e55128b904780650d0682cb604285f2a3e6f20cb18c04d9a4e0f56a502355965

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.exe
Size

276KB
MD5

cd227bfb086cda96cf9efd8442288c9d
SHA1

ea736e1e04d811265a8dffe2eb16f8738494b6d0
SHA256

e55128b904780650d0682cb604285f2a3e6f20cb18c04d9a4e0f56a502355965
SHA512

00980477acd12d6b2150a582d35f512d9444fca884671b38f21c07806bd2cbaef12a6a685b63dd453906e9396af440ffda14324b2bc115468cb45e294e9e9f53
SSDEEP

6144:YoT3oQzJA1YrdWZHEFJ7aWN1rtMsQBOSGaF+:DdUg2HEGWN1RMs1S7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe

Executes dropped EXE 64 IoCs

pid	Process
4484	Jmnaakne.exe
4120	Jdhine32.exe
4460	Jfffjqdf.exe
1216	Jidbflcj.exe
1860	Jmpngk32.exe
1744	Jdjfcecp.exe
1924	Jbmfoa32.exe
4732	Jfhbppbc.exe
1224	Jigollag.exe
3008	Jmbklj32.exe
3932	Jangmibi.exe
4756	Jdmcidam.exe
3168	Jfkoeppq.exe
2372	Jkfkfohj.exe
2344	Kmegbjgn.exe
552	Kaqcbi32.exe
2652	Kdopod32.exe
3316	Kbapjafe.exe
2148	Kgmlkp32.exe
5084	Kkihknfg.exe
2648	Kilhgk32.exe
4768	Kmgdgjek.exe
4640	Kacphh32.exe
3004	Kpepcedo.exe
3552	Kdaldd32.exe
1780	Kbdmpqcb.exe
3964	Kgphpo32.exe
3516	Kinemkko.exe
3720	Kmjqmi32.exe
3828	Kaemnhla.exe
2160	Kphmie32.exe
2096	Kgbefoji.exe
3904	Kknafn32.exe
3604	Kipabjil.exe
2976	Kmlnbi32.exe
3200	Kagichjo.exe
4320	Kpjjod32.exe
2524	Kdffocib.exe
2192	Kcifkp32.exe
1160	Kgdbkohf.exe
428	Kkpnlm32.exe
2580	Kibnhjgj.exe
4744	Kajfig32.exe
2764	Kpmfddnf.exe
3872	Kdhbec32.exe
1084	Kdhbec32.exe
436	Kckbqpnj.exe
1348	Kkbkamnl.exe
5104	Liekmj32.exe
4240	Lalcng32.exe
1564	Ldkojb32.exe
528	Lgikfn32.exe
532	Liggbi32.exe
4244	Lmccchkn.exe
4900	Lpappc32.exe
3356	Lcpllo32.exe
5000	Lnepih32.exe
1140	Lcbiao32.exe
1908	Lkiqbl32.exe
5080	Lilanioo.exe
2076	Laciofpa.exe
4860	Lnjjdgee.exe
4308	Lddbqa32.exe
1832	Mjqjih32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4504	1064	WerFault.exe	173

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4484	916	Backdoor.Win32.Padodor.exe	88
PID 916 wrote to memory of 4484	916	Backdoor.Win32.Padodor.exe	88
PID 916 wrote to memory of 4484	916	Backdoor.Win32.Padodor.exe	88
PID 4484 wrote to memory of 4120	4484	Jmnaakne.exe	89
PID 4484 wrote to memory of 4120	4484	Jmnaakne.exe	89
PID 4484 wrote to memory of 4120	4484	Jmnaakne.exe	89
PID 4120 wrote to memory of 4460	4120	Jdhine32.exe	90
PID 4120 wrote to memory of 4460	4120	Jdhine32.exe	90
PID 4120 wrote to memory of 4460	4120	Jdhine32.exe	90
PID 4460 wrote to memory of 1216	4460	Jfffjqdf.exe	91
PID 4460 wrote to memory of 1216	4460	Jfffjqdf.exe	91
PID 4460 wrote to memory of 1216	4460	Jfffjqdf.exe	91
PID 1216 wrote to memory of 1860	1216	Jidbflcj.exe	92
PID 1216 wrote to memory of 1860	1216	Jidbflcj.exe	92
PID 1216 wrote to memory of 1860	1216	Jidbflcj.exe	92
PID 1860 wrote to memory of 1744	1860	Jmpngk32.exe	136
PID 1860 wrote to memory of 1744	1860	Jmpngk32.exe	136
PID 1860 wrote to memory of 1744	1860	Jmpngk32.exe	136
PID 1744 wrote to memory of 1924	1744	Jdjfcecp.exe	135
PID 1744 wrote to memory of 1924	1744	Jdjfcecp.exe	135
PID 1744 wrote to memory of 1924	1744	Jdjfcecp.exe	135
PID 1924 wrote to memory of 4732	1924	Jbmfoa32.exe	93
PID 1924 wrote to memory of 4732	1924	Jbmfoa32.exe	93
PID 1924 wrote to memory of 4732	1924	Jbmfoa32.exe	93
PID 4732 wrote to memory of 1224	4732	Jfhbppbc.exe	94
PID 4732 wrote to memory of 1224	4732	Jfhbppbc.exe	94
PID 4732 wrote to memory of 1224	4732	Jfhbppbc.exe	94
PID 1224 wrote to memory of 3008	1224	Jigollag.exe	132
PID 1224 wrote to memory of 3008	1224	Jigollag.exe	132
PID 1224 wrote to memory of 3008	1224	Jigollag.exe	132
PID 3008 wrote to memory of 3932	3008	Jmbklj32.exe	131
PID 3008 wrote to memory of 3932	3008	Jmbklj32.exe	131
PID 3008 wrote to memory of 3932	3008	Jmbklj32.exe	131
PID 3932 wrote to memory of 4756	3932	Jangmibi.exe	130
PID 3932 wrote to memory of 4756	3932	Jangmibi.exe	130
PID 3932 wrote to memory of 4756	3932	Jangmibi.exe	130
PID 4756 wrote to memory of 3168	4756	Jdmcidam.exe	95
PID 4756 wrote to memory of 3168	4756	Jdmcidam.exe	95
PID 4756 wrote to memory of 3168	4756	Jdmcidam.exe	95
PID 3168 wrote to memory of 2372	3168	Jfkoeppq.exe	129
PID 3168 wrote to memory of 2372	3168	Jfkoeppq.exe	129
PID 3168 wrote to memory of 2372	3168	Jfkoeppq.exe	129
PID 2372 wrote to memory of 2344	2372	Jkfkfohj.exe	128
PID 2372 wrote to memory of 2344	2372	Jkfkfohj.exe	128
PID 2372 wrote to memory of 2344	2372	Jkfkfohj.exe	128
PID 2344 wrote to memory of 552	2344	Kmegbjgn.exe	127
PID 2344 wrote to memory of 552	2344	Kmegbjgn.exe	127
PID 2344 wrote to memory of 552	2344	Kmegbjgn.exe	127
PID 552 wrote to memory of 2652	552	Kaqcbi32.exe	126
PID 552 wrote to memory of 2652	552	Kaqcbi32.exe	126
PID 552 wrote to memory of 2652	552	Kaqcbi32.exe	126
PID 2652 wrote to memory of 3316	2652	Kdopod32.exe	125
PID 2652 wrote to memory of 3316	2652	Kdopod32.exe	125
PID 2652 wrote to memory of 3316	2652	Kdopod32.exe	125
PID 3316 wrote to memory of 2148	3316	Kbapjafe.exe	124
PID 3316 wrote to memory of 2148	3316	Kbapjafe.exe	124
PID 3316 wrote to memory of 2148	3316	Kbapjafe.exe	124
PID 2148 wrote to memory of 5084	2148	Kgmlkp32.exe	123
PID 2148 wrote to memory of 5084	2148	Kgmlkp32.exe	123
PID 2148 wrote to memory of 5084	2148	Kgmlkp32.exe	123
PID 5084 wrote to memory of 2648	5084	Kkihknfg.exe	96
PID 5084 wrote to memory of 2648	5084	Kkihknfg.exe	96
PID 5084 wrote to memory of 2648	5084	Kkihknfg.exe	96
PID 2648 wrote to memory of 4768	2648	Kilhgk32.exe	122

