ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68

Analysis

max time kernel
144s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe
Size

352KB
MD5

b97023195364f4470fba6257db2d4930
SHA1

dfef0ca407c4346e6db6dc86205f18ea484b14ed
SHA256

ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68
SHA512

ca5870e84b00067ed4c6c2f41f54f257b52e8ffb6916e1207021799c7a7100923a9d8935c8f32c45d43b34157316b6f342456e5b955033fad9d59f4649034b3d
SSDEEP

6144:xFKN85SyKoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:La85Z6t3XGCByvNv54B9f01ZmHByvNv5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe

Executes dropped EXE 64 IoCs

pid	Process
1336	Jbhmdbnp.exe
2164	Jibeql32.exe
2092	Jplmmfmi.exe
5116	Jidbflcj.exe
380	Jdjfcecp.exe
4424	Jkdnpo32.exe
3144	Jpaghf32.exe
4808	Jbocea32.exe
2696	Jkfkfohj.exe
2484	Kmegbjgn.exe
2664	Kpccnefa.exe
4484	Kbapjafe.exe
4104	Kgmlkp32.exe
1908	Kmgdgjek.exe
1880	Kpepcedo.exe
4140	Kgphpo32.exe
3532	Kinemkko.exe
932	Kmjqmi32.exe
3172	Kphmie32.exe
2288	Kbfiep32.exe
4688	Kknafn32.exe
2868	Kipabjil.exe
3204	Kagichjo.exe
1584	Kpjjod32.exe
4324	Kdffocib.exe
3564	Kgdbkohf.exe
32	Kibnhjgj.exe
884	Kmnjhioc.exe
1724	Kajfig32.exe
1448	Kpmfddnf.exe
2608	Kckbqpnj.exe
3048	Kgfoan32.exe
4712	Kkbkamnl.exe
4912	Lmqgnhmp.exe
3800	Lalcng32.exe
2936	Ldkojb32.exe
3024	Lcmofolg.exe
1288	Lgikfn32.exe
2428	Lkdggmlj.exe
3572	Lmccchkn.exe
1944	Laopdgcg.exe
3224	Lpappc32.exe
1720	Ldmlpbbj.exe
1716	Lcpllo32.exe
4200	Lkgdml32.exe
2576	Lijdhiaa.exe
448	Lnepih32.exe
2420	Lpcmec32.exe
1172	Ldohebqh.exe
100	Lkiqbl32.exe
3764	Lilanioo.exe
4984	Lpfijcfl.exe
2988	Lklnhlfb.exe
2876	Ljnnch32.exe
3228	Lddbqa32.exe
4744	Lcgblncm.exe
3916	Mahbje32.exe
2256	Mgekbljc.exe
2460	Mjcgohig.exe
2260	Majopeii.exe
1820	Mkbchk32.exe
3280	Mamleegg.exe
4480	Mkepnjng.exe
3296	Maohkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4684	4380	WerFault.exe	165

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 1336	4864	ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe	88
PID 4864 wrote to memory of 1336	4864	ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe	88
PID 4864 wrote to memory of 1336	4864	ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe	88
PID 1336 wrote to memory of 2164	1336	Jbhmdbnp.exe	89
PID 1336 wrote to memory of 2164	1336	Jbhmdbnp.exe	89
PID 1336 wrote to memory of 2164	1336	Jbhmdbnp.exe	89
PID 2164 wrote to memory of 2092	2164	Jibeql32.exe	90
PID 2164 wrote to memory of 2092	2164	Jibeql32.exe	90
PID 2164 wrote to memory of 2092	2164	Jibeql32.exe	90
PID 2092 wrote to memory of 5116	2092	Jplmmfmi.exe	91
PID 2092 wrote to memory of 5116	2092	Jplmmfmi.exe	91
PID 2092 wrote to memory of 5116	2092	Jplmmfmi.exe	91
PID 5116 wrote to memory of 380	5116	Jidbflcj.exe	92
PID 5116 wrote to memory of 380	5116	Jidbflcj.exe	92
PID 5116 wrote to memory of 380	5116	Jidbflcj.exe	92
PID 380 wrote to memory of 4424	380	Jdjfcecp.exe	93
PID 380 wrote to memory of 4424	380	Jdjfcecp.exe	93
PID 380 wrote to memory of 4424	380	Jdjfcecp.exe	93
PID 4424 wrote to memory of 3144	4424	Jkdnpo32.exe	94
PID 4424 wrote to memory of 3144	4424	Jkdnpo32.exe	94
PID 4424 wrote to memory of 3144	4424	Jkdnpo32.exe	94
PID 3144 wrote to memory of 4808	3144	Jpaghf32.exe	95
PID 3144 wrote to memory of 4808	3144	Jpaghf32.exe	95
PID 3144 wrote to memory of 4808	3144	Jpaghf32.exe	95
PID 4808 wrote to memory of 2696	4808	Jbocea32.exe	96
PID 4808 wrote to memory of 2696	4808	Jbocea32.exe	96
PID 4808 wrote to memory of 2696	4808	Jbocea32.exe	96
PID 2696 wrote to memory of 2484	2696	Jkfkfohj.exe	97
PID 2696 wrote to memory of 2484	2696	Jkfkfohj.exe	97
PID 2696 wrote to memory of 2484	2696	Jkfkfohj.exe	97
PID 2484 wrote to memory of 2664	2484	Kmegbjgn.exe	98
PID 2484 wrote to memory of 2664	2484	Kmegbjgn.exe	98
PID 2484 wrote to memory of 2664	2484	Kmegbjgn.exe	98
PID 2664 wrote to memory of 4484	2664	Kpccnefa.exe	99
PID 2664 wrote to memory of 4484	2664	Kpccnefa.exe	99
PID 2664 wrote to memory of 4484	2664	Kpccnefa.exe	99
PID 4484 wrote to memory of 4104	4484	Kbapjafe.exe	100
PID 4484 wrote to memory of 4104	4484	Kbapjafe.exe	100
PID 4484 wrote to memory of 4104	4484	Kbapjafe.exe	100
PID 4104 wrote to memory of 1908	4104	Kgmlkp32.exe	101
PID 4104 wrote to memory of 1908	4104	Kgmlkp32.exe	101
PID 4104 wrote to memory of 1908	4104	Kgmlkp32.exe	101
PID 1908 wrote to memory of 1880	1908	Kmgdgjek.exe	102
PID 1908 wrote to memory of 1880	1908	Kmgdgjek.exe	102
PID 1908 wrote to memory of 1880	1908	Kmgdgjek.exe	102
PID 1880 wrote to memory of 4140	1880	Kpepcedo.exe	103
PID 1880 wrote to memory of 4140	1880	Kpepcedo.exe	103
PID 1880 wrote to memory of 4140	1880	Kpepcedo.exe	103
PID 4140 wrote to memory of 3532	4140	Kgphpo32.exe	104
PID 4140 wrote to memory of 3532	4140	Kgphpo32.exe	104
PID 4140 wrote to memory of 3532	4140	Kgphpo32.exe	104
PID 3532 wrote to memory of 932	3532	Kinemkko.exe	105
PID 3532 wrote to memory of 932	3532	Kinemkko.exe	105
PID 3532 wrote to memory of 932	3532	Kinemkko.exe	105
PID 932 wrote to memory of 3172	932	Kmjqmi32.exe	106
PID 932 wrote to memory of 3172	932	Kmjqmi32.exe	106
PID 932 wrote to memory of 3172	932	Kmjqmi32.exe	106
PID 3172 wrote to memory of 2288	3172	Kphmie32.exe	107
PID 3172 wrote to memory of 2288	3172	Kphmie32.exe	107
PID 3172 wrote to memory of 2288	3172	Kphmie32.exe	107
PID 2288 wrote to memory of 4688	2288	Kbfiep32.exe	108
PID 2288 wrote to memory of 4688	2288	Kbfiep32.exe	108
PID 2288 wrote to memory of 4688	2288	Kbfiep32.exe	108
PID 4688 wrote to memory of 2868	4688	Kknafn32.exe	109

C:\Users\Admin\AppData\Local\Temp\ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe
"C:\Users\Admin\AppData\Local\Temp\ae51854c385218f383d926976000008cc9ddd3a0a56e2f6e6b53ecf0a30b4d68.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\Jbhmdbnp.exe
  C:\Windows\system32\Jbhmdbnp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\Jibeql32.exe
    C:\Windows\system32\Jibeql32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\Jplmmfmi.exe
      C:\Windows\system32\Jplmmfmi.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        26⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:32
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        39⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:100
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        66⤵
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        68⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        71⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 412
        79⤵
        Program crash
        
        PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4380 -ip 4380
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehifigof.dll

Filesize
7KB

MD5
64e4d498e92da0729cf8126f3d7ad537

SHA1
8d37acfd4dc511a5923d016f417f7972ed18a2f6

SHA256
5a9932f8e510fb8d378f3dd619c15cdbaab71093a63e686446a5d643481a0892

SHA512
1b264cdab15e73aa9ed058bdafaf37366f3a6c9ded7695dd33cfb63de3b12100d5a13b4fe07a963cdb771ab544faa44f7fa38c387b05435a48a840f78026688d

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
352KB

MD5
abe32fa7a44d9042bd8c1dde3be0296e

SHA1
ae1ae70f71cb58767c75737d5c87a6036830801b

SHA256
fb6188cede2541efa61442e822f560bead7cb9d19f9a09e141debc989efebb23

SHA512
d0e728d19102bdcfb17fc454410f5f48e18860d19d4f94d037f813a063a2257da9240a34ede96d283d5abb240c06538a9999cb8d269f331aa096ac6c8aa34592

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
352KB

MD5
f1a7750c8b79a892019eb9d7d7202e2f

SHA1
dfd059490e9a8cf74bef7691e1df86992968241b

SHA256
27153921404156f1d81dfff5e6a5b8335de1eb0fc7f2ad3f0a03744ab445001b

SHA512
496b83b479b40733b88fe870265708fd2553f9042887440c55075024d3c1daf74ec100fdcd42e0dcb0afd8348a0b6821f2c8bc0e68e0d9c692c0dc387c4ba2d3

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
352KB

MD5
f9bd350cb686fe9c7aa053f3dc06b93b

SHA1
88095523ad02681d77da70457914756a5cdf8694

SHA256
6b20dfa50552e5ea00137046da6141ffa6ecf745298b3f7cad8a423925ebeaa8

SHA512
dc43d2aab393a12e611120d4bb5e9496c32e650e2526cfbd5fe2d6a1102e74250f2f0844ce5769e25c6e4b097f67b7c187d5ba60fd719833ae44ed50f17662ed

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
352KB

MD5
69cdfa4fcefdd4fa6d177c7a68b40bc2

SHA1
f84f51459cf7cb82b6753bcc9e08d31f5e6f47c1

SHA256
fb92230d56c7d450139c5eac4b4b6cb82b6f1585e36acf70b1e03455ca60785b

SHA512
e4284d2ab54397528583c3a42c7ef14d0c4afdc2a69fa8d62f1574d8ba9514527353b81d5163e295d959b45cce9a50ce203d1820737362e3adb688b40e0d77a1

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
352KB

MD5
398935f554d0bb022fd5a07ca25d9283

SHA1
b9f2d6b76129d4101e07174ad1df3e8617d0b8b3

SHA256
c846e32a0f0d3dd8d2a2eea76f668c386fcfd7e50d1062d70b669d614434053e

SHA512
1a12f319de5e4f91efd09faf8ed6d0004a74cc97e6dca2a7cd10c47c7f2d02cfd37d1d1deab35ecd7ff533f07148feee5454e283296e8fc0ab55957cef92646e

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
352KB

MD5
8b1a010b15dffe20817ec5a8131c9b7e

SHA1
3c311e74ce2cdbc0dcc082af66d6b2dc640b4508

SHA256
c9804cb1f1f7ada59b700f740afc13b8691c29b97fd88cde88c8d1e9889addc0

SHA512
48326a8eaa3c50e9741d7a83839f99f157b7233fb8b46ce5a323e84dbc4a319b3103db4500c596246071b2d4225cb0f7abf0873732701cf9055c3ad2214c9499

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
352KB

MD5
aa70fa1578d08eb2d6efeefa7ef27d82

SHA1
41aec2ef1cbe27f424164d3f29a9ac2282136181

SHA256
5e06fb381fb504b38129aa3c21b05d741f4d9f0f45ac1eb7c17a8fb141ea58ed

SHA512
86df76cefd71dba1d2d878176eafea9fb98d1f42f0277135dd13f293e6f09052e178de0d05f1b7e7b71e5a5f2fe63927e052a6a374deaf8b0bc3325056edf401

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
352KB

MD5
a3bc4f574dab2832c1b5c9e8d8a6606b

SHA1
2ce29f1bd8180dfd863c283a5411d66fbec027c0

SHA256
12c93cdd7e93757629cd31bad9b02460b014ad5d7804577c1a73af0debd27a1c

SHA512
a568663a3e80f7b36d657118ab4a3320fddccf1c4e78c1e0e63b05eae0e981c8747166466f477fab381ce9ade6e2065c15a59fb963dc5f1f6eb66cde28cc2146

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
352KB

MD5
9b2431f6f1bd81bcef7f92c4dcd0f836

SHA1
53e4778af1a55c47e830dfcbb6db91732d92c4d7

SHA256
a0a91699ee4fde3de53773c04be7871a3133983944750efb11c94f4baa22093e

SHA512
77ee2d630ed917fed68c712bfc90e3d5bba913076952aed1dd3efe68868f188f2910fc9fa681dd2a95d1bee5ea2e820cc48331a1df3b04a4bf9760c35a18576a

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
352KB

MD5
5d7fd81f01a0c967f972f93a575cbeca

SHA1
52bc1d8f51eaf9fd66c2799d9d1da9b45f95303f

SHA256
d754e52b479a0ca607b29f01fd2288d4629e08f0d1a8ad0ef9140199a08985a8

SHA512
20c48e394f6dfcd0c8876472373161b6f9956b502e73b562a941ff3316b40880af0e6fc8752527444e0b6c1b9da479966c976907f25bf98d46a65e0bd8d4a5b8

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
352KB

MD5
427b2759b7e11f0dbbb39f0eee5d3327

SHA1
c00214a443aac25dcea8343dba6fc6cd669e3adf

SHA256
1c3513aba5a71219f7442e5aa892cb912ef8c8bd82d122df0f25c700fb7fa105

SHA512
326cc74d4be5a4817f05f6664ea86e34848165642be46d3b3df3d67a48758b815fc700ada4a074ada7a117c596a8803dcd8e6775292b13843618d3b031ae09da

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
352KB

MD5
4638a384513627421d92ce66ad1a0e15

SHA1
8f5fae355eac20bd2c011eb8466143e33ee82058

SHA256
031508fdd13217f8e6152bef11bc920c4005f1db1b33153a67980c6ebaea16f8

SHA512
5f956fe242df0be5a3960905a06928c7cf459f4a4dc80492507ac7bb277a25ed7142dd67742922dfbbae69cc7a2ce388085f93c9f1aec2258af243e2ddb68b14

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
352KB

MD5
3d9e3ee078d52e117f5b6178f22e5984

SHA1
8fa105427e3f3701bbbc2f8d6289205fd04f9617

SHA256
729dcba5c1d86df99c33d839bcc3ea154a4682efb17cb07bcc3c68444ff0b5c4

SHA512
8d04f12b1d335b9ccf6ea25148f558c22fa612954e25e4c6d6f5e37d42af99294c30682b495749b576816b3cd362d0e7dce0092dfcbe054b7244f071e518e63f

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
14KB

MD5
f2ea0819376f097bd8e54faacba991b6

SHA1
0a2a67d648e36b9164a520123793b08754f31bb8

SHA256
6b1310f8b914776820eeb6580490b0dd163443e1f04fbb1b00ef7765a9608c23

SHA512
7b9495b7b50b0733391d3ce9adff655d0f3ea665af95455876151d1848555f8d52a4626d8e56e885a2a21704f6e39780788f0d4a0eec1f81807893de9ad5ff18

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
352KB

MD5
e01be3d0329b9dcf2a54c24ebb4a4a63

SHA1
fa2074593564058124893c9a3f29530004e29d01

SHA256
37cd4694c76df8d4e63d9d5868c450d126f8dd6f424a6587a91107ebd28c4b0c

SHA512
76b2b723de31e5049884ad95db8a40d29bf4b5541648bcd8701211597acf7dc2303ddf1646b0ed8cb7c0383ab7d0e838aeb7ce3e0434e51ec493c917ef7794d7

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
352KB

MD5
662b7cbe2f0ad80ca392f0d0fbc0b73b

SHA1
7540e402583d92c174937ab96900cba7f14bd390

SHA256
f6e6e6599cd395f7023260e8386d2e1ef3b35ac15485fcb0bc7b103f9f52ed07

SHA512
707998b4a6ebdba668160f15dc7eeaa903e91668adf50b4a45ca119fb45f854a537fd88946d28264f84dbdff9088820b5712c1915533c8d7093bc0db664de8cf

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
352KB

MD5
8dca4ee28327515206abdd68f42d9c2d

SHA1
e3144843e2b15fbea4965e62d62ae14fc60ce865

SHA256
8eb6ba1f72c72d59567ce3680062115ebf5ee2c1715496013b0d5f6de77927af

SHA512
81e7cad84ce51f7a9d921ad0f327d330a2b9c0cc47f87516137168819e7e561aaac7b2ac67b5d22de2a0c3124c8fc11438e43b69229eb742af3ca1c69a4244dc

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
352KB

MD5
e085d83034bdb0910a3c885d8d2bb4a6

SHA1
a2f1cc847dfb8564fc7db91af88d691ee79a8e48

SHA256
31fdedbce6e0e63dd15f613cb46be63a7f5b6653f3e87b723d0fe1d963e77110

SHA512
8e01678bbb54b4a08663f7e14bc3504c1b37e708f3408df7c4e046c9be8a24d513125522c6cf62f4ffdb6131bbeff892b3e65058e8b5812ea52a1eb30270603f

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
352KB

MD5
d9a635afb0b169c6a8f3185518a058f4

SHA1
850fb984cd8fecb1c7f840f31e7937acc520bc91

SHA256
2a396aa8451ce60281ad3cbfaee747a16fe22b1b9962e7f52671a23639eb9fd3

SHA512
530bb7ea972d4db1084a6fe6841ea8be92ca843756ddbcf9787f482913b515dd9db5be8d91c7eba672c89c4777670f969482b396e8fd65c9fecfaac391e6a219

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
352KB

MD5
d02faee9e6d39a1d7e7a3ef386c36f2f

SHA1
51d3c9ae958297fa26e6926c8737026c5a27284e

SHA256
b9d14072c3729f1a9ac40a589c21820e23f4156cf028906fcf6056c865a63f20

SHA512
3f05f44768af1579c0d765b95ea808610571ef489b4377788eb94e95584a2286d5d922f506244f6a2a1d7aae191dd86b0fcd307059264a732ed708ba98d02783

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
256KB

MD5
5e0d493b9bc5bf530ced7210c10ed09f

SHA1
13f8ebf0a868d4cd68dbb3bd241344cdcf642e56

SHA256
bb73bf4d8a374acc2af960bd0b81cf59b605304755c6638a5e01d9b3574b96b8

SHA512
d4c57fe89512d4d6752f43fae8d0a2a78155e76e62048e8f882793844fc1c7273bfef1324a3000e2ca62153a5b05239c0df4393f8977150b6ed9d02752b4c5d0

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
352KB

MD5
6b119cdfab72c46e999fcfbb5bd7f020

SHA1
21555c068cc99f3c9432e9f625ce979d5e1bf19a

SHA256
20678309e6c4438694348e7362d34e0aa12c08187478032636ccd9147d8ea737

SHA512
aa852482d7273c8c55e2f83c3bef50c85c4cc44bc14fb81c43568679e37dbf012c0af5f627208cf3ddcdb2cefaf85fa1b03e61a44cc46e3a7afd3e187b521cdd

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
352KB

MD5
d6a6daa5d8f439fd0b745d85ad7fbd41

SHA1
87f65eb4301e1b59ad3fc13b90fad4868a026765

SHA256
23ec901d3b9f5a17d24cd52eb086c78f69eb935cf26d097841012658026afb0c

SHA512
916a1cb9dcbbf7d9f26935d985e0d1e7bad17fb12f825f247ea4719d6a86b9e35ca62f4957129c68c0a468a39a623b31654117c25fcc0da08a215afd185938d6

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
192KB

MD5
87b03f256ac6a6aaadbc3e3c0fbb5b29

SHA1
9dea5ed73e16edd9b131284a35fb7987417d8d62

SHA256
c94ffc6a26cdab408b611ed2b2b895dcb66ec4aecaa5abd38f6e8e05a6cfff30

SHA512
8844a93f44cc1154cb177be6cfc3eb67e276e70b1da36decad1b036dfa2c6e28c0bb04868aa4b06e05882671b3c26b428b21793241c612e179c53136df60a117

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
352KB

MD5
6ac3be89b5ceab8927ce7537a7ace5af

SHA1
616769495a11d1b959c7cac17cfd6bb7faf1a0a9

SHA256
df65cb90d27d6874d8cd0bb9e5abb893d35367796c89f09ab0699c6f6de28440

SHA512
270314b7e9922040694c2edcf53d8fdbd72aa65dbc0815be51bdf54b571735dd57b186628f444e6d5bd3d314ebc748b7054fa4318f413ab446d5f68a19d36eec

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
352KB

MD5
76d800cfa31cc007d6816d026961442e

SHA1
a92216de4c334aeec26b7cfb98bbce488520da61

SHA256
eb0e2bc5863d1cefa96940c5566afc79cdb2bdb51cc0f6fc47a6bd7ce9bb80d0

SHA512
433b0798d278f0ae5afd0b207d45321f8c88df85da794e32dc83e4c5fb55ae18474b0a230b7cafa601f2bf40e1cbf72c4879872394aad4f554d05f27d1c93431

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
352KB

MD5
2ee6b157d79b301bde772511bfbb1700

SHA1
23b5420a5100827c74dfa90b12dcea6e7d3250f6

SHA256
07c0df40052add869a1725a8ccb3280471d199aa6aa140ee1832e25da896670d

SHA512
4dd404767128c144e232a368cb8b7dbc51a3e9c454e6f5026437b64af8d3c22857f62e92638e3dfc0008be554faad4e05716170a7b7b980e33bbf2f5abfc74c9

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
352KB

MD5
0ffa8834b84a7e7b8854b749df096455

SHA1
e7f6380806551d18eee1b2d3ddfbd6bc4116e904

SHA256
89052110744fa13b27b1365730875b1c61d62a356def5eddd977fabc83e4209e

SHA512
b734337744f078ca168d6867fbd59cc904066e1316280e14d9d32f01de14b66ada72e6ba1441238e8ffd75ee5d54fe7a429bf1b8591eff8b45d34b58cfa87b51

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
352KB

MD5
f7004661669ef0090fc5d3d56439f577

SHA1
85931e30c866944e473b882b897f34bcd532103f

SHA256
d2b305e46b84977f27c9a3907cee5b6e1cd7c2a109d72bf9b2bfcbc97ad2e307

SHA512
edaf3acea6768f3d4275ceb48816a1efd9bb6c065959660645a26ff1ec4339344e59ba9064a11511d31e2baf5a119017e24ea8ae853f1cd6b566787bd78fbbb0

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
64KB

MD5
a760eba4b1ebae32e158d2df6644aea4

SHA1
b7a4b5f07b1a0df76c1e9235771c4d55c6092b2b

SHA256
0a2f987983ba09ec098ba5ed48d0bcf2c0bae3b71e8acf9e91309af9ad0ad31b

SHA512
20b7b68f85d4777db835c064f8df4f35de75712e552838c6f1d0e9ada3002b369e30194bf6799628ce4bbd324e80dfcbe9a3892dc254424fc431244cb43ba3b6

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
352KB

MD5
7f243fbcdd7565a51cbf77dbb3671db7

SHA1
14c7590dd84374cae9dfbfd72900362ce8e9af33

SHA256
b380e80f4ff4e619f4f6e0c087f13658cd60723e1d8b8047f4d0718b9e95e849

SHA512
4144ca914fbf04c32cbc0587a35bac998bb04d1813eb1e2679eb8d7b5191fb6b7fac4e90a2d9787a23e11f338a93931b8c24e7922cb166329139e4787fd43579

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
352KB

MD5
f8a7be376ade301582ced9428b1c3fd9

SHA1
b9c1f706ac8097049cb23d9d5896379697711443

SHA256
f4aebc9883ab05368aa6e87225e3a90cb625fae83483c6816ee036994ace5e8b

SHA512
6dfc9a51dcd67743af0d3766eb32ee484dfddf50a3bbfecff66284690a5fbfe2c12855eb6e595e7bbfde214e2949138725e90a269517b376b59eac23a1ec2b4a

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
352KB

MD5
bb4f9c8b6173827974634f22fd2bea86

SHA1
430fb5315ec7abfd652f8f36b002cda09721f836

SHA256
8a1078ae4df8773b94d9705876cbd02f9baaeec24ecdc0b13e8bcb69480cdb39

SHA512
82f09e1aa68c0931165e0a6d007ef6feed107b7cdce6ade09280725aba9bcefeb9b793d1e5fa108516303701a948bca62f596f2fbc1b03ec3b6c3a67fda34b04

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
352KB

MD5
9ffa1fa11de6479d0d3c33e3e1939e63

SHA1
41162d649142de4fd7406f7790cb6648951ec772

SHA256
0df17c5ae82ea22eb5748cf5c76eeb3130ffb6377c918db076d0515de8da7bce

SHA512
94428c949b79bbc8bb9e2fc4aa736993287e71fe8cebcda376167cf0e9c0a750a0dc340949eb741a7f1531d2598bfae9eb7ccabf9730f28a49cc99d982de44b1

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
42KB

MD5
c9c2971fafa1993856522da1c5269cd0

SHA1
20fc879b4926855f710f3ee8dc08212c3ee75984

SHA256
76bb17e2f57e9ad8da1192286e6f96a75e12926fda36f08ec4a954d121b240ae

SHA512
869a6efe586f1b50acfaf673231e5021607bbc739e5b210e87c12a10f277dfed79219c65d44c00339c5ccd909a5bf6f6239f6bfdd591183df4789473a9d32e3b

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
352KB

MD5
cf870e3064308b3419995af57c06048b

SHA1
d0e698f759e0c9bca6106a8c644ccb48b16f7050

SHA256
091208c6b0499b1ba885adb9af91e833c9e08250520f2ff1703d6780d70060e5

SHA512
0c5875e1128ddece9902137171086847c2615d0e3cf749ec73b3c946a2ce0f14a293209d2d2fa5991174bf561e69bbf0f247cb911d2b0734a823e719b111ac54

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
352KB

MD5
f54798df52e934778e3b051eafd854d9

SHA1
d0f1b5c51b0ac9d0f02992fca8df65ff094cf8ba

SHA256
496a3b0fd0364f00d0ed913e28f6c71f34b2e0123499d5c1de3c2fd605f0855d

SHA512
e77a5708d6a5665cb2bff5c73d5cd4ae0ad99293e828043467a661a259a2f5c87f7c4b40623dc0878375dc27715bb09dd121a8e8618e5f0317b431b136f95bd2

Download Submit
memory/32-355-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/100-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/380-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/448-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/884-361-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/932-321-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1172-428-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1288-386-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1336-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1448-368-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1584-347-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1716-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1720-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1724-362-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1820-465-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-421-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1908-313-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-399-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2092-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2164-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2256-457-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2260-464-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2288-332-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2420-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2428-392-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2460-462-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2484-94-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2576-414-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2608-373-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2664-115-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2696-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2868-340-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2876-448-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2936-384-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2988-447-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3024-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3048-375-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3144-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3172-327-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3204-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3224-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3228-449-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3280-471-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3532-319-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3564-349-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3572-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3764-440-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3800-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3916-456-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4104-114-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4140-314-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4200-413-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4324-348-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4424-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-472-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4484-102-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4688-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4712-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4744-455-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4808-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4864-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4984-446-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5116-31-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads