe	Jbgkcb32.exe
File created	C:\Windows\SysWOW64\Cljiflem.dll	Jbgkcb32.exe
File created	C:\Windows\SysWOW64\Daiohhgh.dll	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Keednado.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll"	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqgoiokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll"	Jqgoiokm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll"	Jbgkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll"	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnffgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b0d3f60a023818b33736bfc81fae9e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll"	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iimjmbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b0d3f60a023818b33736bfc81fae9e3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnffgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieidmbcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqgoiokm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll"	Jnffgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicieohp.dll"	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b0d3f60a023818b33736bfc81fae9e3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedkbc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1292	2848	b0d3f60a023818b33736bfc81fae9e3d.exe	28
PID 2848 wrote to memory of 1292	2848	b0d3f60a023818b33736bfc81fae9e3d.exe	28
PID 2848 wrote to memory of 1292	2848	b0d3f60a023818b33736bfc81fae9e3d.exe	28
PID 2848 wrote to memory of 1292	2848	b0d3f60a023818b33736bfc81fae9e3d.exe	28
PID 1292 wrote to memory of 2812	1292	Iimjmbae.exe	29
PID 1292 wrote to memory of 2812	1292	Iimjmbae.exe	29
PID 1292 wrote to memory of 2812	1292	Iimjmbae.exe	29
PID 1292 wrote to memory of 2812	1292	Iimjmbae.exe	29
PID 2812 wrote to memory of 2704	2812	Iedkbc32.exe	30
PID 2812 wrote to memory of 2704	2812	Iedkbc32.exe	30
PID 2812 wrote to memory of 2704	2812	Iedkbc32.exe	30
PID 2812 wrote to memory of 2704	2812	Iedkbc32.exe	30
PID 2704 wrote to memory of 2744	2704	Ieidmbcc.exe	31
PID 2704 wrote to memory of 2744	2704	Ieidmbcc.exe	31
PID 2704 wrote to memory of 2744	2704	Ieidmbcc.exe	31
PID 2704 wrote to memory of 2744	2704	Ieidmbcc.exe	31
PID 2744 wrote to memory of 2632	2744	Jnffgd32.exe	32
PID 2744 wrote to memory of 2632	2744	Jnffgd32.exe	32
PID 2744 wrote to memory of 2632	2744	Jnffgd32.exe	32
PID 2744 wrote to memory of 2632	2744	Jnffgd32.exe	32
PID 2632 wrote to memory of 2556	2632	Jqgoiokm.exe	33
PID 2632 wrote to memory of 2556	2632	Jqgoiokm.exe	33
PID 2632 wrote to memory of 2556	2632	Jqgoiokm.exe	33
PID 2632 wrote to memory of 2556	2632	Jqgoiokm.exe	33
PID 2556 wrote to memory of 2960	2556	Jbgkcb32.exe	34
PID 2556 wrote to memory of 2960	2556	Jbgkcb32.exe	34
PID 2556 wrote to memory of 2960	2556	Jbgkcb32.exe	34
PID 2556 wrote to memory of 2960	2556	Jbgkcb32.exe	34
PID 2960 wrote to memory of 2908	2960	Kiijnq32.exe	35
PID 2960 wrote to memory of 2908	2960	Kiijnq32.exe	35
PID 2960 wrote to memory of 2908	2960	Kiijnq32.exe	35
PID 2960 wrote to memory of 2908	2960	Kiijnq32.exe	35
PID 2908 wrote to memory of 1936	2908	Kklpekno.exe	36
PID 2908 wrote to memory of 1936	2908	Kklpekno.exe	36
PID 2908 wrote to memory of 1936	2908	Kklpekno.exe	36
PID 2908 wrote to memory of 1936	2908	Kklpekno.exe	36
PID 1936 wrote to memory of 1944	1936	Keednado.exe	37
PID 1936 wrote to memory of 1944	1936	Keednado.exe	37
PID 1936 wrote to memory of 1944	1936	Keednado.exe	37
PID 1936 wrote to memory of 1944	1936	Keednado.exe	37
PID 1944 wrote to memory of 1036	1944	Lanaiahq.exe	38
PID 1944 wrote to memory of 1036	1944	Lanaiahq.exe	38
PID 1944 wrote to memory of 1036	1944	Lanaiahq.exe	38
PID 1944 wrote to memory of 1036	1944	Lanaiahq.exe	38
PID 1036 wrote to memory of 696	1036	Lcagpl32.exe	39
PID 1036 wrote to memory of 696	1036	Lcagpl32.exe	39
PID 1036 wrote to memory of 696	1036	Lcagpl32.exe	39
PID 1036 wrote to memory of 696	1036	Lcagpl32.exe	39
PID 696 wrote to memory of 2660	696	Lmikibio.exe	40
PID 696 wrote to memory of 2660	696	Lmikibio.exe	40
PID 696 wrote to memory of 2660	696	Lmikibio.exe	40
PID 696 wrote to memory of 2660	696	Lmikibio.exe	40
PID 2660 wrote to memory of 1608	2660	Libicbma.exe	41
PID 2660 wrote to memory of 1608	2660	Libicbma.exe	41
PID 2660 wrote to memory of 1608	2660	Libicbma.exe	41
PID 2660 wrote to memory of 1608	2660	Libicbma.exe	41
PID 1608 wrote to memory of 2356	1608	Mieeibkn.exe	42
PID 1608 wrote to memory of 2356	1608	Mieeibkn.exe	42
PID 1608 wrote to memory of 2356	1608	Mieeibkn.exe	42
PID 1608 wrote to memory of 2356	1608	Mieeibkn.exe	42
PID 2356 wrote to memory of 1288	2356	Mhloponc.exe	46
PID 2356 wrote to memory of 1288	2356	Mhloponc.exe	46
PID 2356 wrote to memory of 1288	2356	Mhloponc.exe	46
PID 2356 wrote to memory of 1288	2356	Mhloponc.exe	46

C:\Users\Admin\AppData\Local\Temp\b0d3f60a023818b33736bfc81fae9e3d.exe
"C:\Users\Admin\AppData\Local\Temp\b0d3f60a023818b33736bfc81fae9e3d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Iimjmbae.exe
  C:\Windows\system32\Iimjmbae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\Iedkbc32.exe
    C:\Windows\system32\Iedkbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Ieidmbcc.exe
      C:\Windows\system32\Ieidmbcc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Jnffgd32.exe
        
        C:\Windows\system32\Jnffgd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Jqgoiokm.exe
        
        C:\Windows\system32\Jqgoiokm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Jbgkcb32.exe
        
        C:\Windows\system32\Jbgkcb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Kiijnq32.exe
        
        C:\Windows\system32\Kiijnq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288

C:\Windows\SysWOW64\Nlekia32.exe
C:\Windows\system32\Nlekia32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:400
- C:\Windows\SysWOW64\Nlhgoqhh.exe
  C:\Windows\system32\Nlhgoqhh.exe
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Windows\SysWOW64\Ngibaj32.exe
C:\Windows\system32\Ngibaj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jnffgd32.exe

Filesize
350KB

MD5
4d5ae62f9798f2eb2f0d68e6d51e021f

SHA1
6bf4f0c77021de3d2e3fd20a4eb29d49e0aed6ec

SHA256
880a797d954564f78fa27dddd7d65b4a1ddeb91442f1ce10897c289e0d4125f4

SHA512
dcc9905808e2c5db3a2bcc14095986055ca5154f9e661d35710e82da80ed837374281176b736f3c2a5090bcb3e873d1f7ffca9b570bfc24f278633e29e6e0ff9

Download Submit
C:\Windows\SysWOW64\Keednado.exe

Filesize
350KB

MD5
8c749bc83cf0f6844c83b748fa15dbc5

SHA1
96ee6033dc126d9d1991a5eaee553a10fa3be6fb

SHA256
5cdf225d8103c1673b47d21d175f216c653e0df0f32dcd90652635017590eb92

SHA512
ebf57c24a50b9375abec8eb372d2da32a69b682a179289a96077a6d44e50c6aa65e45a24676a95dd3755ebabc11d0d82579d3a3b1173c2715b3de1b0a2986cd8

Download Submit
C:\Windows\SysWOW64\Kiijnq32.exe

Filesize
350KB

MD5
04b4e6c73f5253ae5c783108f3181670

SHA1
e7a58fc2d4b650e3567cfb58f98323b6b29d0467

SHA256
12c9693721dc81ba532d64af4619c3fa962573c26bab7a5df37c84deb3d31494

SHA512
af2f2cdb3922e1f1908a3190e4f37a4a6e49ac42d146735b96e77a9b6b135604242d8184fed04e4abf67cddf59a8a4954e02a8e62f1763a71e2167bcb8a342e0

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
350KB

MD5
6fd9d0fd215666988a63cab6b5a013b0

SHA1
714eff4b5a69730df38dd26334cc3d653535936b

SHA256
f2a34379b8045979dfd9982b075f50326803baf67cd9014ccef4feb14e781606

SHA512
28d9f47bb18dc5735081c7644a1178d41746898f18f68ebd2a3f403752b0f67b4fe0a6dbdd127e7ec26b70666127eeedc0070ae1f0f2a3cd77a88f23c791e358

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
350KB

MD5
71adb4519ca703c4a4a6c0f5b7a0ad54

SHA1
fb0a7a274fbf8f04133757ba80352e0295eae5d9

SHA256
60beea7c375e6478c72916bbfee7d425aa807d12c1fbe522bd9e9ff0ac2477a1

SHA512
f1df8009b6fca08c59a016f20b0c3bfe00cb3d869f291efbd548b82af65589f3f2814b1b9632a8c72a8bd6647b7f8a3072659cd6104cd64d823ce4d49f0155ba

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
350KB

MD5
8c10aa129ae9ba917bf8ac35c900e988

SHA1
b92c6f30e724deed1330407235dcd2fda9b06de1

SHA256
1555a3db26fa6a7e345f82e4fa8bd6d7b3153a762ed8333b23cc5f1ef5276659

SHA512
47f8a7b61761110d1b4d12dfbd690e316ccc92017a6256a84b593814a9d0b17553512ce507bc3724906b73f5d963eb15bc521cc1147cf33bdba01bea51c2ba9c

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
350KB

MD5
c4b87a6e5b7dd70e8a2c5d3656dcf014

SHA1
0c13c4b72855d27fb9f892ff7874978fc06c955a

SHA256
d9e7378fb4977db4fead8b31084bd1f8b1fcc5f88807fc4bf77ec0a0e53492fb

SHA512
d8e6e4c66c9bab134f8e73b82341c7f188e43af5785341c27a6432bc1459187e332c066a71945cee3b420e03ed124dea87af85e1efdf20fe48364e5607eca655

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
350KB

MD5
db663ca7d816d44e96d50147fa835287

SHA1
3fef6444d13835c71bef2cc1da5a3d99aa66f86c

SHA256
1dacb6cf9d74d6574e3882b59d628dfd408c022c71a9b0a088ec0e3e325dd91a

SHA512
5935b56e22bb74a38a15b228cacb51506582cbe80f4b5bd285c138494308b3fab9ad676c9aac141397e1d269bb45d5775cfaf887ed566cc51f73253e33bc3494

Download Submit
\Windows\SysWOW64\Iedkbc32.exe

Filesize
350KB

MD5
a750ca1f1e836f285436ba7771189fc2

SHA1
3116bef81125b647a19bf17f720dc1b641ff56e5

SHA256
3c9893ed39805fe62c7c779fa51eee64b55ee3121314112514a0c0eef2510330

SHA512
9e58624146f178a86e9bf952011d3eb933bf50064485d8b4ad0289116f730a5aee499c64da70927202f63bddf15bb87f88c26dca0ba2a550b826510fad2b81d5

Download Submit
\Windows\SysWOW64\Ieidmbcc.exe

Filesize
350KB

MD5
e9b7878eda7ca65ae636ced403277a77

SHA1
2b8c66279b0595f0e308467b6ead3d2edcfc2673

SHA256
553bb4b0c6921a46d7a922ee2144e9ea2692d36f1c99f9b81f427a5c16599e53

SHA512
552a5c7e9e6b23761141da9fd4160ed8c6df108203da21f8a607b8049eac28dfcedc21d67dfd1c446bf2ce5406965d886beae4a002bada849790a197a0e4ca30

Download Submit
\Windows\SysWOW64\Iimjmbae.exe

Filesize
350KB

MD5
8ca1aeee1c386034d7f39e8f18f9118b

SHA1
f7ffcc681b2adc3ec958993fd20a8c3623979546

SHA256
c63da6fda5854158e874a974f9d4f05e9d27c0dcf595504f95e4332f88b3d869

SHA512
6fb4d6c4f015e91ded2b2d8a6458285e4e6b9d06f1b96093780ecae87d4b353eb3f7a9a0cc31af5fbc3dbe5ec96effaf38cde413e4edfcffc9158fe8a0c8e590

Download Submit
\Windows\SysWOW64\Jbgkcb32.exe

Filesize
350KB

MD5
613667850b277f317ae80b9e48199614

SHA1
df773d26d9df96bf010d219888b027ede31acc7e

SHA256
4d2e1c9e917fdbc6555ce9518f041189adfe3c0b361043bc29d5d6b524adb61e

SHA512
ad865d1b848454a8dab417beea7c6820ade239153750726df66fdf4b6f643663b0b6df2a39ff7881bbd16838d9eee2b53ec2ac453780675c479ab0a5ace38ba7

Download Submit
\Windows\SysWOW64\Jqgoiokm.exe

Filesize
350KB

MD5
b8b2307196676395860c7db6fa2ccf4f

SHA1
2c851c419f918a5506bfb467393aa64a724cd85a

SHA256
1a1a758c5fd5c95f929094de9d60ad56678fedd87bbd1dfd56e5666c08300683

SHA512
9b0f18913c58b32b9133533d64ea44394778d7b6e7a65d1ca3c8bf0ea661d91a6e7c5e9c310797d1c73eec4e8cc626e056f6c30ca00e7981b2e8d452425ff30c

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
350KB

MD5
dac145fe273d415a966019b8de5f30ff

SHA1
d6ff052148546a61f5bf369a073184cdc2dc9af6

SHA256
4290bbd9a4abe08b53fb1d1cbc6710bc99733d9e52becf1105b17f7ffa413671

SHA512
8128cda82fd80ffdab77be3c5655290fd3439403f91194c462fdc83646d60480b6a8eef44b94f08c6e144a66e81d1fa47b45cdbbe5cdd58cb9893f99fcd457c1

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
350KB

MD5
e9535480fe1ccb3519aa74664d3be771

SHA1
5e903a85d5de3305d2bf12bf01be718a9f86a1b5

SHA256
63b1d2e8b2e41577b3714533f8bb7cb37509ec8c2efe52b19db4e160044f2d5d

SHA512
dde930a339f3bb87035e67d8e212c7238f65d51176ba69a5ed24e9b8fdb02885a355ab72902f034781f50d97d81123f1bc211b5e9801251b3fe45c796f4ba000

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
350KB

MD5
1fe6f02ef8a3959e5d351e5af906e14b

SHA1
2dc0ac66bacc91836e5f3544024a0de0f76bcc52

SHA256
e6c472faa06e2c037a5ad6e3df523264cfd10de31a71bc377c51bc2356af6e77

SHA512
47db3befeeee10fea531a3b8530563c4aa9909a2ff2f0fe6508d7b29dbf9481bf91a8e14340120859f6225e10a522bcb406447f6601de48ccf9ea3aef7450042

Download Submit
\Windows\SysWOW64\Lmikibio.exe

Filesize
350KB

MD5
7b4f04dc8559fca1744cbcb37968b7f8

SHA1
40d107d00176f58bb1b1b1ea47184e6aa1b88820

SHA256
fa03fe2099b1ab349dd55d091becc0e166778b6c1b12defb43b8416be0fb98f0

SHA512
7c721300e9ecb169c75fe31f2f8fbbf3369c27a744add23b6cedd3cf64ef8de19555d004c816243432842f76d170c513a860de1bfd35d81ef5b0b2f9f7e25f19

Download Submit
\Windows\SysWOW64\Mhloponc.exe

Filesize
350KB

MD5
6177b2b29b6c0fffe0565ae4aea602bc

SHA1
dabec5ff1dbc64ee033fa2629ecd017359f55aff

SHA256
3060b213bc012a4f4c40fcbd0794e9e4a8a68e40f85f5c182385aa69d43b2646

SHA512
dda49024f810dc7fd9d467b50e6dc7904fe49aa7dd27e4630b46e4fe1e8afd4ca1d3bc1ac218ee5c9e16f8be9db13a8bfbfa916ddd91ccacf8a76cdc7b5be342

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
350KB

MD5
ee4bb5aa9002d65f70b02c108ad05c93

SHA1
a16789e0dd58541a2505ed0759408f0801f81ace

SHA256
9c228136c5d5525a5ee6a96734f2057149e8633e2274b4af4eed380502d096f5

SHA512
f823ed124d88ef48eeaca4067a7f50aac85e45a328acb42bb6c3568ffbbec2bbd811d16ff291fc8ca6c0fb83071310c129d077b4845cb43eb30c1c2b278c4c15

Download Submit
memory/400-250-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/400-259-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/400-282-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/696-287-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/696-174-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/1036-276-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1036-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1136-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1288-284-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1288-225-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1288-230-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1288-235-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1292-281-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1292-19-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-291-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-201-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-209-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1608-210-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1936-128-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1936-280-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1944-148-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1944-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1944-275-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2092-258-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2092-241-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2092-240-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2356-208-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2356-224-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2356-273-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2356-218-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2556-82-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2556-277-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2632-285-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2632-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-286-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-187-0x00000000001B0000-0x0000000000209000-memory.dmp

Filesize
356KB

Download
memory/2660-189-0x00000000001B0000-0x0000000000209000-memory.dmp

Filesize
356KB

Download
memory/2660-180-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2704-48-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2704-278-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2704-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2744-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2744-72-0x0000000000270000-0x00000000002C9000-memory.dmp

Filesize
356KB

Download
memory/2744-73-0x0000000000270000-0x00000000002C9000-memory.dmp

Filesize
356KB

Download
memory/2744-288-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2812-289-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2812-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-290-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-18-0x0000000000660000-0x00000000006B9000-memory.dmp

Filesize
356KB

Download
memory/2848-6-0x0000000000660000-0x00000000006B9000-memory.dmp

Filesize
356KB

Download
memory/2908-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2908-120-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2908-279-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2960-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2960-283-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads