e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Size

161KB
MD5

0014e31e0ba92b6a97a61cc4199dab2e
SHA1

a10df1a0d1d53569d51d64d0b452a3add62e1ca7
SHA256

e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d
SHA512

82f0ef7cf6415869ff702d81cfbc64927b5ec4862e416bde4a7fbaab2609cb521aa0fe760811f60d483a31f6f1b83af0a3a0df487b9bf4e4200f93e5b65e6d50
SSDEEP

3072:S1OcyQhi22lZNAUpu7t2kMVwtCJXeex7rrIRZK8K8/kv:SOZZ6Upu7t2kMVwtmeetrIyR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihjnom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdbkjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoamgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipllekdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ichllgfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihjnom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkoplhip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdqbekcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkhnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmplcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoamgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmplcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkhnle32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ichllgfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipllekdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkoplhip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdklf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdqbekcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbkjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikfmfi32.exe

Executes dropped EXE 34 IoCs

pid	Process
3060	Hoamgd32.exe
2628	Hkhnle32.exe
2652	Hdqbekcm.exe
2432	Iedkbc32.exe
2340	Ichllgfb.exe
1824	Ipllekdl.exe
1312	Ikfmfi32.exe
1180	Ihjnom32.exe
2864	Jdbkjn32.exe
2320	Jqilooij.exe
1884	Jkoplhip.exe
2040	Jmplcp32.exe
824	Kiijnq32.exe
1928	Kbdklf32.exe
2316	Knklagmb.exe
2804	Kbidgeci.exe
2140	Kgemplap.exe
2944	Lghjel32.exe
1252	Leljop32.exe
2996	Lfpclh32.exe
1332	Lbfdaigg.exe
1556	Legmbd32.exe
3020	Mpmapm32.exe
1672	Mieeibkn.exe
2828	Mbmjah32.exe
1344	Modkfi32.exe
2768	Mlhkpm32.exe
2928	Mkmhaj32.exe
2600	Mpjqiq32.exe
2536	Ngfflj32.exe
2476	Nlcnda32.exe
2516	Nlekia32.exe
1596	Ngkogj32.exe
2388	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
3060	Hoamgd32.exe
3060	Hoamgd32.exe
2628	Hkhnle32.exe
2628	Hkhnle32.exe
2652	Hdqbekcm.exe
2652	Hdqbekcm.exe
2432	Iedkbc32.exe
2432	Iedkbc32.exe
2340	Ichllgfb.exe
2340	Ichllgfb.exe
1824	Ipllekdl.exe
1824	Ipllekdl.exe
1312	Ikfmfi32.exe
1312	Ikfmfi32.exe
1180	Ihjnom32.exe
1180	Ihjnom32.exe
2864	Jdbkjn32.exe
2864	Jdbkjn32.exe
2320	Jqilooij.exe
2320	Jqilooij.exe
1884	Jkoplhip.exe
1884	Jkoplhip.exe
2040	Jmplcp32.exe
2040	Jmplcp32.exe
824	Kiijnq32.exe
824	Kiijnq32.exe
1928	Kbdklf32.exe
1928	Kbdklf32.exe
2316	Knklagmb.exe
2316	Knklagmb.exe
2804	Kbidgeci.exe
2804	Kbidgeci.exe
2140	Kgemplap.exe
2140	Kgemplap.exe
2944	Lghjel32.exe
2944	Lghjel32.exe
1252	Leljop32.exe
1252	Leljop32.exe
2996	Lfpclh32.exe
2996	Lfpclh32.exe
1332	Lbfdaigg.exe
1332	Lbfdaigg.exe
1556	Legmbd32.exe
1556	Legmbd32.exe
3020	Mpmapm32.exe
3020	Mpmapm32.exe
1672	Mieeibkn.exe
1672	Mieeibkn.exe
2828	Mbmjah32.exe
2828	Mbmjah32.exe
1344	Modkfi32.exe
1344	Modkfi32.exe
2768	Mlhkpm32.exe
2768	Mlhkpm32.exe
2928	Mkmhaj32.exe
2928	Mkmhaj32.exe
2600	Mpjqiq32.exe
2600	Mpjqiq32.exe
2536	Ngfflj32.exe
2536	Ngfflj32.exe
2476	Nlcnda32.exe
2476	Nlcnda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Ibeogebm.dll	Hoamgd32.exe
File created	C:\Windows\SysWOW64\Ichllgfb.exe	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Hnepch32.dll	Ihjnom32.exe
File created	C:\Windows\SysWOW64\Jqilooij.exe	Jdbkjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hkhnle32.exe	Hoamgd32.exe
File created	C:\Windows\SysWOW64\Hdqbekcm.exe	Hkhnle32.exe
File created	C:\Windows\SysWOW64\Mpcnkg32.dll	Kgemplap.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Jmplcp32.exe	Jkoplhip.exe
File created	C:\Windows\SysWOW64\Allepo32.dll	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Leljop32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Pgegdo32.dll	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
File created	C:\Windows\SysWOW64\Lafcif32.dll	Ipllekdl.exe
File created	C:\Windows\SysWOW64\Legmbd32.exe	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Hoamgd32.exe	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
File opened for modification	C:\Windows\SysWOW64\Ipllekdl.exe	Ichllgfb.exe
File opened for modification	C:\Windows\SysWOW64\Jqilooij.exe	Jdbkjn32.exe
File opened for modification	C:\Windows\SysWOW64\Jmplcp32.exe	Jkoplhip.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Jnfqpega.dll	Jqilooij.exe
File opened for modification	C:\Windows\SysWOW64\Knklagmb.exe	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Knklagmb.exe	Kbdklf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Jdbkjn32.exe	Ihjnom32.exe
File created	C:\Windows\SysWOW64\Gcopbn32.dll	Lghjel32.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Leljop32.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Dlpajg32.dll	Hkhnle32.exe
File opened for modification	C:\Windows\SysWOW64\Iedkbc32.exe	Hdqbekcm.exe
File opened for modification	C:\Windows\SysWOW64\Ichllgfb.exe	Iedkbc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdklf32.exe	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Ipllekdl.exe	Ichllgfb.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Fffdil32.dll	Hdqbekcm.exe
File opened for modification	C:\Windows\SysWOW64\Ihjnom32.exe	Ikfmfi32.exe
File created	C:\Windows\SysWOW64\Kgemplap.exe	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Leljop32.exe	Lghjel32.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Cljiflem.dll	Jmplcp32.exe
File created	C:\Windows\SysWOW64\Kacgbnfl.dll	Lfpclh32.exe
File opened for modification	C:\Windows\SysWOW64\Hdqbekcm.exe	Hkhnle32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Legmbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Lghjel32.exe	Kgemplap.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Mpjqiq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
688	2388	WerFault.exe	61

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jqilooij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkoplhip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoamgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoamgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll"	Hdqbekcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll"	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkoplhip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmplcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpajg32.dll"	Hkhnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll"	Ipllekdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipllekdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkhnle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ichllgfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddljof.dll"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdqbekcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpebiecm.dll"	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdqbekcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll"	Jmplcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgegdo32.dll"	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll"	Jkoplhip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihjnom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mieeibkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3060	3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe	28
PID 3044 wrote to memory of 3060	3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe	28
PID 3044 wrote to memory of 3060	3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe	28
PID 3044 wrote to memory of 3060	3044	e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe	28
PID 3060 wrote to memory of 2628	3060	Hoamgd32.exe	29
PID 3060 wrote to memory of 2628	3060	Hoamgd32.exe	29
PID 3060 wrote to memory of 2628	3060	Hoamgd32.exe	29
PID 3060 wrote to memory of 2628	3060	Hoamgd32.exe	29
PID 2628 wrote to memory of 2652	2628	Hkhnle32.exe	30
PID 2628 wrote to memory of 2652	2628	Hkhnle32.exe	30
PID 2628 wrote to memory of 2652	2628	Hkhnle32.exe	30
PID 2628 wrote to memory of 2652	2628	Hkhnle32.exe	30
PID 2652 wrote to memory of 2432	2652	Hdqbekcm.exe	31
PID 2652 wrote to memory of 2432	2652	Hdqbekcm.exe	31
PID 2652 wrote to memory of 2432	2652	Hdqbekcm.exe	31
PID 2652 wrote to memory of 2432	2652	Hdqbekcm.exe	31
PID 2432 wrote to memory of 2340	2432	Iedkbc32.exe	32
PID 2432 wrote to memory of 2340	2432	Iedkbc32.exe	32
PID 2432 wrote to memory of 2340	2432	Iedkbc32.exe	32
PID 2432 wrote to memory of 2340	2432	Iedkbc32.exe	32
PID 2340 wrote to memory of 1824	2340	Ichllgfb.exe	33
PID 2340 wrote to memory of 1824	2340	Ichllgfb.exe	33
PID 2340 wrote to memory of 1824	2340	Ichllgfb.exe	33
PID 2340 wrote to memory of 1824	2340	Ichllgfb.exe	33
PID 1824 wrote to memory of 1312	1824	Ipllekdl.exe	34
PID 1824 wrote to memory of 1312	1824	Ipllekdl.exe	34
PID 1824 wrote to memory of 1312	1824	Ipllekdl.exe	34
PID 1824 wrote to memory of 1312	1824	Ipllekdl.exe	34
PID 1312 wrote to memory of 1180	1312	Ikfmfi32.exe	35
PID 1312 wrote to memory of 1180	1312	Ikfmfi32.exe	35
PID 1312 wrote to memory of 1180	1312	Ikfmfi32.exe	35
PID 1312 wrote to memory of 1180	1312	Ikfmfi32.exe	35
PID 1180 wrote to memory of 2864	1180	Ihjnom32.exe	36
PID 1180 wrote to memory of 2864	1180	Ihjnom32.exe	36
PID 1180 wrote to memory of 2864	1180	Ihjnom32.exe	36
PID 1180 wrote to memory of 2864	1180	Ihjnom32.exe	36
PID 2864 wrote to memory of 2320	2864	Jdbkjn32.exe	37
PID 2864 wrote to memory of 2320	2864	Jdbkjn32.exe	37
PID 2864 wrote to memory of 2320	2864	Jdbkjn32.exe	37
PID 2864 wrote to memory of 2320	2864	Jdbkjn32.exe	37
PID 2320 wrote to memory of 1884	2320	Jqilooij.exe	38
PID 2320 wrote to memory of 1884	2320	Jqilooij.exe	38
PID 2320 wrote to memory of 1884	2320	Jqilooij.exe	38
PID 2320 wrote to memory of 1884	2320	Jqilooij.exe	38
PID 1884 wrote to memory of 2040	1884	Jkoplhip.exe	39
PID 1884 wrote to memory of 2040	1884	Jkoplhip.exe	39
PID 1884 wrote to memory of 2040	1884	Jkoplhip.exe	39
PID 1884 wrote to memory of 2040	1884	Jkoplhip.exe	39
PID 2040 wrote to memory of 824	2040	Jmplcp32.exe	40
PID 2040 wrote to memory of 824	2040	Jmplcp32.exe	40
PID 2040 wrote to memory of 824	2040	Jmplcp32.exe	40
PID 2040 wrote to memory of 824	2040	Jmplcp32.exe	40
PID 824 wrote to memory of 1928	824	Kiijnq32.exe	41
PID 824 wrote to memory of 1928	824	Kiijnq32.exe	41
PID 824 wrote to memory of 1928	824	Kiijnq32.exe	41
PID 824 wrote to memory of 1928	824	Kiijnq32.exe	41
PID 1928 wrote to memory of 2316	1928	Kbdklf32.exe	42
PID 1928 wrote to memory of 2316	1928	Kbdklf32.exe	42
PID 1928 wrote to memory of 2316	1928	Kbdklf32.exe	42
PID 1928 wrote to memory of 2316	1928	Kbdklf32.exe	42
PID 2316 wrote to memory of 2804	2316	Knklagmb.exe	43
PID 2316 wrote to memory of 2804	2316	Knklagmb.exe	43
PID 2316 wrote to memory of 2804	2316	Knklagmb.exe	43
PID 2316 wrote to memory of 2804	2316	Knklagmb.exe	43

C:\Users\Admin\AppData\Local\Temp\e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe
"C:\Users\Admin\AppData\Local\Temp\e6a23bca9baf4953064aa76f31bbec93c6c900800982bf0c9055cc0b60e5df5d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Hoamgd32.exe
  C:\Windows\system32\Hoamgd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Hkhnle32.exe
    C:\Windows\system32\Hkhnle32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Hdqbekcm.exe
      C:\Windows\system32\Hdqbekcm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Iedkbc32.exe
        
        C:\Windows\system32\Iedkbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\Ichllgfb.exe
        
        C:\Windows\system32\Ichllgfb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ipllekdl.exe
        
        C:\Windows\system32\Ipllekdl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Ikfmfi32.exe
        
        C:\Windows\system32\Ikfmfi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ihjnom32.exe
        
        C:\Windows\system32\Ihjnom32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Jdbkjn32.exe
        
        C:\Windows\system32\Jdbkjn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Jqilooij.exe
        
        C:\Windows\system32\Jqilooij.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Jkoplhip.exe
        
        C:\Windows\system32\Jkoplhip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Jmplcp32.exe
        
        C:\Windows\system32\Jmplcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kiijnq32.exe
        
        C:\Windows\system32\Kiijnq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Knklagmb.exe
        
        C:\Windows\system32\Knklagmb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        35⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 140
        36⤵
        Program crash
        
        PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbldmm32.dll

Filesize
7KB

MD5
17a2ca61faa924cffbebb0884eb5db47

SHA1
7d2fe4141865316e5088c41f7448d37a2280c678

SHA256
72f85e1899420fde6ed856b45569a7d13cd52395a4d24788f45b8cb4c766bf11

SHA512
266fef15d77814f58cb6d740b0c5c11d1396923fbdf95cfccf00833d57a5fce36d8891ff80bc74d8a572033d42fe2924d5ad3f2f4d0f02eb9296bceb84f53055

Download Submit
C:\Windows\SysWOW64\Hdqbekcm.exe

Filesize
161KB

MD5
177714ecbc4c57e61cdd6e5692c58e1a

SHA1
83d4750c9155a4f0e604ac0f0a4ce0eb0bf66451

SHA256
f9c7b74efe20dc2dd5f3e8e2535e6590bf66d13ccea84c1762c7a684dbde3b57

SHA512
aacfbc3e9151a4472c3a3340566f39dc234174ab8bf6ee523a8a2f08a05621cc60b51af1fe271dcdff927921833bfe4557e86c87a690c85639fa9e08b829c690

Download Submit
C:\Windows\SysWOW64\Hkhnle32.exe

Filesize
161KB

MD5
8e386b1814bc637b1b6cc3e8e739a4da

SHA1
b9665fa59f676302bf751d002567a95ce9646d65

SHA256
5d28b5bfdd9ba24f7361aac6a5b184c7233f8663a10433e130dca98c62286421

SHA512
ff894098ce7da497b324607bd808486e3cf72abe30a197fb25f2b71fe8e4a2ecd1923bc19ec99a2ef1470491f779020bfe01ac034d537f2b22bfcfc8ad3cdc98

Download Submit
C:\Windows\SysWOW64\Ichllgfb.exe

Filesize
161KB

MD5
f46902c031bab562da85318b1c5f76ad

SHA1
dc57d11975b38fa6961b4569fc8070406367bfb9

SHA256
eb24120fd0f39824c0752f65192b4a4b35ec13c12d4cc067bf2f5f2b9fb91680

SHA512
f045b61380037b170fbe046426300f6529314c4f8023495eb3bd7bfefbdd119b2ecab0f28132f4a35f822ba0ef26c42b66460ba2a2cfc38c9b78f8126da1c2d4

Download Submit
C:\Windows\SysWOW64\Ikfmfi32.exe

Filesize
161KB

MD5
896e8ba937542a12d447b9d4d91b4429

SHA1
aeaeaf2b20023f7c9fc0611e1d57e40ce5cddfde

SHA256
34b0d78dd3441ea1c2ea34a0a78812f251910528aebe5a1a47c95a8f8e07fd5e

SHA512
e45e00bf59177998851e5d81baaf461f5d478683420ed9882ac6a67d9d5086b7b1a86ee6177c35872d1174aece9e842e879bcfae194b32c07da6a7a67f101df5

Download Submit
C:\Windows\SysWOW64\Jdbkjn32.exe

Filesize
161KB

MD5
fe9dd885c147319c467234b2c526d21d

SHA1
2e9527c8639005ff8c43cfee08097b45b1264f9d

SHA256
c94c4563da82bb2d3407e6f649622fab2cc588be9d542a9795375b0b4bf416f3

SHA512
1bc6e3fd4d75663564d7ad14da4d928cf38c925dbc42c7f88e2aba24c72df1870418d8de2b3aac8430c87c44411fb345e3c327206aa251208623e815158e4018

Download Submit
C:\Windows\SysWOW64\Jkoplhip.exe

Filesize
161KB

MD5
b21d0a095a8e0db4f27e5c891bfc2eb6

SHA1
6d3351e0810e39dfa5cca4632e29d99289914a96

SHA256
1fa9b81f8c9944e94e7d8b3d10c1f51a0d49a7b0e97c339d41495e14a493bdc1

SHA512
0da84397eb1e1b79bc6660b04af83621d97873adddbe2f6d9e23481b15618b2b14af8738a882dc533d7f300a267c6bf438a9c659f583218f5b22858e5546ad39

Download Submit
C:\Windows\SysWOW64\Kgemplap.exe

Filesize
161KB

MD5
380eb43e23ec1d8d1e68240ee81bc837

SHA1
9d8e8ba07c8aee3489755a8121acbb2daf97a455

SHA256
29cbc8d3ac64b46354dae270d287d7577ff694ef87b7417949a66b4d0ae0d856

SHA512
f64501544325d3336b9bd58db3b6a03e0205a7b40151c21f0290f6dc6f182ac26b8f705ae20ab393be651afdf950bf4302a3cae62ee0c1688a0cc15578f9a6c8

Download Submit
C:\Windows\SysWOW64\Kiijnq32.exe

Filesize
161KB

MD5
0edb0e9e9dd84335e7ff35a796bac1b5

SHA1
6fa168340a8d5784631622a31c1bb2a01e332b86

SHA256
746c0c970faa9931b5a0b0c84ff58bf2d4466a41aa512ce748430be4c014b591

SHA512
00f3ca838d0a2abf07f5cdf0890577a1c6bf67894c5db5c5ffba8c844554bff3290be232c523bd5ff40bc267f6bff7a927ea0162fb35e4a2f7e66b935e4ae34d

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
161KB

MD5
05429e5cfd267b1357bad1ec6358e8da

SHA1
52123989b2a34bfb16e002a215a92054724e66ee

SHA256
6f332da9202cab2bea27188c02a1dfb59d6b1556baaa37ddd9da66b81e7d7a1d

SHA512
02797e57b74a181628081a91197ad9ffdf2114ee0770688c8697cb2277a0b51771e6cb88961284e07e44b1a40a232f3de3e889e78d2b33864128a5cfb326e3c4

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
161KB

MD5
b7484e718e8d18a7ef430e3628890ff8

SHA1
6c4f0e2d6774a99f383626f64547480ff263c897

SHA256
e4fc102555c51829342d186bb95ea5aef705aa7aee836dfd7da0daf340fe0e58

SHA512
625a710bdf9dc10364ec5e6233668049fb3dee8ceee609c792cf75be946ebbd0acd39303da47e691fea2394a624f54fb9b6034c047e95ac7fe7904eb681d5ba5

Download Submit
C:\Windows\SysWOW64\Leljop32.exe

Filesize
161KB

MD5
95056a4f603b97a451642c862dd5b914

SHA1
da06c2a5a59f934937dbfbea1f5532062a76ad69

SHA256
98dbf5218e880e8a7cf1fad06e0a099f8df0d9b7cb7f77d8a5152b1c4044ef84

SHA512
6b60ca417f31f5afd426cf6dd189c87bc60179053b30c42a53674ec0906f4ef9b896460256125cf06d5d7eb74314c9d2731975f18422f5856ef16098e20a10af

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
161KB

MD5
4f62e45bda4f8680d7a4a621131f0343

SHA1
3fb5bf4e25a99ec69392ec39d1aa678da8785023

SHA256
cd51eb05768e9035e63e6bf4b558a77e7e83e4065ccd5aa81aca50c1adabdfbe

SHA512
8e3b7725c8507b3985fc3b6853864f37fa875dc134416b3b946e1d0aab586744c292bf6af7b32fca76a780afdb7fa77f650d445b55a37101177be927a70a0b66

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
161KB

MD5
d676571b91a9de2d3d3eaeafa3bfe401

SHA1
6ddd9fed4e956b939c496d710dfc126fd518dc4f

SHA256
6be1702f45bef2ac986ae3b92b4ac262856d6364e206a8418e5c4775bdfb9713

SHA512
1bbb64075a333b0ab5f50d1c78438c284d3c79226c89ec93638bf04a555078b5a13f034dc75961fea2e1e1972951350c1a52141daec6730d730f541800ca38b5

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
161KB

MD5
12f024a845f62165ba9c550e0a1dbe24

SHA1
e348a114f573d3d36e0572a80856bb2c45627254

SHA256
7d25837ea78947253060fc1d44ffcdbe19caf39e31b4f2c6f15bbda864cfbbc5

SHA512
c260f8cad9d70dafefd223c2e00339480cacf00d216bfded0981a6f1bf809e6eb86daf50bdca7432bc3b645f7cd8c871864da8fc3dd112dd4efd2870ac9d3022

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
161KB

MD5
e6409f384ccabd0075005bc4b212d66d

SHA1
765ce0a03466e2af17bb8f2dba059555c22b7784

SHA256
a31366e8a49aca9e20ef2e038904a2c92577be53694e09b740d21620ccc2cc07

SHA512
6124cd42e48405b6770777b01694326890a170ce53dcdd4cccb2ffb23304aaf5050196c2196521d0da866cc38ac5457ff695788b049022225b0f91ce83c7f06c

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
161KB

MD5
18a5ca4ff1067a4465e43bc2171a0312

SHA1
748e98386aadcb3873cb3b4ce252128da8fda6ff

SHA256
a30b8092df1a053e75a96db97491d0e70fc53e1067eb4a1879bd842186333bb7

SHA512
d78ff5d328311eb1f855b1d7fdc80b6130f1012b37f2691b5e72518d81ebdaff06c4604c964d2fc125ffd3f1bd2a40ad7cbd6cae3d0b7ff0738f1268c78e0111

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
161KB

MD5
96b85c0f945a98b69044cce4af4456f9

SHA1
ca5ed843797b3c3e966e93fbc0a9e44db221584f

SHA256
6d22bea477d8075b90cf5b0ea599906f28ce490c8f4c63a4f345bc1af3c80310

SHA512
94f5811ff25757e40004475f1005a00b1d41b06a947fa61e1b0d5c7a6cc65ebca1a16af2d843af88ba37659b5e5e7c49f2d37a59668effba555d797421ebf1df

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
161KB

MD5
17dde6edae5491799204ed813c88d060

SHA1
43de622ac95066dfd77bc10d26d82730fc64590f

SHA256
02a6747ed91e308eb9e0cdbb5bd812204a433f9fa42b561ab17ed8fdfd547c35

SHA512
bfd66b1a2589101c1acee74b7d4178e8b3fa4b3bed0ae6fbe8a7e7d8f2ae481dea8dfead1a1509d0f8f66aa89999b5ac91b304d15eba91e46f1425c9695367e8

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
161KB

MD5
bb29264346f10ac4b1012072fbd5fe9a

SHA1
0557fac33adb54c5eddc5978c3893b7d7fde1773

SHA256
4f1b13f56a099ab47eb2021bb3be92c10b216a22d4ec2577d310456cd061f480

SHA512
93ca928bbe22274055b288c67794b38cbc6ccad91d47e7591e1df084fbca7bba340a558e414027244eb2a955d18a323a73bbfdcd87d38072c87691db62df9f61

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
161KB

MD5
104137d583c4fa99f08c7c3b97414e95

SHA1
98a4e420d7ac9dd0c591868321b82a69d814cdaf

SHA256
3ab960f72a13ec8d42a7c29b86937c338048d5d10425445cc07fd88bafa207f6

SHA512
e62b727f7f68e214aaf1854b7bdc694ee791e6a3f8e6783e618dfade52e4d79d65076792d21dd2b90f1321fe31609299d516e60e3705baa2750d1cf05d653a08

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
161KB

MD5
4b9db0d1e3f14838ac354a811f78ba44

SHA1
99b98b498db8358001536abd29eed026ecb86cd8

SHA256
fb9691bf96308f993f4438edcc6696623909942a3ba2f33e7b68c3d93ce9f1c6

SHA512
ce4b283f89ac76007b0fa1f8b5a9ee0c20c698db09bdc52007360717eca71bdcde53b7312dc3d3d1dcb6d03a17a11429a1f166a4fb96fbafaa54d58fec979196

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
161KB

MD5
837bc73d914753f6d95627547e7e9720

SHA1
f21aa574d5a6145b625967feb61e5fda9e2691e8

SHA256
03566c42a967ebfdcff3cc8bdb0714f0a3aeb7fcfe0d9224ac580cbd93022421

SHA512
bd07a286f7ed0c2ddffa59fbe3161b842a99e1f81734fe2e6ae98e059935c23be14970e8e2ab33556c6c0842246dc32de315edb931ce3792a6b3d528e0dacb24

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
161KB

MD5
d99610787e6d90dc9444174470410630

SHA1
21be48130d92ec916ab4113d1c93495099a52997

SHA256
7a19237f39c66147f0a4e9a3e3085819b02c2625fc24d7bca11487e498b99452

SHA512
249a1a0320ad3e17ad876d629833dfbe376782f8735526bcc927255037266d4f84d7e7b0be7225ada7429dbca08ceb6ba651b984a99625d5ea44b9cfed2981d1

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
161KB

MD5
e4ec2d0a1450bcff9592c52f83b5d75e

SHA1
8eb861522618f04f3c2a6e01fa7cbcdce6d06a40

SHA256
afb801f4ccadb02aabd108f19401bf1b94fd14f45c1fe676f0ada148bdd4186d

SHA512
e8c2c54c88dca542ea0080db753f725c464c40379a272579d120f47e7b74908bcb33c4f31506c74f9958bc60e352769ffeac8f18adf06554e10717462d588a97

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
161KB

MD5
9ddb56ee315fce10f8649b7db81f4cb7

SHA1
bc6e4c8400540f300d1f18e61f2fb7d489921a63

SHA256
b115237dea3afa09082fd43e51983d31576978c9aa855b4600e8dc2e08ab197f

SHA512
bb63405c842113cd7705b6652b91c89ea3826d511ecf34419061877124575a0170d2bf0e13d4f9dbcca927e1a21bbac193e0256ee01e35943bc0506908fa8c58

Download Submit
\Windows\SysWOW64\Hoamgd32.exe

Filesize
161KB

MD5
3f1bf12a3765ead1acf7a8e925b51e93

SHA1
0443aa50da0cf2e37ff6b024db26b091a8cf628d

SHA256
b505035f7f17b64ce84d862a045b35f6b1b30c55572aefdf9cc5e39ce8f243df

SHA512
758169164b3a361d7950bc827db6516a89f8890178a19ee792c3281341ca8458edf258131708f3aeef78edbce3b7df9749259e91b698112e68dc1c5ead44808f

Download Submit
\Windows\SysWOW64\Iedkbc32.exe

Filesize
161KB

MD5
b9c7bdb16daecca65fa033a075da3856

SHA1
7747388cb85b9032826a3c0525c9a5cc6f06abd7

SHA256
4fb7fd5405731ec62c1899d6ceabf49b264d788d14040b04134c1823b8c86335

SHA512
93826030c980b17cb6332842bc0a0604fce2d1e1c5048f15805f6460df5b7eff18608553295f19e7bb9d83f4162ded55a6d9ec6fd9bf0e348d781beae476d129

Download Submit
\Windows\SysWOW64\Ihjnom32.exe

Filesize
161KB

MD5
0e145cf13aa741b90f6cc1da5add7f97

SHA1
1b4abeca95090699aabbf953509dd1b408d4be08

SHA256
5e251ca44809d5d4c1d01c8b0c47d426facbe9dfee902beb8cc8f30b08c021df

SHA512
5fb098d63d7ca445ab0316f1f0db60ba427a95a2c18514f5a8ca1786890681f6db2733b176ddbc80f2bcb78565eb8f1986e22144504095624356a4b6a7de22e0

Download Submit
\Windows\SysWOW64\Ipllekdl.exe

Filesize
161KB

MD5
38373bdeeb4a236b34a3dc2d6677db8d

SHA1
f4b18a393b24a720db213aa253934cc3ed59bf4a

SHA256
b5111c9e79026e3a43d6290703a45343e21097ef45f1a974531ab999f6b1c082

SHA512
4eeb781f2774d0dd7ee42bb1c2376935553d480620da70f7d8b3248c707d8e3a03e9a6454d259074e04d62cc0e1fc3e0a7f2fd7ea6f17dd660fb06e4326f7b9b

Download Submit
\Windows\SysWOW64\Jmplcp32.exe

Filesize
161KB

MD5
fea02c1d3aa73f2d00eaaffd720fc920

SHA1
8d15bde6c418a9a8d2ceb896953b4e7d3540721e

SHA256
d2080aa99da083da01d3ea4e12aa14cf5418ac54a46e3e68edab38888173778f

SHA512
67ae8703ae04f1d0bbe1fd58f2d5bef236e047cec565b1d4b4be394221594cfaeb47768e1135e2a28070ca04b3312206be36706a580f03d20c176536cb14eb7c

Download Submit
\Windows\SysWOW64\Jqilooij.exe

Filesize
161KB

MD5
796879e3d7133dc57a74178029b494c1

SHA1
a358de5ab29f1d9b590ff95c6a60a3793072a077

SHA256
891154d14f0e9dcf25c14b0613aea1fa52520cd7455c04e1514966ff7e788cc4

SHA512
b96524b93d80d15a7ce416ba76d6b3a15f5ec304b65b302aef674b84cfaa185fa454c0f0112c40d7b8e4bfdd713535d255311fef19b664839e72c10fc4d3ed62

Download Submit
\Windows\SysWOW64\Kbdklf32.exe

Filesize
161KB

MD5
869179845fe8626c892d2f6fae91d41f

SHA1
2d1baf79185f9c3dd628ce9fe3cf4da507b56316

SHA256
e30d861b12e59a0b8e1bfaeef27a88971952f4c0023db72b453e91f3a90c5d3f

SHA512
c3630389af117b3e18cb55dcfa91e3fbb0576097cc57616b1f4c965cba30aedf47b7fd8bad04f5e81a0df53623784a24353df37bd5973cc46e7c9fae91228c85

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
161KB

MD5
9cc487d253b6612519abf92bc25a8468

SHA1
1e453b6c08cbab295fb2b5f6ed7c674f4f256c5a

SHA256
d3f5ed1743514d822089ed76c696507ba7456fc5254a22196d788c90b173e7f4

SHA512
bfc065f970c72efb20b9c172fa484c5f2248f4f74fa7bf885d5cfde125aa449b4c3d18dbb1fa357cdc7b971b92e9257ee275c30652a3abb01a70308be3ee4845

Download Submit
\Windows\SysWOW64\Knklagmb.exe

Filesize
161KB

MD5
da6e0303bb3dc4b9d1bf629d620ac969

SHA1
3d6674889f51ab7ee6bf3acc3febd10042f441ca

SHA256
a7c85bee3a86339af1fb8dc9c782ff5a27b2a320b193978ebbf22cd797e1f945

SHA512
ebb989a7281d6fe925525667a50dcd140ece007e21b3383af4d1066bff6d7c04d8930e9c0757fb5ec682dcba43f65021458e31840d9b12d60c11b84627212614

Download Submit
memory/824-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/824-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1180-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1180-232-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/1180-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-349-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1252-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-267-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1312-106-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1312-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-293-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1344-333-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1344-334-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1344-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1672-318-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/1672-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1824-97-0x0000000001BD0000-0x0000000001C0F000-memory.dmp

Filesize
252KB

Download
memory/1824-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1824-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-265-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2040-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2140-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2140-243-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2316-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-371-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2600-365-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2600-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-38-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-350-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2768-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-312-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2804-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-222-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2828-328-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2828-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2864-238-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2864-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-355-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2928-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-250-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2944-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-255-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2996-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-101-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-6-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/3044-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-26-0x0000000001BD0000-0x0000000001C0F000-memory.dmp

Filesize
252KB

Download
memory/3060-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads