ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def

Resubmissions

14/03/2024, 00:33

240314-awl6zaea8y 10

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Size

297KB
MD5

000226a99db47c5c7a84a0c4137f8af5
SHA1

adbda08e57eec67867639d2766ccbd4035ef5db7
SHA256

ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def
SHA512

6818d0488dfcad502825c7db2ef8b4a8bb43193948e74a2781fee20df17d6a412244abe670e93d84b306b2b0d60c6068ee4d75fb1f5fc445a3623693f5a9b3dc
SSDEEP

6144:Tyt069Npui6yYPaIGckXBVbHmtswcoEe0g8IkQs4UAcoEwMY0g8IkQs4UAcoEwMo:+tzpV6yYPoBVgsPpV6yYPHGlm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe

Executes dropped EXE 20 IoCs

pid	Process
3020	Jnmlhchd.exe
2624	Jgfqaiod.exe
2668	Jcmafj32.exe
2676	Kbbngf32.exe
2660	Kofopj32.exe
2956	Keednado.exe
1532	Kaldcb32.exe
2800	Kbkameaf.exe
2856	Lnbbbffj.exe
1108	Lcagpl32.exe
2224	Laegiq32.exe
2480	Lbiqfied.exe
2140	Mbkmlh32.exe
2364	Melfncqb.exe
2900	Mofglh32.exe
900	Mkmhaj32.exe
2244	Ndhipoob.exe
1820	Ncmfqkdj.exe
1688	Nodgel32.exe
1320	Nlhgoqhh.exe

Loads dropped DLL 44 IoCs

pid	Process
2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
3020	Jnmlhchd.exe
3020	Jnmlhchd.exe
2624	Jgfqaiod.exe
2624	Jgfqaiod.exe
2668	Jcmafj32.exe
2668	Jcmafj32.exe
2676	Kbbngf32.exe
2676	Kbbngf32.exe
2660	Kofopj32.exe
2660	Kofopj32.exe
2956	Keednado.exe
2956	Keednado.exe
1532	Kaldcb32.exe
1532	Kaldcb32.exe
2800	Kbkameaf.exe
2800	Kbkameaf.exe
2856	Lnbbbffj.exe
2856	Lnbbbffj.exe
1108	Lcagpl32.exe
1108	Lcagpl32.exe
2224	Laegiq32.exe
2224	Laegiq32.exe
2480	Lbiqfied.exe
2480	Lbiqfied.exe
2140	Mbkmlh32.exe
2140	Mbkmlh32.exe
2364	Melfncqb.exe
2364	Melfncqb.exe
2900	Mofglh32.exe
2900	Mofglh32.exe
900	Mkmhaj32.exe
900	Mkmhaj32.exe
2244	Ndhipoob.exe
2244	Ndhipoob.exe
1820	Ncmfqkdj.exe
1820	Ncmfqkdj.exe
1688	Nodgel32.exe
1688	Nodgel32.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnbbbffj.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mbkmlh32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Kofopj32.exe	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Keednado.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Kbbngf32.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Lnbbbffj.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Gcgnbi32.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Kofopj32.exe	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Mkoleq32.dll	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Keednado.exe
File created	C:\Windows\SysWOW64\Lbiqfied.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Lbiqfied.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Jnmlhchd.exe	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
File opened for modification	C:\Windows\SysWOW64\Jnmlhchd.exe	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
File created	C:\Windows\SysWOW64\Jgfqaiod.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Jcmafj32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Epecke32.dll	Jgfqaiod.exe
File opened for modification	C:\Windows\SysWOW64\Keednado.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Kbbngf32.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Mbkmlh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Poceplpj.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Aadlcdpk.dll	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Mcblodlj.dll	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Mbkmlh32.exe	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Almjnp32.dll	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Jgfqaiod.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Mbkmlh32.exe	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Melfncqb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1320	WerFault.exe	47

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcblodlj.dll"	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almjnp32.dll"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badffggh.dll"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll"	Kbbngf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbbngf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll"	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkmhaj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3020	2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	28
PID 2056 wrote to memory of 3020	2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	28
PID 2056 wrote to memory of 3020	2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	28
PID 2056 wrote to memory of 3020	2056	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	28
PID 3020 wrote to memory of 2624	3020	Jnmlhchd.exe	29
PID 3020 wrote to memory of 2624	3020	Jnmlhchd.exe	29
PID 3020 wrote to memory of 2624	3020	Jnmlhchd.exe	29
PID 3020 wrote to memory of 2624	3020	Jnmlhchd.exe	29
PID 2624 wrote to memory of 2668	2624	Jgfqaiod.exe	30
PID 2624 wrote to memory of 2668	2624	Jgfqaiod.exe	30
PID 2624 wrote to memory of 2668	2624	Jgfqaiod.exe	30
PID 2624 wrote to memory of 2668	2624	Jgfqaiod.exe	30
PID 2668 wrote to memory of 2676	2668	Jcmafj32.exe	31
PID 2668 wrote to memory of 2676	2668	Jcmafj32.exe	31
PID 2668 wrote to memory of 2676	2668	Jcmafj32.exe	31
PID 2668 wrote to memory of 2676	2668	Jcmafj32.exe	31
PID 2676 wrote to memory of 2660	2676	Kbbngf32.exe	32
PID 2676 wrote to memory of 2660	2676	Kbbngf32.exe	32
PID 2676 wrote to memory of 2660	2676	Kbbngf32.exe	32
PID 2676 wrote to memory of 2660	2676	Kbbngf32.exe	32
PID 2660 wrote to memory of 2956	2660	Kofopj32.exe	33
PID 2660 wrote to memory of 2956	2660	Kofopj32.exe	33
PID 2660 wrote to memory of 2956	2660	Kofopj32.exe	33
PID 2660 wrote to memory of 2956	2660	Kofopj32.exe	33
PID 2956 wrote to memory of 1532	2956	Keednado.exe	34
PID 2956 wrote to memory of 1532	2956	Keednado.exe	34
PID 2956 wrote to memory of 1532	2956	Keednado.exe	34
PID 2956 wrote to memory of 1532	2956	Keednado.exe	34
PID 1532 wrote to memory of 2800	1532	Kaldcb32.exe	35
PID 1532 wrote to memory of 2800	1532	Kaldcb32.exe	35
PID 1532 wrote to memory of 2800	1532	Kaldcb32.exe	35
PID 1532 wrote to memory of 2800	1532	Kaldcb32.exe	35
PID 2800 wrote to memory of 2856	2800	Kbkameaf.exe	36
PID 2800 wrote to memory of 2856	2800	Kbkameaf.exe	36
PID 2800 wrote to memory of 2856	2800	Kbkameaf.exe	36
PID 2800 wrote to memory of 2856	2800	Kbkameaf.exe	36
PID 2856 wrote to memory of 1108	2856	Lnbbbffj.exe	37
PID 2856 wrote to memory of 1108	2856	Lnbbbffj.exe	37
PID 2856 wrote to memory of 1108	2856	Lnbbbffj.exe	37
PID 2856 wrote to memory of 1108	2856	Lnbbbffj.exe	37
PID 1108 wrote to memory of 2224	1108	Lcagpl32.exe	38
PID 1108 wrote to memory of 2224	1108	Lcagpl32.exe	38
PID 1108 wrote to memory of 2224	1108	Lcagpl32.exe	38
PID 1108 wrote to memory of 2224	1108	Lcagpl32.exe	38
PID 2224 wrote to memory of 2480	2224	Laegiq32.exe	39
PID 2224 wrote to memory of 2480	2224	Laegiq32.exe	39
PID 2224 wrote to memory of 2480	2224	Laegiq32.exe	39
PID 2224 wrote to memory of 2480	2224	Laegiq32.exe	39
PID 2480 wrote to memory of 2140	2480	Lbiqfied.exe	40
PID 2480 wrote to memory of 2140	2480	Lbiqfied.exe	40
PID 2480 wrote to memory of 2140	2480	Lbiqfied.exe	40
PID 2480 wrote to memory of 2140	2480	Lbiqfied.exe	40
PID 2140 wrote to memory of 2364	2140	Mbkmlh32.exe	41
PID 2140 wrote to memory of 2364	2140	Mbkmlh32.exe	41
PID 2140 wrote to memory of 2364	2140	Mbkmlh32.exe	41
PID 2140 wrote to memory of 2364	2140	Mbkmlh32.exe	41
PID 2364 wrote to memory of 2900	2364	Melfncqb.exe	42
PID 2364 wrote to memory of 2900	2364	Melfncqb.exe	42
PID 2364 wrote to memory of 2900	2364	Melfncqb.exe	42
PID 2364 wrote to memory of 2900	2364	Melfncqb.exe	42
PID 2900 wrote to memory of 900	2900	Mofglh32.exe	43
PID 2900 wrote to memory of 900	2900	Mofglh32.exe	43
PID 2900 wrote to memory of 900	2900	Mofglh32.exe	43
PID 2900 wrote to memory of 900	2900	Mofglh32.exe	43

C:\Users\Admin\AppData\Local\Temp\ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
"C:\Users\Admin\AppData\Local\Temp\ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Jnmlhchd.exe
  C:\Windows\system32\Jnmlhchd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Jgfqaiod.exe
    C:\Windows\system32\Jgfqaiod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\Jcmafj32.exe
      C:\Windows\system32\Jcmafj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Kbbngf32.exe
        
        C:\Windows\system32\Kbbngf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Mbkmlh32.exe
        
        C:\Windows\system32\Mbkmlh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        21⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Melfncqb.exe

Filesize
297KB

MD5
b0d74a4d38e4a710bba5c41caff69c8f

SHA1
6f06b8c98b5f90a17a4bfd17bde4db9f551d3797

SHA256
1a81a8cb58565e243b879b765726b980fbd3a7a16e6830a75dcc5b47dd3e395b

SHA512
e83ddfdf325e3f3fc4393ddf3319416ce39d8fab2495d948ea0d2cd73b30837153dbe67d78b72f192512358e26f0004d7a754ad83a48c0be788005d3e4084874

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
297KB

MD5
aa7e3d88d538154ecca92dfc0c67ca3c

SHA1
2c9fea190972d96b3881c24c1a80955a59f13889

SHA256
90ce632251e078a5940730cfb878a115e120cabe875e36cf9343fa7cd3b82c16

SHA512
0c9a910978c7649ba5984dabf0b39336e35a735fb857ad418008b5d7b592465f56db34f5b3000fcc94a434039a662f48c68baa6061eadfdc23a257e5b6af6f64

Download Submit
C:\Windows\SysWOW64\Mkoleq32.dll

Filesize
7KB

MD5
3fbc557af878f85135ccf4df13529bab

SHA1
198dbf3ba1ee17c7f490fc14d48cdafd86d5ae63

SHA256
38e909d692958834d463e14d763ae333746df85b762556f64992ae7a4bf6185d

SHA512
e37c06928a232e3c9de3930150031a8de0f13eae2900bfc8ee232c637cc918e66408f97d30994147eaa9a8dff340bcd2b6eebe8529932792116ceb3ef932930f

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
297KB

MD5
f6046e41258e0da363528ddd267461a9

SHA1
6821af6b5b48b5e4b8bac01a5ba586cb89d3f1d8

SHA256
653a987c23e45f973b3cf12a18b4e9e871f5659454ab05af81d855a493a0fe7a

SHA512
1e406cb58f0c613ce4e6382ed6eea8d6009dcabd119bdfd2b8512161bad7dbbaae232f49e387fd5067e6768037401aa6bdc67c642bcec666bf1ea0af11857505

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
297KB

MD5
26eb2bcc11fdbbb163d2029fcf6be600

SHA1
8af61515e6719662771e099236ca187ed5f1a2bc

SHA256
a071462a85e95de858df7c49f9c0f2c71bd02912afe1a5d3775f7eda93c3b055

SHA512
76639487667866076d1b53e7c006d79c8d09a7cadaaf19a47cc3d91a53c34ec1c00ecf6735de33780a58b02030183e32fb7097b56ed41669379eb9b70e6c0d92

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
297KB

MD5
307380e0e697afe51ebc5c2da2cca371

SHA1
2dd926df903516eb6840245bdbaa9cde257e29d7

SHA256
2f72a3949227321336443f573f6e464430d1c609e535c72fc80a7696ada9a9d1

SHA512
46b2ad5fb99974b7c52ca4533ea0aca52c2c7a29a88685a1cf5411e772648067bb373aa1e6d9fc091a5039b63a50636c43d51bf9617a7b360afe5eb2dd230f42

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
297KB

MD5
91c86abe6d2bb692c8547bd24b597e14

SHA1
ab5bdcb2f1bd422567bbe999133b1a7d4b1ac836

SHA256
f18544459ec594154fd871979cd52aaef1d4367e1316416bab2597b3549bd674

SHA512
747ed08c4684e161a90f3ca8ea770af8833b517fbc699d53df0d699822b788de6888809ceab59680b53d09e50e93c94fb57838ffbee697206c07f7bc0d094f29

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
297KB

MD5
37c280851cef400f5834b7e785d1d161

SHA1
84e020f6285c730605ab6d89643a1ee7d1843993

SHA256
ceee1a6fa4fb70cfadc78b18e5dffeb7bbb88a6c55b11acfb68f7602f40d16ff

SHA512
d1e7c5ea0d4f1a53a4fa0d7ba8dae19d91052cd67913247d7b7e409d6cc33876fdf78ba04b3b3a7e00214f7f8192e0a6b4d6eeb9c2c69274eef6ab06c0f08d34

Download Submit
\Windows\SysWOW64\Jgfqaiod.exe

Filesize
297KB

MD5
c3d699ac13902ff7aab4eb195358206b

SHA1
cc15b5191443c74a0d288531438b0c784a5f8f9a

SHA256
87134102381737f7369e484595dfe5a4c1ee989623cb4485ef60fc5deb8d12fd

SHA512
4c3f636487dc59131645d7064ed5ea647345b39e974ea653d5beb7c919606d26dc164c5ac582607d2622f3725c7443c892b912ac27e17f70865b3cf9880fe104

Download Submit
\Windows\SysWOW64\Jnmlhchd.exe

Filesize
297KB

MD5
6d46143ac6e275268bd8c9eddd05b9e1

SHA1
64939b78de7f394f8c5cd7180ea94b7dc5cf0219

SHA256
fb4e2e50943e468dbd1186781a7d5a9a9887fb26393bb97d1b5eb44200cd71ad

SHA512
4d7ed72e93c68c426f8a349efb4ce013ba217cde4ce369f98e25db7df1be51d0ee1f07efb9ff7d1a8318dadb58dbef1c73c514b4b09c9884c0a2414d1aac2643

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
297KB

MD5
b4de2729068e6115fe4ba67fb4866b0b

SHA1
a8f65c643437f7610708b7b2ddd079de4eae25c5

SHA256
4b9e26424842026b4694d27003b09733fca33f3a3156aafc854899390b6212b4

SHA512
47b9139f5bf57fee1eb11a7acc934fbf843e542527d2ac7602f66b53bf299d9552ed3316648a7a22a564d80c790edd44985204baccbbf7e9166f64256faafc2c

Download Submit
\Windows\SysWOW64\Kbbngf32.exe

Filesize
297KB

MD5
c8c57b86d599812ee936124202535062

SHA1
bf38b781a286fb77cc3beaf0fa7a017a06c3939e

SHA256
3180ea44a0a95ad5396fec55aebc9340752b43a46841702afa3a8de6f18c9e01

SHA512
1415ac99a603780598afd6a73e8661f6ab7487b0f0a1bad2e0033e3c2d3a7e370c7c4aca85e43057131b55133514e6038a2e9472c77d61f5004e9637bb3a6946

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
297KB

MD5
d9709576251ab48186242fc56c40274a

SHA1
b095f81be394ac003bbd5d8a9eb23f8ab8b93aa2

SHA256
8efeeaf220913a4bc9246b9d35be34a88e1585fb1538075620dfd410f9d3d67f

SHA512
a3219ca396a7e6f4c8a84208d3ccafbce78004c2af7da0c75bb360caa6c9c3f1552617d5fa8b7d17d8700e1e2657e7307b0032597e20fd8cfc334af2fbfdc351

Download Submit
\Windows\SysWOW64\Keednado.exe

Filesize
297KB

MD5
c911f41ea9207962b8a1f2756e682a02

SHA1
3471b6858de73f7d2cd67d5de3abb01091741eeb

SHA256
fc7608d82eb41be37756ce354b6f2e819e5a1dc6a4d661046ec3ea0bf694a33e

SHA512
26c0f95c9357e397b4d6722fa7915f1ca40b7df4de62104030ba6c2e7112ec1a1ddbb19eba70bd655540302ceb17e7ea09eb38ca95b098f6078a01b68bde0ebe

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
297KB

MD5
4ed3a15076eb5db2c984bae6c2810063

SHA1
5319843529e49e84cee6fc583d38e4be4bfbd97f

SHA256
6d523a9965acbf2ae35394ed1af7f471907e7ef9e52c1d279a14d8b8341a24b4

SHA512
bd42c820fb6431ccb2b2934afe362cebeccd1383eef321b0deae1b4a39908b0b84be744dc6bfe315adf1d20d08004e913689d1d18b318a25e377ee118ffae0ba

Download Submit
\Windows\SysWOW64\Laegiq32.exe

Filesize
297KB

MD5
7f65c81a4ff458d200901bbde8e73b83

SHA1
65bf61592455eeefd17fe04f842a6b7e4fc040ec

SHA256
df2495fa7fad5f29e468f61d7cf29915034efdcce03f761567550c3015996b42

SHA512
417b6b92a7d5d8e144bd3b8240634a9e6f8396ab8d70edf2675a24e23a5f3a209d49abbee6a55b1037333f30eb5eccb247d268b3056764e7719f8634040817da

Download Submit
\Windows\SysWOW64\Lbiqfied.exe

Filesize
297KB

MD5
f1d3c119ea6347d11fd605dd566c7c43

SHA1
b59c360eb8fd72aebab4ae8d187ebccf752776fb

SHA256
42cbbf0f66cfa02c0210ebf583a5277b6d2dba1a9f1e9cc8d3a6832a17edf8a9

SHA512
4e97574da794fe0fcf9ce1d5d9efe6d81060607b67e4cd11924127d2c865da5babafa50241b8adbc7b5fde7f8ea2a78f98ce8c746789cd67eea243cb29e90d33

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
297KB

MD5
7a90b0501a810e9a31a628f779f902e6

SHA1
b5fdf04f2232480e6f91ddf862f599f884d30e07

SHA256
c8817c54886851122ae2354b1400fb365bc727169f89f9a90e98c2e06c9e40c9

SHA512
805f63126384b6452b63de81f91cb91016c0e65ee6ab7298a01aae9efd506c1aededc22a535d647b30ba11b3c7a90bb018fd3055553c78857d93f08269489b38

Download Submit
\Windows\SysWOW64\Lnbbbffj.exe

Filesize
297KB

MD5
7f5737e83b82ff03bf3d50f4e523845b

SHA1
5cacc49d6f79093ad5b63e302dc303befd9ed93d

SHA256
2c4bdd1095a71401e2e1caaa1c636ed6a3703dcdaff5e134f505d7cea7a6746c

SHA512
4c4c171f00820fc8796f2e9323820f8ccf629162fb8ab9470b02dd51b4e2679c29d12711fd54be5f1e514fc305063852ef64ad4922712477a24f60a1b00a9e24

Download Submit
\Windows\SysWOW64\Mbkmlh32.exe

Filesize
297KB

MD5
884ebb4c21b9a066be93d3da78fb9bf1

SHA1
c1dad2c42a4f0162d694ee2fb6c7356cb26ec96f

SHA256
f6b5f0f12965e86216f4bd70efc2aefb3232806e7572dd169c439f8d859c0b93

SHA512
6be789b7377ad00ec8e2665cf7a292ba368a9cfe764aa063bd0e92781210fab72bb6aaf31565b77f1a08aaf4882d91e42d6d971758abc2f7773ccc812ee234db

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
297KB

MD5
5fbf34e942c5d0bd47f27ee4e9d7b069

SHA1
c674d5daeb1d0e6f402487f938188f34370985ef

SHA256
e4d293d5737719ce577da29e9250167bed644866a44c2bf235993730234127d1

SHA512
6972f928682f604ce585c45cd5dc651e2303c7f0365efbc4756366aac703364ff011cbf60a761251c4261aba8fe605764f0d49de98e605b747dc7800775e3a84

Download Submit
memory/900-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-234-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/900-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-110-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1532-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-263-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1688-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-254-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1820-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-18-0x0000000001C00000-0x0000000001C33000-memory.dmp

Filesize
204KB

Download
memory/2056-6-0x0000000001C00000-0x0000000001C33000-memory.dmp

Filesize
204KB

Download
memory/2140-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-200-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2140-193-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2224-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-172-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2224-160-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2244-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-242-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2364-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-207-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2480-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-39-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2624-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-81-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2660-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-60-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2668-53-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2676-64-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2676-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-143-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2856-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-137-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2856-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-229-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2900-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-222-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2900-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-91-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2956-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads