3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa

Analysis

max time kernel
94s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe
Size

57KB
MD5

a1fa94fca4def0541477cb80603d8aef
SHA1

50b34b8ba5d929d142b628b50e8087e6def53a46
SHA256

3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa
SHA512

66a5c13dc35afcf381e06cd8661d06c1c6beb2bd3d9195a75e8b66f7f5c5c4f59d64e5f9f0585a3b976606813d030130ce85310b30d9a4e12ee549a5c896c4bc
SSDEEP

768:l+qUtW3hQwHpAPczstzTGx11GGu6CSvRS6GF06p/1H5lWXdnhg:VUt6Q2wcQBTK1S6jvR2L/U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe

Executes dropped EXE 64 IoCs

pid	Process
2024	Jaljgidl.exe
3272	Jbmfoa32.exe
4060	Jfhbppbc.exe
3580	Jigollag.exe
4736	Jangmibi.exe
1292	Jbocea32.exe
60	Jkfkfohj.exe
1532	Kmegbjgn.exe
4596	Kbapjafe.exe
3428	Kilhgk32.exe
4892	Kpepcedo.exe
4308	Kbdmpqcb.exe
1420	Kgphpo32.exe
2120	Kinemkko.exe
3052	Kknafn32.exe
3568	Kdffocib.exe
5024	Kgdbkohf.exe
2668	Kmnjhioc.exe
3712	Kpmfddnf.exe
4000	Kgfoan32.exe
4752	Lmqgnhmp.exe
4196	Lpocjdld.exe
4604	Lgikfn32.exe
1296	Liggbi32.exe
3332	Lpappc32.exe
2728	Lcpllo32.exe
4228	Lkgdml32.exe
2084	Laalifad.exe
1216	Ldohebqh.exe
2096	Lkiqbl32.exe
4960	Lnhmng32.exe
4888	Laciofpa.exe
4636	Lcdegnep.exe
776	Lklnhlfb.exe
3660	Lnjjdgee.exe
4428	Lddbqa32.exe
2704	Lknjmkdo.exe
4844	Mnlfigcc.exe
3544	Mpkbebbf.exe
4992	Mciobn32.exe
4724	Mkpgck32.exe
3176	Mnocof32.exe
2520	Mpmokb32.exe
972	Mgghhlhq.exe
3700	Mkbchk32.exe
2080	Mnapdf32.exe
3276	Mcnhmm32.exe
4884	Mkepnjng.exe
4212	Maohkd32.exe
4592	Mglack32.exe
4740	Mjjmog32.exe
4336	Maaepd32.exe
4156	Mdpalp32.exe
3420	Mgnnhk32.exe
2564	Njljefql.exe
892	Nacbfdao.exe
2744	Nceonl32.exe
4404	Nklfoi32.exe
3180	Nqiogp32.exe
4132	Ngcgcjnc.exe
2264	Nbhkac32.exe
2532	Ndghmo32.exe
3252	Ngedij32.exe
512	Njcpee32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	3956	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2024	4236	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe	85
PID 4236 wrote to memory of 2024	4236	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe	85
PID 4236 wrote to memory of 2024	4236	3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe	85
PID 2024 wrote to memory of 3272	2024	Jaljgidl.exe	86
PID 2024 wrote to memory of 3272	2024	Jaljgidl.exe	86
PID 2024 wrote to memory of 3272	2024	Jaljgidl.exe	86
PID 3272 wrote to memory of 4060	3272	Jbmfoa32.exe	87
PID 3272 wrote to memory of 4060	3272	Jbmfoa32.exe	87
PID 3272 wrote to memory of 4060	3272	Jbmfoa32.exe	87
PID 4060 wrote to memory of 3580	4060	Jfhbppbc.exe	88
PID 4060 wrote to memory of 3580	4060	Jfhbppbc.exe	88
PID 4060 wrote to memory of 3580	4060	Jfhbppbc.exe	88
PID 3580 wrote to memory of 4736	3580	Jigollag.exe	89
PID 3580 wrote to memory of 4736	3580	Jigollag.exe	89