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\Jmnaakne.exe
  C:\Windows\system32\Jmnaakne.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\Jdhine32.exe
    C:\Windows\system32\Jdhine32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\Jfffjqdf.exe
      C:\Windows\system32\Jfffjqdf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\Jigollag.exe
  C:\Windows\system32\Jigollag.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3008

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\Jkfkfohj.exe
  C:\Windows\system32\Jkfkfohj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2372

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Kmgdgjek.exe
  C:\Windows\system32\Kmgdgjek.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4768

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
1⤵
- Executes dropped EXE
PID:3516
- C:\Windows\SysWOW64\Kmjqmi32.exe
  C:\Windows\system32\Kmjqmi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3720

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3828
- C:\Windows\SysWOW64\Kphmie32.exe
  C:\Windows\system32\Kphmie32.exe
  2⤵
  - Executes dropped EXE
  PID:2160

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2096
- C:\Windows\SysWOW64\Kknafn32.exe
  C:\Windows\system32\Kknafn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3904

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4320
- C:\Windows\SysWOW64\Kdffocib.exe
  C:\Windows\system32\Kdffocib.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2524

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
1⤵
- Executes dropped EXE
PID:2192
- C:\Windows\SysWOW64\Kgdbkohf.exe
  C:\Windows\system32\Kgdbkohf.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1160

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:428
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2580

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4744
- C:\Windows\SysWOW64\Kpmfddnf.exe
  C:\Windows\system32\Kpmfddnf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2764

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3872
- C:\Windows\SysWOW64\Kdhbec32.exe
  C:\Windows\system32\Kdhbec32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1084
- - C:\Windows\SysWOW64\Kckbqpnj.exe
    C:\Windows\system32\Kckbqpnj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:436
  - - C:\Windows\SysWOW64\Kkbkamnl.exe
      C:\Windows\system32\Kkbkamnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:1348

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2976

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3604

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3964

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1780

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3004

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4640

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5104
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4240
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:1564
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:528

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:532
- C:\Windows\SysWOW64\Lmccchkn.exe
  C:\Windows\system32\Lmccchkn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4244
- - C:\Windows\SysWOW64\Lpappc32.exe
    C:\Windows\system32\Lpappc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4900
  - - C:\Windows\SysWOW64\Lcpllo32.exe
      C:\Windows\system32\Lcpllo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:3356
    - - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
      - C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2636
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        15⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        18⤵
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        21⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1732
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        25⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        26⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        31⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 412
        33⤵
        Program crash
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1064 -ip 1064
1⤵
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmklllo.dll

Filesize
7KB

MD5
93c8b4865a28447b08daacb12a7b1022

SHA1
071d22d668d4c1d4bc904994c62c03fa892fce17

SHA256
369ead187857974ebe7ddf738cefe373655c0029b1cd6319297d7eb42a937f94

SHA512
c59e73067ac366ce7f8b9aef4f17a734046e10836b676b2a0f8120bc2c2984a2af83738ba8d13ffd17cb0323af7952d92ef36e1c2137a099259d044e5cac14be

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
276KB

MD5
6ee099671f6d788a54bf05131110e167

SHA1
a9d83649a6e889df424f7d1e21fe84b4a0606ab0

SHA256
79ae484fc2cf680f6abf39bd2711bf08129c0bb86e6dfdba87a1c485dad5289f

SHA512
34443aa9c4680098efcffa02b73cb64dccc8895d293125fb00d473f9a5cd336ac8dd50ec8629ca0be6a9ee51d32dda986a59fd96bc5b2fccf186f58caa0cf330

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
276KB

MD5
4e7010bc894332effca9c686800e1ce3

SHA1
d83ab121142b3923ac1f3a05962549c6dd6c098e

SHA256
6bd02be5981d0ba0318bb4d8ae237306108f46ce0b6f7835e98056e7be35461d

SHA512
c4bdde6e4412916c3d6e0b6d61e87ad9ef38d7d9dd80b0e2f7b21d13caacba0f8a48b5db23734c4ad2ac75599c19ed690faf72fd93dee8445caf676a068797f4

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
276KB

MD5
602b695d42e057e4ded207bbe3ea4c22

SHA1
adb784939cac07c126d4adf9c64c733859b23192

SHA256
a6a4c35ad656fdc211c8c7c5ef965a8c982e42d1257b7672bfb83090bfd4e476

SHA512
8b1822a7d25403534ede71cd5c86f3a5c93fabbdc882e4f07900671e5e23da3a49005fcaf8b74f49b68eca411cc3e47439a3cd62b0e449c23c84c9b3c1459cf0

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
276KB

MD5
2af11492a37347ecad54d580e9a07ca2

SHA1
a8055059636309dc02854953226254a647d9286e

SHA256
83c35047530eb5d52e1bb4de378c7805d7ed5982f6f3387628b21a1748f8edc6

SHA512
74ac7cf2b3d84d43afa8a8d476f5cf3c5f730693d6c233381c78b801d992eb8dfae217b0cc893b52244c7a74533c1e3140321f94e632dddfc0f4e8ea69932c56

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
276KB

MD5
066d772b7d910ce312ab8120b12e39d3

SHA1
37de59fdf6a27c8d3ec56ed17caf4a2e5521ad70

SHA256
981b7c7f4f015b3c45f9126a4fc36f0dbe532f16143c073a88aa88fddcb416ee

SHA512
373870e38c59b9cf0ecc8abd4255242fac8e37e567de78b0ad971266baf76326b723ef1ca6153a35c0f53ec8b167e6d923950c811707a5f513b4c669370eccb5

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
276KB

MD5
71712915d287fee778133473ca6ca803

SHA1
1acbbbc1ac335e0eaf4c6a7bf52196871ab77b2e

SHA256
fa918f9b73ed97d8f9de0946b7e393ac6ca84fe409bac898a98dabb16a59f79f

SHA512
95f39779bb9a6f1f6e71357e107acbb9dbb7f98819ef5df1a36d11d5c6c6f8fb9063f22f90b8ed824b8b2a7a4ce752ca00aa60c1e211bc72696b7494e5d4b0b8

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
276KB

MD5
920e59b9a2915632acc56ee5c6901500

SHA1
e22b7d6d59bf4cae61d11312d49a97dac8269531

SHA256
546919cf0ef4b8632330a71d8023f0f664cf64582cef95f05f557e09aba318f1

SHA512
9c6f97050fa6d9aa1c77be7c15b5ad19f80d3c0ebb5341d1ef8cb62fd712527b298b08de5a7b80be97d4f92fd700899e3a1ace484314b9a9b51766f4e5747369

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
276KB

MD5
e11690d7e23e277db5d86aaeed80c28a

SHA1
cf5aca8d8ca434ced6f53b20b0584a968acaa014

SHA256
35d0d1f4eeb9fe2f0cb8fc9abf47c93354bb23825cb47a772974baee7a669c44

SHA512
8bb664418cece7a3494040378360cdfc97364f8ddedf9bdc2400f487fb523b5e17f322728d5e00969d48a6b40c0fc41da2b1cb754123456cca1a65732760e799

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
276KB

MD5
4cbd33e94ad6dd38ee7865c5e5551ce8

SHA1
8cf1711b872079940e38b603a7da3bec6b7c57d1

SHA256
68c9ab3eb4664171da3e117210b8457e62aa1c3085a728ba36bfee7d77118493

SHA512
d46c82db7881f5716aa07d6fcdf436014fe783f7b874b1b9ee05040fb401ed8595ea6906b843055c3731484ecee36e217b0dfa0bb201108bdee49f1ff87d72ff

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
276KB

MD5
ac15e14a34264e6ac1c9592a06ee9c25

SHA1
5ca6b0b6422708bbd1f90cf8b0dce3fe102fe8bc

SHA256
8d20e5b14ec3e18cd8636445a32b58c6987deac58bdf4f8f0d37411b32220a47

SHA512
5e6f96936cf907cf1c6cd45a93e3c1651aae755a94aa33617adc80c04c2390fa693588f1ae98d45666d10a6495696944fa5bf1469f7d563cbb5aea72083ca978

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
276KB

MD5
94cce8ef1a22ddff25abf178a979ee5a

SHA1
b98c9366179ed5821eeef435f34253a305565030

SHA256
3e8821028323f1c4642f5def37da2ef0189c97b689ac5ded0a76599ee53c6ae1

SHA512
4c6fe0b27c9e8a2957f5ce0feaffc42740f38d230b94a708cc3634f3eb4efb3dead7fb4f22df263472e301156f341f804fb5bf45ae955039972a09fed53b77ea

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
276KB

MD5
dfbeaf99df4428ca3c90484cb59346c2

SHA1
1e7aeb6a5f1849500c4a3c73e1e89da569750c6f

SHA256
6f147b8bbc00c163397965b2bc6f7e1a14839c7bff8ff902b9bd7a593f887c61

SHA512
4e1a3ecba8ae1c98ef920923025436b78e556cddb17443983680713c6cf15b5d5ce0c99d8f84794cfdab827f48cb8406cbe317d359b519d426e250edc7806d4b

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
276KB

MD5
9dd0b72735b8974553741df9a0caa3b2

SHA1
8bf5a4d5eb068d814356e105224943763112b2c8

SHA256
4186c7c695caae6135aa01b0b38afdd6af4c876f2d8d98cab72278ad0e71d23f

SHA512
1191bf9731f5eae5a2fab5be2ff7acccb74b7c2afd27ffcf81a78a212d1f89b8d5508de6b3c7b906b4234d088ff1396265a4a60464a5e6683df8acd3f04f2811

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
276KB

MD5
95be340bf73b1218ee0028a9676a6208

SHA1
b108c6b6998ab5e915b256175569c4c209b33fc7

SHA256
e8bafd8613e7a55a3fdd663f2e05a809d6c3be6e01c85a933d40fcb5a87aa30b

SHA512
f64ec4a4198301aa76f3df7913cf89d25e1b4f90853449c3eb245f26f83a1b22ce6b0718d7edf192b6dde954795e8e5413c8e2c54c6488ce42993f78295bef20

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
276KB

MD5
978f498ec449e5d379cb086f4b63aa16

SHA1
1ac3173c1598910789c3bfb5d7fcfc4f7b6bed3f

SHA256
d6c7dda7cfe24b4d467d0a223d6e29604811d42b2fb7dc2face606229fc4c7da

SHA512
5c203667bc286643ad468d00f9fb36c9cddb28567e0d2efc1d9eef109085b76f4d72c541eeaac3ee75c402b476f5a6878b2a6cbd5cc8ba38e51f5360d63cfc22

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
276KB

MD5
44fce1916d257778aefe93c5720efcc6

SHA1
4f7c7dad79989afe4d8af93e5d05b40808b11b3d

SHA256
821b2c0f824173e1a5ca4d97ef60a3771359aab493e2dcc62bd97fde702ebba3

SHA512
47f77927ce358b5d1b4753b07267f32c2fdd4b7ef37b0787a54047aa6102ecd13204dc8b41a26fe5b628aef001e737af68ea273af0696662df02d25792d40e7e

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
276KB

MD5
b345690ef4dc6238e6bb314c838d5da5

SHA1
e6e2390381ea6e592e1b66252c6df8c44d0ab5fb

SHA256
c501caf8560e5702b7294d63fdcd3a9b60a992de5517deb3c20478d597d0d25e

SHA512
657bd0aef4bdd1aba3f16506267155eb1c5f00b4a2fe5cb5e2734e385f092049637d67eab73b2638a668a942c1c292d4c4e9f04b031ab5c9c74a08fdb5966730

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
276KB

MD5
f90404ed408081a862cb7f1f6c32d422

SHA1
7a319e248029f0741851446ac65e83a6e916cd85

SHA256
f1e8056f637dea76c85f0d534703a108a3ae089696e45438f053f487981d4b43

SHA512
65dd1e7eda5088beba796691ef01c48a2faae21b2768e3ea40d97a2c76290a087e9f72cd443ff7664de2c2280c6e6ab277c45815f1c92840b4b60139d7495917

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
276KB

MD5
f63e75db927eb87f30027488618892bb

SHA1
b80b83b2a539dbfdcf21a0fc61d37b52956c64cb

SHA256
739e9598e23d205c5c2f209a96b020bd74afc13f201a8373d1a340a78a46ca2f

SHA512
74dc77f8e8a78cafc0e19953fffd6325affee7c57f8617c22e4a3a66e24178b2be4c9b060f4d6db6002276580133ce3a029ae44e30ef6a0411f901d781b998f5

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
276KB

MD5
ed82d497c3cfe010314c79d04ad78297

SHA1
6c009d94600d655c6df98fa220e1b72e4d1da1ec

SHA256
d6b3e20b397c5e0c19565e5024cc8f2d8ae43357159064fbb7c7e35a9a019e68

SHA512
441c7fd391f25e4045fbd2531d9a677f18bc9d42993e261bd2ea9a081f9dbcad60ee9294ce347cc68ad87139234263189f638119da64eff063fdbb0bf4876f4f

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
276KB

MD5
f3e6aa66673817eaf2ad83bb7461673c

SHA1
23fe5e3618a2a0433968c5587455c03e30eb2e1c

SHA256
5b835d4a0dcf35f1237fb9ff7c938d06086e51556d6e0b9e7dd600305d2be04f

SHA512
84af5eae65257868a3b3f48052050b553560260717d385e0eb1cb8e8062903809795b3ab23a51f6187c9bccd07ee093042d16878d6b3ce1aa77027ec6066cd80

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
276KB

MD5
310eb6c87979ccd1d84d04679c2069b1

SHA1
c3a27dba94fbfbc853b69eb3fcfad51a24a9803d

SHA256
c23fd7dbf3fe29311494d904e227d141d51ac6d666833b323df635d4f6a149ad

SHA512
e8cb8c563972c926b5ebe176b4c3deb9ac2d71670b8bc7eec3231621d3ff0d98ef752f860f25548513cf02093dc5126868791d862d2130d56fc4181c6b162e53

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
276KB

MD5
128c01b4469f5da5d4e99acce0e9f445

SHA1
0bae414fa8b71e7cef8453b0bf0bff50dc363f8e

SHA256
f1011ea3489c007983f8681e53e157458c5b28ad441484a0c5b8d24612235424

SHA512
85c258f12d7a9175531491e2bc87970b0cb4223415db9a4f5e971627cefd8a01972500b5587a5fdb06449767265ca24160cfeb6aeca52043d8035fc21ce33de7

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
276KB

MD5
358ddb0f5706fab8a2d2806a68a9943c

SHA1
aa14d1518ceeb1326ac6fa3934c56df534169329

SHA256
ab851e7067d07a74f8163262e4e76a80159bc05bc235cde410abbbd209854f9c

SHA512
43b23cb304e47035845fd5892ae11e66cccf06799d23110e965dbc484c463556bb3dc09eb2961c50828a836b385329e82479b3b05ef07a7b56ae6a1157cf733e

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
276KB

MD5
7287161e818fd64190e91ac67db99126

SHA1
d53ba0c059957b3a91442fed85be8d0e18454432

SHA256
b479fc7a2601b49f78cb369365a8e6d8190dba9da116fe5e1a434b86e0b01fe3

SHA512
aea7735b206a198f86b08a040510bfaa3d51eb0e9848e13091052c3498cb18e7b3c62c275fa1c616b8f19b7d6c9586cbbaa8f0374da4053df173ed0b44dcb886

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
276KB

MD5
0e2e933ea48434dc9cfd7a62e894c339

SHA1
bdc8a6a841ffdd33c99814b6f72c6d1c7041e7bc

SHA256
be083aab8ccac67031063f85090d0fcb392412cc3721e9e3660b3fb8403d0448

SHA512
f9304d9bc0621bc1b05d9c5b36e0fe2cc4d8e13ab2acb8386d6e34633ebde1e0eb0ddeb1a4a00f34dfb1b5b89a6ce33d046a058670da96f807e104128cd04809

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
276KB

MD5
9e72c4355b87180f67a14ad303dba6c7

SHA1
f101081f7939e804887a76db4496f7f19ca854f2

SHA256
0662d0de085c83566baded70566decde9ce30b84558287e8aa802c725cbe80d2

SHA512
e68b8cfcb397ad0d30c0b484ef08740458ecee659b3b10c05ac4b381cd0911c2a37c8f5422d6d33cb11dab6e7907b4bae5fdf39eae7138baec68333a7d78edea

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
192KB

MD5
c32cec8dea3f9330e84664693552df9e

SHA1
6f74bcf8d39555d27f6cb9d9affc09d73c35a4ff

SHA256
dccc7bf61f8f7bd739919fef64109e181953970a6461d16dcbdef63b03491566

SHA512
dbf5fbb23e0fd5b7ce018e5fd01400191eafb9b2d8c5e0611201d012bd55d7b9902a261f123d41ee0d1b1040a6b63966c6e74d7f85863338f497b8acc087213a

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
276KB

MD5
288456398d8fbd4f8811803944c4caf9

SHA1
a944c5f1908bda4ba2b4445f6b068a927446da20

SHA256
496169b24e236e38e99f5e662c15f9e4976c0bdee3bfcc2efed881ac663ffb3f

SHA512
d0c6ade2d0ad277e9d24262ca689dfb156c9724f624c7f4059860f632e94290477068ccb18f22ee06771b174ff79aec8d354b1de89576ebf99056fea714872d5

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
276KB

MD5
cef048cf84ee03dc18724066367a6914

SHA1
ea98e8193541705a6eda5392c4940a940687af24

SHA256
9d8a0b6e90ea1724b94a07f41e0a44a22bca4cb7c2fe9e8f3d21ea5ab266391a

SHA512
8c51d05c74ee5e8574b32b5b0f7c8b1d85e58d53e2fd50c9151acfc0f5e1836cdaa895893caec66275184adbc22086521c3af778c91fbc95cd2fb2c20954e32d

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
128KB

MD5
e89d6f428aac5e9cb9c9232cc82f2f59

SHA1
84da143a527cf03595318d44a22bc0bdecd6bff4

SHA256
b40da24e7ff84b25a492ea0d0d932cac1542cbb47004f2eb60714ee971c5b39b

SHA512
2c7aadcbe90173467c5dc7854fec0bb1642a1411b32a915719dddf035623faf9a999ab73adef2841b69ec62d83c747547fdd1457ea028fbfa588360b119b86aa

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
276KB

MD5
319a844e1c7e0d956c448f5a6353c9c9

SHA1
1b83ec5659ef3ad1a7cf5365a8e54b294bc6d886

SHA256
8f84f3ecb7517f39ac26ee62f045b24652b4943adfacfccc471f4ede9eacd172

SHA512
c8765af6ff3ca6d5a6fd4169b8a4461da37118b5c8970e7dc86da5b93ed53aa52555525cf0afcbe274dc108916c39c328333eee71b530306fe8fbb2f64551d06

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
276KB

MD5
0f893236433d87c2d0e15a8b439b76ef

SHA1
5bfda4d3538b09f821e4ab1d3ee7f61247df4e3d

SHA256
be2226b95f9002f0d901e42d02a18c3b905ca00df6f8ec020984bcbcaaf89911

SHA512
64404cb556d0c2ddd4df717c43352ba0aa250ae260e3836239d4985124b9d912e5853969dd850ba3e63f4394910a7a63f3660aa60d9a39ce518458c62c4f0ca1

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
64KB

MD5
72b43608a4a46a2933ddfdb51208b3ed

SHA1
6e0e5f832a1996c8e1b24da6327e293a3419f551

SHA256
e4ef2e92a76379b71cbcaf2a3709884f534052e06ce48625a8fd6483240f6d72

SHA512
6b965499f2e131e95118edb38ac69fc6bb2d7f7697d96154ba0f38a2a6ea816bd899e8fdab6a3d5d1be1b6be55a21e1a9f5cf3e09709ad75dbe7962f5efe2f56

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
276KB

MD5
62d9a79fe2f6ab33f2370d39ab72f06f

SHA1
1fa3c9e64af6739168ce454068f9b8641e324810

SHA256
8de62cc06b78bef57525b033f50a548ae79c7301b87f2220990adbc516703d68

SHA512
32114471b5c5b5a347d0396269f3ef5dc2c2443b3c61f73636d2eab3d6699c6d38c6b39766e2d08cb68a86df147bc00f2f6a31a75aa6a0ebe95712c6997614b6

Download Submit
memory/428-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/436-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/528-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3008-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3168-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3200-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3356-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3552-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3872-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4240-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4732-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4744-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4756-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads