89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 22:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Size

80KB
MD5

622f90fe12f57146eb38eec6b41034ac
SHA1

f5c68885667d97fbe8a912e24115028a576225dc
SHA256

89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008
SHA512

8fbc6db41af5b9a3978d4fe65e5d87616e415b935e2e00bfcf8aa948bdfb4dd299ab97f9169cc41f2d6d32b42022cb949a1e6ed4248f2de3ae72151dae1239a8
SSDEEP

1536:qXpDCP4ByT/Y9mx22GT2LtIwfi+TjRC/6y:h4Bo/imx22Jewf1TjYD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
1336	Jaimbj32.exe
1032	Jfffjqdf.exe
4092	Jmpngk32.exe
5116	Jpojcf32.exe
2912	Jfhbppbc.exe
2936	Jdmcidam.exe
3876	Jfkoeppq.exe
1048	Kmegbjgn.exe
2044	Kpccnefa.exe
3004	Kbapjafe.exe
5100	Kilhgk32.exe
1436	Kacphh32.exe
540	Kbdmpqcb.exe
3984	Kkkdan32.exe
3312	Kmjqmi32.exe
1036	Kaemnhla.exe
3992	Kbfiep32.exe
2240	Kipabjil.exe
4880	Kagichjo.exe
5092	Kdffocib.exe
4876	Kgdbkohf.exe
3264	Kmnjhioc.exe
1888	Kpmfddnf.exe
244	Kckbqpnj.exe
2828	Liekmj32.exe
2604	Lpocjdld.exe
4704	Lcmofolg.exe
4368	Lmccchkn.exe
4448	Lpappc32.exe
2092	Lijdhiaa.exe
2144	Lpcmec32.exe
3840	Lgneampk.exe
2880	Laciofpa.exe
532	Lcdegnep.exe
3268	Lklnhlfb.exe
3484	Lnjjdgee.exe
2548	Lddbqa32.exe
3812	Lknjmkdo.exe
3784	Mnlfigcc.exe
4420	Mpkbebbf.exe
1708	Mciobn32.exe
2288	Mkpgck32.exe
5088	Mnocof32.exe
1312	Mgghhlhq.exe
4548	Mnapdf32.exe
4940	Mpolqa32.exe
760	Mcnhmm32.exe
1824	Mkepnjng.exe
2872	Mncmjfmk.exe
404	Mdmegp32.exe
3024	Mkgmcjld.exe
4744	Mnfipekh.exe
4936	Mdpalp32.exe
2460	Nkjjij32.exe
4288	Nnhfee32.exe
2968	Ndbnboqb.exe
4996	Nklfoi32.exe
1180	Njogjfoj.exe
816	Ncgkcl32.exe
3420	Nkncdifl.exe
2344	Nbhkac32.exe
4908	Ncihikcg.exe
1988	Njcpee32.exe
4100	Nqmhbpba.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	1696	WerFault.exe	157

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1336	456	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe	89
PID 456 wrote to memory of 1336	456	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe	89
PID 456 wrote to memory of 1336	456	89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe	89
PID 1336 wrote to memory of 1032	1336	Jaimbj32.exe	90
PID 1336 wrote to memory of 1032	1336	Jaimbj32.exe	90
PID 1336 wrote to memory of 1032	1336	Jaimbj32.exe	90
PID 1032 wrote to memory of 4092	1032	Jfffjqdf.exe	91
PID 1032 wrote to memory of 4092	1032	Jfffjqdf.exe	91
PID 1032 wrote to memory of 4092	1032	Jfffjqdf.exe	91
PID 4092 wrote to memory of 5116	4092	Jmpngk32.exe	92
PID 4092 wrote to memory of 5116	4092	Jmpngk32.exe	92
PID 4092 wrote to memory of 5116	4092	Jmpngk32.exe	92
PID 5116 wrote to memory of 2912	5116	Jpojcf32.exe	93
PID 5116 wrote to memory of 2912	5116	Jpojcf32.exe	93
PID 5116 wrote to memory of 2912	5116	Jpojcf32.exe	93
PID 2912 wrote to memory of 2936	2912	Jfhbppbc.exe	94
PID 2912 wrote to memory of 2936	2912	Jfhbppbc.exe	94
PID 2912 wrote to memory of 2936	2912	Jfhbppbc.exe	94
PID 2936 wrote to memory of 3876	2936	Jdmcidam.exe	95
PID 2936 wrote to memory of 3876	2936	Jdmcidam.exe	95
PID 2936 wrote to memory of 3876	2936	Jdmcidam.exe	95
PID 3876 wrote to memory of 1048	3876	Jfkoeppq.exe	96
PID 3876 wrote to memory of 1048	3876	Jfkoeppq.exe	96
PID 3876 wrote to memory of 1048	3876	Jfkoeppq.exe	96
PID 1048 wrote to memory of 2044	1048	Kmegbjgn.exe	97
PID 1048 wrote to memory of 2044	1048	Kmegbjgn.exe	97
PID 1048 wrote to memory of 2044	1048	Kmegbjgn.exe	97
PID 2044 wrote to memory of 3004	2044	Kpccnefa.exe	98
PID 2044 wrote to memory of 3004	2044	Kpccnefa.exe	98
PID 2044 wrote to memory of 3004	2044	Kpccnefa.exe	98
PID 3004 wrote to memory of 5100	3004	Kbapjafe.exe	99
PID 3004 wrote to memory of 5100	3004	Kbapjafe.exe	99
PID 3004 wrote to memory of 5100	3004	Kbapjafe.exe	99
PID 5100 wrote to memory of 1436	5100	Kilhgk32.exe	100
PID 5100 wrote to memory of 1436	5100	Kilhgk32.exe	100
PID 5100 wrote to memory of 1436	5100	Kilhgk32.exe	100
PID 1436 wrote to memory of 540	1436	Kacphh32.exe	101
PID 1436 wrote to memory of 540	1436	Kacphh32.exe	101
PID 1436 wrote to memory of 540	1436	Kacphh32.exe	101
PID 540 wrote to memory of 3984	540	Kbdmpqcb.exe	102
PID 540 wrote to memory of 3984	540	Kbdmpqcb.exe	102
PID 540 wrote to memory of 3984	540	Kbdmpqcb.exe	102
PID 3984 wrote to memory of 3312	3984	Kkkdan32.exe	103
PID 3984 wrote to memory of 3312	3984	Kkkdan32.exe	103
PID 3984 wrote to memory of 3312	3984	Kkkdan32.exe	103
PID 3312 wrote to memory of 1036	3312	Kmjqmi32.exe	104
PID 3312 wrote to memory of 1036	3312	Kmjqmi32.exe	104
PID 3312 wrote to memory of 1036	3312	Kmjqmi32.exe	104
PID 1036 wrote to memory of 3992	1036	Kaemnhla.exe	105
PID 1036 wrote to memory of 3992	1036	Kaemnhla.exe	105
PID 1036 wrote to memory of 3992	1036	Kaemnhla.exe	105
PID 3992 wrote to memory of 2240	3992	Kbfiep32.exe	106
PID 3992 wrote to memory of 2240	3992	Kbfiep32.exe	106
PID 3992 wrote to memory of 2240	3992	Kbfiep32.exe	106
PID 2240 wrote to memory of 4880	2240	Kipabjil.exe	107
PID 2240 wrote to memory of 4880	2240	Kipabjil.exe	107
PID 2240 wrote to memory of 4880	2240	Kipabjil.exe	107
PID 4880 wrote to memory of 5092	4880	Kagichjo.exe	108
PID 4880 wrote to memory of 5092	4880	Kagichjo.exe	108
PID 4880 wrote to memory of 5092	4880	Kagichjo.exe	108
PID 5092 wrote to memory of 4876	5092	Kdffocib.exe	109
PID 5092 wrote to memory of 4876	5092	Kdffocib.exe	109
PID 5092 wrote to memory of 4876	5092	Kdffocib.exe	109
PID 4876 wrote to memory of 3264	4876	Kgdbkohf.exe	110

C:\Users\Admin\AppData\Local\Temp\89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe
"C:\Users\Admin\AppData\Local\Temp\89440f94fe9186daba94ebd1bcefeaa1ef9fae3427ae2319672c00a7c7c3a008.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\Jaimbj32.exe
  C:\Windows\system32\Jaimbj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Jmpngk32.exe
      C:\Windows\system32\Jmpngk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        26⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        37⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        45⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        67⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 404
        68⤵
        Program crash
        
        PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1696 -ip 1696
1⤵
PID:3228

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR

Response

178.178.17.96.in-addr.arpa

IN PTR

a96-17-178-178deploystaticakamaitechnologiescom
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3A9720550061687214BE34120146692E; domain=.bing.com; expires=Sun, 13-Apr-2025 22:17:17 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 228D4518E83043AC95EA77C587A619C0 Ref B: LON04EDGE0722 Ref C: 2024-03-19T22:17:17Z
date: Tue, 19 Mar 2024 22:17:16 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A9720550061687214BE34120146692E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Vl7bhbLieSNAEstLlWCSiD4xFQo_Rn2phnI3fikmlxw; domain=.bing.com; expires=Sun, 13-Apr-2025 22:17:18 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 89295B73CA80409BBC4E9BF2A9CF21C5 Ref B: LON04EDGE0722 Ref C: 2024-03-19T22:17:18Z
date: Tue, 19 Mar 2024 22:17:17 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A9720550061687214BE34120146692E; MSPTC=Vl7bhbLieSNAEstLlWCSiD4xFQo_Rn2phnI3fikmlxw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D95940BE64084EFBA90AF8129B0BBA8E Ref B: LON04EDGE0722 Ref C: 2024-03-19T22:17:18Z
date: Tue, 19 Mar 2024 22:17:17 GMT
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

185.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.13.222.173.in-addr.arpa

IN PTR

Response

185.13.222.173.in-addr.arpa

IN PTR

a173-222-13-185deploystaticakamaitechnologiescom
DNS

185.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.13.222.173.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

204.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

204.178.17.96.in-addr.arpa

IN PTR

Response

204.178.17.96.in-addr.arpa

IN PTR

a96-17-178-204deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

199.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.178.17.96.in-addr.arpa

IN PTR

Response

199.178.17.96.in-addr.arpa

IN PTR

a96-17-178-199deploystaticakamaitechnologiescom
DNS

199.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.178.17.96.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

43.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.134.221.88.in-addr.arpa

IN PTR

Response

43.134.221.88.in-addr.arpa

IN PTR

a88-221-134-43deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388198_1GADU0ALT21F8UZ71&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388198_1GADU0ALT21F8UZ71&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 425606
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2C86D90CAC7F4B77AFA566EAD5AD2E9E Ref B: LON04EDGE0914 Ref C: 2024-03-19T22:18:57Z
date: Tue, 19 Mar 2024 22:18:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388197_1WZILQES2P5AMHCG6&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388197_1WZILQES2P5AMHCG6&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 223754
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1A27DEBEEFF41E19737CECC4D5B8AAA Ref B: LON04EDGE0914 Ref C: 2024-03-19T22:18:57Z
date: Tue, 19 Mar 2024 22:18:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 380166
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 33C3D83E0B91469D9833B8D068586703 Ref B: LON04EDGE0914 Ref C: 2024-03-19T22:18:57Z
date: Tue, 19 Mar 2024 22:18:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

tls, http2

2.3kB
9.2kB
23
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a4dc347da144234807cb47585031fd0&localId=w:011BA1D4-FCB1-62A8-177E-91C13F9689FB&deviceId=6966557510629837&anid=

HTTP Response

204
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.1kB
17
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

tls, http2

30.8kB
806.1kB
600
592

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388198_1GADU0ALT21F8UZ71&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388197_1WZILQES2P5AMHCG6&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.1kB
17
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.2kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.9kB
9.9kB
20
14

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

232.168.11.51.in-addr.arpa

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

74.32.126.40.in-addr.arpa

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

178.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

178.178.17.96.in-addr.arpa

DNS Request

178.178.17.96.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

146 B
147 B
2
1

DNS Request

149.220.183.52.in-addr.arpa

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

241.154.82.20.in-addr.arpa

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

112 B
158 B
2
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

185.13.222.173.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

185.13.222.173.in-addr.arpa

DNS Request

185.13.222.173.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

204.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

204.178.17.96.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

199.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

199.178.17.96.in-addr.arpa

DNS Request

199.178.17.96.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

142 B
232 B
2
2

DNS Request

0.205.248.87.in-addr.arpa

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

43.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

43.134.221.88.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
80KB

MD5
bd42c2b6621512809edac953f75603ec

SHA1
021f3f6016f36f1b41edc503173bb026d2e7a4ea

SHA256
c7d99e4bb6d2ec105e6a0ff87be42f98bd64541ef36a622d451fbadf78b715ed

SHA512
c0ffe49645e1964ebc8aa568aff74a9197a51707af8400dd01eb68046bb01e44004bf102cdacd28995955dba5ec45201d0a75f0d6426d491834fd60eed2af4a4

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
ccc16b6bbcf304d71adbe3ae3d1eb949

SHA1
99fe97d06f90f9b9240df8cbd4d96ea9c16b4571

SHA256
61c0f12caa18c6804bc2953e51133887e7bec3b6a6f599ae9df17f77f67a4c93

SHA512
760ec4c81383f3760be1e5858cbce5751b6b6180f8899c8d04bc06604297888ff9da9ee57bc533c594ea793813d2a830c64963889df3f411eed5f9e073e3933a

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
80KB

MD5
bde941b0cbb0c06c358521e19133e012

SHA1
3834d95780ace895d7dabc0c337a61ad93806428

SHA256
83eec520affa444f28eee991b357d9763aee575e9e807e9bae49c5e2a5dc1349

SHA512
d8b846d5c20e8217e4932be5930b28ab0b5c86ef342fd789549bc70b39360340a3924c9b4f4232c62a8b044ceae30d45716aeb780a57cde8a6500395959d5266

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
80KB

MD5
bb2d94d117dd9b23baebb10dabb023a4

SHA1
f0395cc328da7830b147026745b6a676d77c1b01

SHA256
f8729be294209eda308cbbe17b34cd7d32d175a5fd6e31ab484d06e4f0d296c3

SHA512
59fb673e1d272d51a72c6f7b35b7534cde92b23e2b38d901b241a182ee5938eb41ee54420b000357b2a678ab29a4be23ecec665127e0d31fba73d52562b24c63

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
ffca23bfdd535c61998f073a58cdd32d

SHA1
bfae0b02a196d31dfe39924ed4ef190753ef9edf

SHA256
bccf30643865368a1974d172a51e9d6b60c8b9d86e90b645ff9490349f5f07c6

SHA512
52842430ec0bcde81d93d9044e92aa1f9f8c283685479b8080b8e9a1cfdb587c4896458e56ef922491cc3ee8cb832bf649372ac854fa855dacc7fa0c428a17ff

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
80KB

MD5
51ed65b7d5862af55a9145e4637fbcba

SHA1
343c8295a0f76bcd7392f062bf6b4d698ceb288d

SHA256
964d0fb2208bf72d0f7a7f6b723a4e6c20d5e8da5fdaa3703275129bcc4b07f1

SHA512
d0eb48e311e09a3fd4ed2a3fca021b187f6a71486d3711a4c7f4506938f99e037925eade201cfc59568d7e746551efe20ab35a510a47c0ec819ac30b8391bea9

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
80KB

MD5
3a76783b794c4f2fbee4b71d0f8f856b

SHA1
76599749dd36252071baa68bf63621d607a4a182

SHA256
c619b007f552c2fa2ad978ab26ec56fa0bf522fe1d4d9004053629413aacd05a

SHA512
d0158fb5d4fa5dd836d638f30dfe25b6201432d5ec419238800dccd533708bf46f14f818f53babdc7a9966989128e73ab3d0b61bd0eaf608a67e1dac4353f623

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
dab3f10a3ee47d80aba51b83b48512a8

SHA1
99e3cd760eeea54654420f9cbe0acfea23c75b31

SHA256
361e1b53dfe4f8370cdac0dece3bd7d96bd86039c9592072ec84feb2de6987b9

SHA512
221b1f75d5acc28d3a8c76a6ca1ee6eaae3d83f6373563cb964d69b6716783ddd6f77df035b203cfefa6074a87e2caba8e835a086006667497101d90dcc7df29

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
80KB

MD5
2fa3f3d2798cdce9b545758f7e47cd29

SHA1
93c8416806c120a6250812eeedfe6a9be403ea25

SHA256
4ca41619a2d2afc76bfbaf2cf77cfd6d94dd2ac2950bf74cbe271dac3ebdaeae

SHA512
fc4cc22c87ab75952ec699353410191778fcf5a0b88c3bc64f634d956512bf135be7889fac3f77925abad6f901230757313e6fcfff1b4e7d02c08961f61d6875

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
80KB

MD5
6629f6af6fa287f00fa0c12189f6130a

SHA1
7c2f8495602f0a85eeb70017129102e3ab609bcb

SHA256
380356325b56b9faf570b556d7d23604c7d406384f6b371de7ce8cb21b88f821

SHA512
a4923d7e448eaedf641347fbf57ce117bf5c77a3a40c3743d416a5507af26c3b7b571bf459f857875d441d0872fb063328fb689deff2ef6bcd0e63d201fd5d2e

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
80KB

MD5
c450b9c627d8969adc6732ed7d091e5b

SHA1
544ec26d948de91ee95878428f3d52c4af09beef

SHA256
e29ba59c133c4879cc431329f5793e077d9100c3c7a8ea7240437efa4dce80fa

SHA512
f4c3bced4b558d1d338a6c8330d6b8fc40e0128c6e3c8646ec530cfb606ce4858f08ba4ce4d61a41dfaa669fa59898caae6d8bb580dc831d2429ee55a80e4bed

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
80KB

MD5
97668d62fd8c29de118f7f01306ddff4

SHA1
f86414707ab42ee8c1b12b4b4632e13b8eba5424

SHA256
af542451750afc933f7130e3588d6016ef86dfe75a1e4e8ad08074d6376813cf

SHA512
1d16f3a87b44ad4afe88e3a509153e495e6a0350b1c8780406855e2081387b9efcc8563d8b7da33cc4503beaa8245ce8a9c4525f27926764fe0f614bcc8a2bb3

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
80KB

MD5
16ee230fd649068648b83fc55a83d900

SHA1
131ce66747a705b14e0eecddd4c2080247f6212c

SHA256
3ad224948497a84a03849a811ee9824a10ead44993bbdd490c0a0758fca21d4a

SHA512
0ea59dc5dc4c0b56cde6950801eb88463730d509957ba971dd4f124bc8e8cf181bf880a3b623ebfd8dbb936df11dbdf8a6ecd40038cd1789947ba9be69973b95

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
ccc0345e4d29ba05d63f162fe59fbbe7

SHA1
13c5a15f343d95fe61d30c5a2aa04aba2947ab71

SHA256
c14aef05999204af29091e9dc5fc8468ddf80869193e9f7868a43a5c1e6f23f8

SHA512
520bad40b00d0484273cb771fe77bb10bcc304b4883322253cb5d5ca664806852cdae260c097ecdbba52cd234086278f818914a8e58fa5b32466d10d65a8ffbe

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
80KB

MD5
c4417243d0f73cb6019a7a47dcf4d565

SHA1
fd7b828d7fe52150cb60bdbdb9491568df064320

SHA256
7d9fd1d626acf8059dea8bc21d4e88b7793f7557cde6be874c395443de514185

SHA512
88a86def2fb21c3d15f92c3372c744464478ca108e3076822677a242924d1a6d982d02f1dd70dac7baba3fa0199d59d6bcda55fd5a6403f01c7cfbce5a1f4099

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
875445021cba95c36ad8ef86cfbdb787

SHA1
fec6697458c369444d6c225a83add4573398c67e

SHA256
1503de293dc0b7a0382cbf1b32f9404e81f50a705584cd12ca1a048fdafd3642

SHA512
63e09e96567e8f0c000e56bb639648205d080bb1d5d227c5df6c714d5c7bc1ad3883a402a3acf4ade2dbd13145cc2c93fae230fe45de64d1954ecb248dd1d40d

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
80KB

MD5
10c34d169d99f00f27f0ae3cd1edc482

SHA1
de4ce6c1674f9624f6def4d386763701e1aa6062

SHA256
9e71d6c2e6e184f4f5277c78b7fea03e6b97f114d551cd2c73b3684017143399

SHA512
9b98a1d7a7da9bd5babe0e59e082158ab367f269cf17e9ede1c8eb7ec529b1c940241a9c454daf55fef6dccb11ac5baf915261d3a4e446b9d6d3cfa966a6ff5d

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
80KB

MD5
8b3b179c8fa818a1ddef93771d6f5f2c

SHA1
52ad46fedd8987e6abc9747040dbb49d9097033e

SHA256
fa7132910561cb437e72c72c1429de53c9b74d6a66318abd551681d86ccf3a02

SHA512
e064ec9f49965896653969efc3a8b5dfda864bfafd55eeb3900fd5f864e1442d4ab1e667d3e9e70415a615145424fffa19d0c62d771c12faffafdc5d817d7030

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
8a7c4c173c608d3fc94ec81667cf7ccb

SHA1
333bba6fe6bcdc39c1b3b6c736e9aa0116361bed

SHA256
3574342ab8ba67bdfeb5b47b2958e397b534ebc44e03b9b09c9f7268e68cc0f8

SHA512
d4eebba35891cfa58bff6a1aa9d4a14ed9cce8686d8c1ea9ddcaf6e4e36900a8b29273d2c93f6e26bfe948a2f97a704b4153d1b1e374c5fcfb307e1313642f51

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
71bc66b55445361783fddacde3872c70

SHA1
66e0b37b0946fa2189adc2d1042dc7e8ce7cd087

SHA256
128796453be54c292232bf6d01d21a1099a76236f75b22bec17f1b27ec75f9f1

SHA512
34b6b16e8ca0e21effee3ecee7bf1bd9af293fb7547dae9975060c10903472ee9c03e09a7f14d56d7764fcc61f0fd8cc41360b3bd9ef9cd84332654ade49a39f

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
80KB

MD5
059014a06439fba3cbe1dab848a1356d

SHA1
ec00a4383cc2d4a75a2d0fffcacf422d275cd481

SHA256
9d1179aa77a5adbc19696ee276e4840cd47975efc4dfa5fe65b209ae332f89b4

SHA512
23d5b268bafea5a26fe18212b768cde759f8935bd88c30f56261e48c4624fb02f40d327ebb926fbb3d424296edd2a6f2c22028ef59a94e9aa394bbd064110585

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
96a66a42e986b03643ed1b91cf589524

SHA1
44eeca9b57f2d28fe31de6831ddac43137400a9f

SHA256
03abf589c53993fab04ea628cdf5131a8023f3d89cb5ba9bb741c1e07b06ee84

SHA512
e3d490af13c76e63af4a4ebd34621cfbfd978446a4a2d8c70db8150c2ce2fc8ca206aa982ef2d3c4d74de84a42dae09e5ee6a798d20175784ebdbdbf047d28a5

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
a2aeff3c56b081e3f8dc71281aaefd00

SHA1
a242228487cc91632cb91b5fc0acdba25e32345b

SHA256
4fe2475afaedc002de0e7ae37caca1b567fb119529afdd5002e409c9901e8d80

SHA512
b2476a605b3a3068d2a3ef4bed4b654c0483e2cd932d44d823654c3c0d809e169850a8d129fde735c0704645b329d9b1473b6f1ba4cba093a9e32d9d0e23e29f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
80KB

MD5
752168c813f91ba86bd545e9f3ef2003

SHA1
448ec5b95b0cd9bfcde5b8d4831a864edbcb4211

SHA256
5a9785b6697c2ac82f9ec1ec793db11ce78596d6c6c2c3cfc4e48c660f3fdd23

SHA512
29aa09a1fda93e94f25fbfadc716e5bfc6245bd6c60759019d90dd69fe5a557925c4c44b4bd4720389b317d03818dbc9edbef0b29c7e39da4819e67a8aa3bef4

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
a5e614117b02442b881195d2f56f23e6

SHA1
abcd24fda94bc79177d0c440d210607bf38340c4

SHA256
d58491a19eb1531ffb80dd32e6ce18068a8ece5fde47b8e16ec90930f3b9340d

SHA512
286fa006a80789746264b04a5fa1830d7cafc6f43d7d71c29605cbb46fa1f92f05745e395d940267c91ead6661e8be32a4290d74bc3ac29072be37924bef35dc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
80KB

MD5
77c0aa70248f7495cc9f89c7b468d819

SHA1
8eb03adb43e1b700bdbc4dbc48c2bcc9e74e60ea

SHA256
c5110b8bde58e0969b125eaf68dda991fea480fb80a986f3518ea75d25e22dc1

SHA512
c870aff1581ea5d374905f4a590a5a554772447e299d318465cc8a5959ab55729af733ef1a464ea4fb7cc2af2a51d6c83e63c6eacac76a287a8f5284f0c227c6

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
e776372681eac92e54ad6833c8bef0f4

SHA1
d9e5a307cdc2b6d4750f8006fd6a8f708a724ffb

SHA256
4ff9675f3ba2571234c8b0d282c5861801026914be0e212bf8425052eaa4cf4d

SHA512
c8342689261ad4c10b5c0c57ba951db0f9e06b39ab75e0c8c2d84d1a50afc8c825ff26be248099ad4e76cdaebbf11448743dc92edd29d6739e62215acbec9ac2

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
932276f09fda5e631f7760a745f0dbc7

SHA1
69a47e3df431ba5ca1c4af16e9c4a927c2dd1bd5

SHA256
03d1ea54bac138bc1ee49ce46492919093eecc0571dfdbc22d81f7efbd392d85

SHA512
61e5f55f49b68cffcfb3d4ae2002e6ab098eee766cff0899477b27befb9a271566b342cad1c47b8cede2a745b5e6242644ceff8d4e3d15e36ea8593da997b54a

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
ec62568a1d24eaf0c571b515832ce7a3

SHA1
0f0d654450ac9965a4f9e0d03ec3d3093a7d1e56

SHA256
7057d0e6af11858f0d791074a73b4810a7717e101121aada2ab4a6ab6a23e6f3

SHA512
d7c72d014a752fe6e44d5b39e8d7b3c51222f941990900a56f991d80e9ee5e46c272c6b41043da32499ce3d70a5a44d947f7191d39f9b98926742bef49c93431

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
44338cafd98c186a27216304e4942e8d

SHA1
08c39d3f2c769b8e32988610717d6a034c2b4c35

SHA256
75a2f1603e47619c27f9cc777db75e33339fe944e63abd9df0b1ccb01f7a7439

SHA512
eb07acfc2dd5bfdcbf086b061dd8c007e71c28671a86e2901259eb4ff072736e8e3ee991ed27846e75fc57b1a57067dd37fb7aec71c0123286814da292deeca5

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
80KB

MD5
7c2a530294ab82f6aa04509f46bc1c18

SHA1
f0621a5939e987477fc0881abf62d54e70c684a8

SHA256
d0b860480e3e9065df5a2771b52bf9de2429a78d176b22aa90544da1593f4061

SHA512
720fe35a4e63963f98ec863fbb4ae0018efa73aedb2ddd8d6198d674762c7aabea0b71d3d3ce4e0eb8eb773a7fdf51c6fa8ffcf571d06a7d8cb32976f4c9236c

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
d572382cb0859fb941d8977a7812caf2

SHA1
47be73d06a3978a4e8d3cbabfea46b06fdf21d06

SHA256
031a845052e2b2312f22bfa835fce5020d8343211f2adcd0d44450dcb135a645

SHA512
300ba61e81b95f284dd8622544ed0d4698eff67a0e1f73a5ff7ca21dfc5776eca7a28f7d0fc1adee31d0b19a775902620519b099828e93377c89c3959e59b025

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
80KB

MD5
0f13c7fcdc68d872a30680d0e3554cb9

SHA1
9449b19e5052b8c47cf4d8abe8e843101a2bf552

SHA256
27a08ba0fcae4f272d82c3cd8e673962392fe2e2fc9005a5f6335531c19c2ef1

SHA512
42d749de52a9058b4fa2b49eeb509a7f804511bb384e028529b70495e6018d203b829b540209baa10c74774736c619ad423ead7663a56e89320bc96b399b4aab

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
80KB

MD5
7b631d7c7c67b5e28acad73191fb1442

SHA1
eb32c8e32725e039186468489c21e8e4795294b1

SHA256
eb9c252d109b25d9ba116fe76da96921568e1f9c83984a00848c6dc796855a53

SHA512
e31f2abf83bc8913c5363b82292eb52bccfcbbc00da865bf1ab2e1f482f9d647fc6233fc344ec7a7dc931f8c6c10ce8a712655fb91cf35c0c0df234fc271b606

Download Submit
memory/244-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.