PID 3580 wrote to memory of 4736	3580	Jigollag.exe	89
PID 4736 wrote to memory of 1292	4736	Jangmibi.exe	90
PID 4736 wrote to memory of 1292	4736	Jangmibi.exe	90
PID 4736 wrote to memory of 1292	4736	Jangmibi.exe	90
PID 1292 wrote to memory of 60	1292	Jbocea32.exe	91
PID 1292 wrote to memory of 60	1292	Jbocea32.exe	91
PID 1292 wrote to memory of 60	1292	Jbocea32.exe	91
PID 60 wrote to memory of 1532	60	Jkfkfohj.exe	92
PID 60 wrote to memory of 1532	60	Jkfkfohj.exe	92
PID 60 wrote to memory of 1532	60	Jkfkfohj.exe	92
PID 1532 wrote to memory of 4596	1532	Kmegbjgn.exe	93
PID 1532 wrote to memory of 4596	1532	Kmegbjgn.exe	93
PID 1532 wrote to memory of 4596	1532	Kmegbjgn.exe	93
PID 4596 wrote to memory of 3428	4596	Kbapjafe.exe	94
PID 4596 wrote to memory of 3428	4596	Kbapjafe.exe	94
PID 4596 wrote to memory of 3428	4596	Kbapjafe.exe	94
PID 3428 wrote to memory of 4892	3428	Kilhgk32.exe	95
PID 3428 wrote to memory of 4892	3428	Kilhgk32.exe	95
PID 3428 wrote to memory of 4892	3428	Kilhgk32.exe	95
PID 4892 wrote to memory of 4308	4892	Kpepcedo.exe	96
PID 4892 wrote to memory of 4308	4892	Kpepcedo.exe	96
PID 4892 wrote to memory of 4308	4892	Kpepcedo.exe	96
PID 4308 wrote to memory of 1420	4308	Kbdmpqcb.exe	97
PID 4308 wrote to memory of 1420	4308	Kbdmpqcb.exe	97
PID 4308 wrote to memory of 1420	4308	Kbdmpqcb.exe	97
PID 1420 wrote to memory of 2120	1420	Kgphpo32.exe	98
PID 1420 wrote to memory of 2120	1420	Kgphpo32.exe	98
PID 1420 wrote to memory of 2120	1420	Kgphpo32.exe	98
PID 2120 wrote to memory of 3052	2120	Kinemkko.exe	99
PID 2120 wrote to memory of 3052	2120	Kinemkko.exe	99
PID 2120 wrote to memory of 3052	2120	Kinemkko.exe	99
PID 3052 wrote to memory of 3568	3052	Kknafn32.exe	100
PID 3052 wrote to memory of 3568	3052	Kknafn32.exe	100
PID 3052 wrote to memory of 3568	3052	Kknafn32.exe	100
PID 3568 wrote to memory of 5024	3568	Kdffocib.exe	101
PID 3568 wrote to memory of 5024	3568	Kdffocib.exe	101
PID 3568 wrote to memory of 5024	3568	Kdffocib.exe	101
PID 5024 wrote to memory of 2668	5024	Kgdbkohf.exe	102
PID 5024 wrote to memory of 2668	5024	Kgdbkohf.exe	102
PID 5024 wrote to memory of 2668	5024	Kgdbkohf.exe	102
PID 2668 wrote to memory of 3712	2668	Kmnjhioc.exe	103
PID 2668 wrote to memory of 3712	2668	Kmnjhioc.exe	103
PID 2668 wrote to memory of 3712	2668	Kmnjhioc.exe	103
PID 3712 wrote to memory of 4000	3712	Kpmfddnf.exe	104
PID 3712 wrote to memory of 4000	3712	Kpmfddnf.exe	104
PID 3712 wrote to memory of 4000	3712	Kpmfddnf.exe	104
PID 4000 wrote to memory of 4752	4000	Kgfoan32.exe	105
PID 4000 wrote to memory of 4752	4000	Kgfoan32.exe	105
PID 4000 wrote to memory of 4752	4000	Kgfoan32.exe	105
PID 4752 wrote to memory of 4196	4752	Lmqgnhmp.exe	106

C:\Users\Admin\AppData\Local\Temp\3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe
"C:\Users\Admin\AppData\Local\Temp\3c3359ee9986e9114c5c1259ac7e5e1acd041d396f53bf792878c795481ec8fa.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\Jaljgidl.exe
  C:\Windows\system32\Jaljgidl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\Jbmfoa32.exe
    C:\Windows\system32\Jbmfoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\Jfhbppbc.exe
      C:\Windows\system32\Jfhbppbc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        40⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        53⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        61⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        69⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 412
        70⤵
        Program crash
        
        PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
57KB

MD5
aaef39b9d8f02f2499e169e816cc56de

SHA1
6a82fce8427bdeda4d7a59700637438c189c0bc2

SHA256
683ebf50b9fac85314b357159ec22abf2bd8a7fde73f258785ad1b6319240ce2

SHA512
f6bf58fcdf3e081b37cfabfab858bbf7e5da1b86bd1523ebe9a54512a2cec0af8acd50c08aeb001bd1627c27235830a779989c53f495cbbd477c5137ad9176f5

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
57KB

MD5
45c9bd644946b0df0a5119b23250f62d

SHA1
80df0cd2db21f335d2c3d5339e040ba13483d80a

SHA256
1dd3e159fcec374df6a7f54d17eb65aa4acdbf5c94b7f52a2761012279012696

SHA512
6aa01f58a8f331dbbe5983c4cee541da890cd334d47b45671553def14f895ff8bde08236c78ff4471938520899308bf1b3b79227f07b75bfe4b258ed57438dc4

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
57KB

MD5
f07d1abec473f87b7526e645a4aef865

SHA1
290f75ac4e5f271a884d434233e61b1cc65f5866

SHA256
24b11acea527f92e951872a3150576f4d907c250f2edfc0813a01b126163e614

SHA512
1e1b61683a7a260ee63afce684d309d51fba6896823b815a8a8e838193ee9ca23df912c57d3c1175ccf427102fbf78f0740840d24849bc0df6457caaf54d9f3d

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
57KB

MD5
75ac5c76dfb676eef39b5768bc8804d4

SHA1
f5403348ea007268465eea9924198d5232429f12

SHA256
9d4f239ef650e05e1a7a3cddcbc1151682ce91997740ef0fc5ac6052c3118ace

SHA512
03eaa59d8f21665c444154e8a93dda58a2e931e618142c392fbf4f324dc2209a02d0952d2cea7bf4c6185fd0689a51c7e379cc5e0c0848d3da5641ed93bd159e

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
57KB

MD5
58aa7cb3d48f46bb77bcbec3b8962926

SHA1
d889d03f84f2b280c2f8b64637f02fa61d895a45

SHA256
ddb67c63e098a1bd2d550eb54f7c1dc41eda0d51a9bba05275c3c3ecbc9d4b21

SHA512
df35464be3e084c63a054082521b7477f3333f6597e71c1b83388f7781a7a12141fc5201095368a7578690208f789fa3ab3732bd5ee0dbbabb1b7a7f6c4dc571

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
57KB

MD5
d508d00ddcb734b065ccd35cf95fd465

SHA1
e156b50a4c74c610c2a9c119d35542cefc5ac842

SHA256
5ed4bebc253c011d1cc0de86367327341f233b813367f12f597535ff23fc1537

SHA512
954126f380cd872082e4b2df778889f55325b58152e5809cd6d2b56b9e4256d69ed2cab4df11b27b817e8612af6d472b211d1fe87848172f7dafdc462fa453b0

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
57KB

MD5
27a1fb60566aab0470316c5a5c17cb5d

SHA1
ed5f4ea74072920e02a3f697669fcede62c5ee41

SHA256
991af6ad0ad567788bb173d3ae61d869e9f475da5e0b8ea59a36e8b77811365d

SHA512
7dc0324fffdef5ae1642d2a37c5d1d1b255777f51bb0f5cf3a390f7bed28c23dd5ada9ab81e7377c508f0cc0d3a11933e49c8fb4ed4aee4a83c41b8d8c4e0972

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
57KB

MD5
fa4ed5e2161e6b2f43193e413916c0bb

SHA1
5e25c1d58d433e3eab158fed4ed38913c42aa64d

SHA256
218f7a2044fad66348b2bab5cfdc9a05d4c93c259ef97d16911ef83c47ca8993

SHA512
9e7c7ce05aec135d3fd7ee34faff6ea307deeb338c7361e2d2ebd225131505f314ae99ddbc07e6b62e02bbb5ae9bf8e4bf9566daf83c57b8117665d6fb297bea

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
57KB

MD5
0d629f124cdde4e145e4563761189039

SHA1
a9101aa92566dabab11518ba5bc8a0c5dc4507c1

SHA256
dde215e8543a0988cb8059081540100e42bab0beaa2be3e7b09a8ddc8c000905

SHA512
1862008aaf85b13b1602d11f79dce1db34aed057420ad9cc94603daa50969bff71ed307bc0359e93e277c42defbaab56b4cfd404f194581ae115fc2782acdbeb

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
57KB

MD5
4c15ca6d50659f90deadf26e5aab0791

SHA1
119ffd681691c209da60dd9abf84cb2f04b44ad9

SHA256
9b788bc3a3e93d6e8729f60181843f1121c61458514cdd8b3e02ff2c0dc57201

SHA512
1047a14bd91aecf1e325aeaad056195ec2527a861fc97578540c591d3941d59b4bb93afe10060c5822ab1e0e8333cfab1d0f3a64492dc79fe5da9eab625b1511

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
57KB

MD5
605fe986923f99ab4891731c38a9db94

SHA1
f12c4838960cfa02c3a2d16b6716b29e4e233a17

SHA256
9adcdacea668f0742972b3b7a7fdc99bc6b4234804c29ad4695ec746d0a67c87

SHA512
fea5b3bde5dca6fc16b8daedd9b9c418746bcf966975bdb3f9039e035656c10a79400814988e4fb16dab6ef0aabbe17bf625e4eb2d6002c0516044ae40a42ca5

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
57KB

MD5
96dd7741a00cbd83dcb97c1aea45095e

SHA1
633e2b298929fed4513f279776d0dc0d4dccb24b

SHA256
a6293d03a3be20567277c95422a8ee382576f0955348ab85daf7c276642e3531

SHA512
fef662cb562c54c8eb05ccbb215e460e83b58f8baf9a8d5d0e9c146c7149a892c130f3da944cbeebf832e67754d13e6b740502f83a477b025b2f51ba59ae3552

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
57KB

MD5
db2f2278dd030b05fc302fcac7af54fe

SHA1
5006b8bd4d7a1734254fea3348be421e92142905

SHA256
ff38a3e882ef30a104bdc379f600e7e1f24bed51beeb29582f56f20c748f24cc

SHA512
f5566ca4aa86f1d8ee6f9cee235e1b0116b178bd0ebf4fd3b40be1cd80214c41a26fde7af17d9ea07540f2f147538d89d9d92b247e98e6a02c4be94b9bacc326

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
57KB

MD5
9e567947e90a6c66f3683016cb91893c

SHA1
c459f7a22416436653242da392285ef98d67ecbf

SHA256
488616ecceedc0de21a4eb652f17a58a4b882cad91af05988aaea03db52c98e5

SHA512
17a7e3a097d93d8a7267596387a8ed02c59202d3f9b6792c93d2a74fe806209fd5b18a9c6c2e5d4d4faa0278e9001d016c6fe3405bdfb01b01957e2840634a60

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
57KB

MD5
6fc5b4fb4c35de9859c9013e869ab2b5

SHA1
c7d3a6f3c49fcbf6e97b5949886f2e0792342a7d

SHA256
9ffdb8225cdcb16ad9926f3c4ffb658feb3c0f5f2607fbcee98da0672649c805

SHA512
16606ddbb971b8cc912c13c6af0a9d120f0db5e9bcada20313ee59edef80443a1350ac60dd9f47c637d46c90ca1377271ba83697bc30d2455263218cc008bca1

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
57KB

MD5
fa9e169e03a1a1c162b010d06f6a5026

SHA1
741d41a67db9f74fdc1634e0986e17c86877e598

SHA256
160f7ce9b5f55ec4137045e2f90c0351fbf17e6305a08917c3e696b36d4f13d7

SHA512
cf9617f7fc243c826f0e87b5547d6577450f4e2ae611b94bb1e637956fe9b775fcf665f6d0143107af727774061f03f7334164345382c69938188c598fbf859d

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
57KB

MD5
e0446117de225facb45cb972d77c12c2

SHA1
748f035967e170e6ae4a8ebd5e0489a4a9d79a5e

SHA256
341e8aaf71cab230aaf79c6ccc1d8bfc26e2e6da2cf534638a6d051d775e3943

SHA512
e335d3d634d70a7508fc05b236c058265bb26f13dbacb134bbaf97dd56113b659e5856dd3d452f519b848490175f9fed260d4e7cd9cbfc82fab345080bcea37e

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
57KB

MD5
a64bb00be67c10f8e854d8193df69919

SHA1
6bbff87d5b8326023d81bc63eabcacc78eaeaca5

SHA256
e700d0ff8e2cd0975efa690a294837cbc66b62219c7cbc6b07c31ad86863f59c

SHA512
9ca5ed5adc41b49f0c650f95feb7440a58f07342491d998bfeaf31cbfe0d41cf185478527f86ac4105234a6d8270e41da46a9ad24ab683d9774f7db113311de9

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
57KB

MD5
e0b476aa658b2c7790d320cbb9ab3f0f

SHA1
abb04f0207e954d1abc8975d667731cc28f99303

SHA256
0e665383f4c9d55ec1ee8a54a1e12499edc92c6c77405fd968370c75efb3ac46

SHA512
f0db1f6d798f805bb8ec6af40ef5aa77adb8c7b85a88b2d26e38dd2665a5375174914acf6f2f1fa16df6e50a457d91b363873326fca4fea2af373566826e0034

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
57KB

MD5
4fc3335c0ff6a20edd47096161d05400

SHA1
386712d57ba2ec884bbab5199eff01e0ac9e6de9

SHA256
67e195fd9fd3bd0ee8bf4db7d8f870a9538e761a2f98b0b4296ab7bb0738357d

SHA512
b8850d62e70d221837579ac7826543c7c534e76f855828e9b5270d2766cda4c93d430ec401a5a756f62049fc59c79cc1fa3684d9cae7a7da7b26a2acb14a69db

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
57KB

MD5
27666e0671da3d26d3bf0915fb1b8161

SHA1
ce2ece8416aa4e549757d184cd5dc992b5d41263

SHA256
f534fe553b6cdfd0692a6fe7b2983e42db6de09448514602f8fda96798663a73

SHA512
b73c120b26ec692aefd9350000b38b1acd4fa27c09b2f6c02592f5c60f3fcb78cfd5315d93f6b6c75f45cc00e4d8ec92fd88e5a1fce97d2a80af6635a5df354f

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
57KB

MD5
cb3b909492b78136b316ea43c69c7b3f

SHA1
8c0ab2d8d8d829ec25a64c1140b4cb5466592d74

SHA256
4fe8f8d121e0715ef1ded0f1a9c85ef3080943528c61d79f8ae69803d4706d5a

SHA512
f348d8166992a6dfb3e82cf9b740d9ce9c137bdca938d4d86aca55ca9ba8a6d31faad41f8f340e17fce8c6723d3bb074d11854ec298a0b76521f4efc495268ee

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
57KB

MD5
d97111f1633caae1dd64caecd2916249

SHA1
36481b179126ab2b328f897385058ea43a856745

SHA256
1d05ccb6c015b3c4bda17ed08c7b4f0c250bb88cc8f76a57a118db36ee41b63c

SHA512
ac93753de7af200207890627aade384f5611d7ff3b0fa9b07375f93c55623da8a841c19b5e9c5b6f0c5aa8179321c65ab18962b4722e5200a43223c640f0da2c

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
57KB

MD5
cc64d4e20a1d042940659a54e12a2f0f

SHA1
a1573937805b6c3f84b3dc3f4d9f67d8d88d19a8

SHA256
55358c23ac3b82009e6b7e11d5b7ce8dcf62ac1290a3c0b0902538b4231094d1

SHA512
84bba75339a77c5c810c57ebf3b5c8823f76e82e8a8cfc9312e021fa50c9ff3d4e4fd93c0605622b56f4a64c0a87e4a7b8f0c6bc6d6ce0df8be8652a6e6a591f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
57KB

MD5
f6170cbd95714d65faaefb243de50f81

SHA1
a71d3e5deda90baf97b865dc45e601a35e530565

SHA256
eb0dbf937b0fcdf7930ec0584902f4b92615c9f36471cd07ffdcb24e6059b8b0

SHA512
148ab3bfc92abe5b672538fa53e043b20ea91f440786dd4300a609f14c4031564d107e6064000e286c151222748472c976afad904758c619944d1d78553e9d90

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
57KB

MD5
d2967b58b96487e0e377e196733d3f69

SHA1
5af88e3ba9aab6de834b6d7c35ff8c29bdc0ca8e

SHA256
ab28d7a4739db5ff93509c0930a0fd60c600593d1f5648377bd67df2660d92f4

SHA512
0f367ff84c3704896c6cf36428a5ea91e56432cc02fe8e55d3271f8911092531da35c8a189b816de7cdb5d7a14a69caf21f2fb95da06fe6bf994aa67ed83fb76

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
57KB

MD5
2cd6afcaf9134c094640b7514ae194da

SHA1
adc921f69c42aa0ef90a8d28c01990d7ad64caec

SHA256
105fc94782f7c5b940042251608c47d97b9880becd75bb061360410d83375804

SHA512
27cf74f05016b9ca1530d23e3d67fad2faec0851b509302513027bc5219b7bd95b921b514c68e8ea028307f2f2b6b48975fae3edbda0cf4cccef6da2622d0569

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
57KB

MD5
dd1d3e923c63a0847e56bb163edc06fb

SHA1
5be7b00269b70c687144e52bfa72f9af6e8aef63

SHA256
633d55f3d74e67c24e220a1389a627ba356d226b7120adfa3d621f21f6987e08

SHA512
2b75a7de03c5d1fd0f2a2a51314c24505427b67fbe1a0812db33173d9b5a5c09661e3dd5bb33e977542f59274c7bdefaac2b4fbbc99a5bfc2f9ad7ff4c4eb5d1

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
57KB

MD5
1812ed3e9f8370810c51c771c0541da4

SHA1
9869eaec0990f62afe6bf334829bd8ca83b06db0

SHA256
2d223d458a4fdbbe255bea1f717e9dab0c5f962fa0fef3dc15005b5e785196c0

SHA512
ceff7844d9da1ff881b0f5832542a50e18f888e517d12ab14a3686283240b77756578552f9afb4e33169587d080332caae2ee5e3d773f52f8841763b165014a6

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
57KB

MD5
e41f4dc358917451452695b793f99e87

SHA1
4eace41c691dbb84554d9c88048e4120ff77d644

SHA256
ff7e382a39211b79d8926c498740e4d6e23b6bbd7c9cf14c050222973dd791cd

SHA512
3c61de83e1ec7316a5aabdc4993fc851e738214a891a9f0fe7d15fa7bc249646951871be329de537656f613a36affe7a299f724fa999d9c003ac21c839432c77

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
57KB

MD5
b6433e8d8ad7678462b3c8233f5055a0

SHA1
b47b12e3216b86f486ed216dc1f17dee794c468a

SHA256
40229e123cfcc77596300da4e849578b48a524b6aba5274c92111ca7a4e32379

SHA512
ff4aed5732569d29c8c20c0d0439308be89981eae01ed7501fe9272e534c34401d40ed7debd8f17fec9aefcdc2a6c65e05d5d2587680b28d0496ea92916343da

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
57KB

MD5
f9668667705eb0626eded1cacf3e02fa

SHA1
5739b03cc5c0cfd6e57a535ebccbcf928a9869d1

SHA256
e6d8531431a5e8d36eb8084868cd968bd088939e1590b875dce76b11265d4bb7

SHA512
f6b96eba4bb9a30e80a5bd288a941159f9977ca720db78a8cb0c84a05f5a97a0fa8360763624811e713f0dbabef3e9ecf681e3427885bd257288cfbba653cd28

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
57KB

MD5
8e18df58b1ed56c970b20df7da4ad3c6

SHA1
5c1bf941ed14418a016919b5116975bb4acd37bc

SHA256
395079c2c208c69d62284d8664348f78334fee88499401671487dbceed650674

SHA512
72d407e79b0d1c584de6e37b460b19e5142e3970387332eb74e69cf2700c4d1d19574bd7d5f5e83cf3f42a631345a5df4dcf80ebb1affec7a0f1fdd675404485

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
57KB

MD5
46b50fa4c77c511161a8ed9a2bcc792a

SHA1
c9ef0e2b285462148d2bbbdba0e4718d4d0e5ac9

SHA256
dfe51f4c83ed711030ddee55dd22c74774cd5aee9354d3379d99c6d88cbd2160

SHA512
b175e2107d6a02ff1f92f76708a5cd5a429e94b87ac14a139b158f11e20a75816fed0dc3a760eab12d73013fe9fc7cc649b19d09c779317a0ed309fb7458d4c2

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
57KB

MD5
38b397c548175b7e55c4d6be350e792e

SHA1
3573ed3b7ec2aec51efd5560947afd2316cba302

SHA256
3d23878ebe6a5ea0d2c5a702fa480b81b319dd5f1d5699766cb6f32c32c6530f

SHA512
aacf8e94c12d9afe19f2a9d1c73537c44c574edf5c261f7613c1cd35736758842013fccff97c21cdae9f3f315c9675a20f6a564937a5929b92531ed9dc4f585c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
57KB

MD5
7115eff9b8ab23b7172288052ac19808

SHA1
654ada49e3809c219804fbaffd37dbf014dd63be

SHA256
b8b80b7b5363e10905d069ea6037f383cee05834418967e6f944de4b23bb8cd5

SHA512
066811a712e81669bf60d3486bd28b5558e6c013c12abaf6677a3896872ff18e8da1d8f0dcc9f3ffffc019925afadefc9200eccfe165adcf1d9f03816f3c851a

Download Submit
memory/60-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3272-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3580-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads