ebed7f942d9f1b5e97a493f0a5a6e5a77a6dbf65f80b12e324c3d43f8bf2f573

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16440066141793fc6d76fa2f8c900d55.exe
Size

192KB
MD5

16440066141793fc6d76fa2f8c900d55
SHA1

d6086316f210e11198cc27a87f22739e3b75c520
SHA256

ebed7f942d9f1b5e97a493f0a5a6e5a77a6dbf65f80b12e324c3d43f8bf2f573
SHA512

fc5f58a2bedb8e256f5bb0c20362b14ba00e5885656dc9d25516f0ccd1a5ac69111e17f7d9dcbeb07a7dd06a7548260a65b778b21c166e600fcf01b4a251f66d
SSDEEP

3072:vdh3oaJARXIdjqr2B1xdLm102VZjuajDMyap9jCyFsWtex:LvJAJIder2B1xBm102VQltex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16440066141793fc6d76fa2f8c900d55.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2568	Jdhine32.exe
2396	Jjbako32.exe
2344	Jaljgidl.exe
1588	Jbmfoa32.exe
3092	Jkdnpo32.exe
3388	Jmbklj32.exe
5104	Jdmcidam.exe
3260	Jkfkfohj.exe
4988	Kmegbjgn.exe
2644	Kdopod32.exe
3212	Kkihknfg.exe
4996	Kmgdgjek.exe
4216	Kpepcedo.exe
4736	Kbdmpqcb.exe
1620	Kgphpo32.exe
3228	Kinemkko.exe
3336	Kaemnhla.exe
3672	Kphmie32.exe
4244	Kdcijcke.exe
4904	Kgbefoji.exe
3588	Kknafn32.exe
2768	Kipabjil.exe
4424	Kagichjo.exe
2024	Kkpnlm32.exe
1880	Kpmfddnf.exe
740	Kgfoan32.exe
3668	Liekmj32.exe
4948	Lpocjdld.exe
3804	Lcmofolg.exe
2460	Lkdggmlj.exe
1064	Ldmlpbbj.exe
2544	Lijdhiaa.exe
4452	Lpcmec32.exe
3248	Lgneampk.exe
1200	Lilanioo.exe
1008	Lpfijcfl.exe
4992	Lgpagm32.exe
4428	Ljnnch32.exe
4932	Lphfpbdi.exe
3840	Lddbqa32.exe
3568	Lgbnmm32.exe
864	Mjqjih32.exe
4484	Mpkbebbf.exe
668	Mgekbljc.exe
392	Mjcgohig.exe
3188	Mpmokb32.exe
2264	Mcklgm32.exe
2888	Mkbchk32.exe
1680	Mnapdf32.exe
4460	Mpolqa32.exe
2632	Mcnhmm32.exe
3020	Mgidml32.exe
1576	Maohkd32.exe
4560	Mdmegp32.exe
3888	Mglack32.exe
4328	Mjjmog32.exe
3340	Maaepd32.exe
4588	Mdpalp32.exe
1856	Mcbahlip.exe
3932	Nkjjij32.exe
4468	Nnhfee32.exe
4420	Ndbnboqb.exe
916	Ngpjnkpf.exe
4864	Njogjfoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1316	4920	WerFault.exe	161

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	16440066141793fc6d76fa2f8c900d55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2568	2380	16440066141793fc6d76fa2f8c900d55.exe	85
PID 2380 wrote to memory of 2568	2380	16440066141793fc6d76fa2f8c900d55.exe	85
PID 2380 wrote to memory of 2568	2380	16440066141793fc6d76fa2f8c900d55.exe	85
PID 2568 wrote to memory of 2396	2568	Jdhine32.exe	86
PID 2568 wrote to memory of 2396	2568	Jdhine32.exe	86
PID 2568 wrote to memory of 2396	2568	Jdhine32.exe	86
PID 2396 wrote to memory of 2344	2396	Jjbako32.exe	87
PID 2396 wrote to memory of 2344	2396	Jjbako32.exe	87
PID 2396 wrote to memory of 2344	2396	Jjbako32.exe	87
PID 2344 wrote to memory of 1588	2344	Jaljgidl.exe	88
PID 2344 wrote to memory of 1588	2344	Jaljgidl.exe	88
PID 2344 wrote to memory of 1588	2344	Jaljgidl.exe	88
PID 1588 wrote to memory of 3092	1588	Jbmfoa32.exe	89
PID 1588 wrote to memory of 3092	1588	Jbmfoa32.exe	89
PID 1588 wrote to memory of 3092	1588	Jbmfoa32.exe	89
PID 3092 wrote to memory of 3388	3092	Jkdnpo32.exe	90
PID 3092 wrote to memory of 3388	3092	Jkdnpo32.exe	90
PID 3092 wrote to memory of 3388	3092	Jkdnpo32.exe	90
PID 3388 wrote to memory of 5104	3388	Jmbklj32.exe	91
PID 3388 wrote to memory of 5104	3388	Jmbklj32.exe	91
PID 3388 wrote to memory of 5104	3388	Jmbklj32.exe	91
PID 5104 wrote to memory of 3260	5104	Jdmcidam.exe	92
PID 5104 wrote to memory of 3260	5104	Jdmcidam.exe	92
PID 5104 wrote to memory of 3260	5104	Jdmcidam.exe	92
PID 3260 wrote to memory of 4988	3260	Jkfkfohj.exe	93
PID 3260 wrote to memory of 4988	3260	Jkfkfohj.exe	93
PID 3260 wrote to memory of 4988	3260	Jkfkfohj.exe	93
PID 4988 wrote to memory of 2644	4988	Kmegbjgn.exe	95
PID 4988 wrote to memory of 2644	4988	Kmegbjgn.exe	95
PID 4988 wrote to memory of 2644	4988	Kmegbjgn.exe	95
PID 2644 wrote to memory of 3212	2644	Kdopod32.exe	96
PID 2644 wrote to memory of 3212	2644	Kdopod32.exe	96
PID 2644 wrote to memory of 3212	2644	Kdopod32.exe	96
PID 3212 wrote to memory of 4996	3212	Kkihknfg.exe	97
PID 3212 wrote to memory of 4996	3212	Kkihknfg.exe	97
PID 3212 wrote to memory of 4996	3212	Kkihknfg.exe	97
PID 4996 wrote to memory of 4216	4996	Kmgdgjek.exe	98
PID 4996 wrote to memory of 4216	4996	Kmgdgjek.exe	98
PID 4996 wrote to memory of 4216	4996	Kmgdgjek.exe	98
PID 4216 wrote to memory of 4736	4216	Kpepcedo.exe	99
PID 4216 wrote to memory of 4736	4216	Kpepcedo.exe	99
PID 4216 wrote to memory of 4736	4216	Kpepcedo.exe	99
PID 4736 wrote to memory of 1620	4736	Kbdmpqcb.exe	100
PID 4736 wrote to memory of 1620	4736	Kbdmpqcb.exe	100
PID 4736 wrote to memory of 1620	4736	Kbdmpqcb.exe	100
PID 1620 wrote to memory of 3228	1620	Kgphpo32.exe	101
PID 1620 wrote to memory of 3228	1620	Kgphpo32.exe	101
PID 1620 wrote to memory of 3228	1620	Kgphpo32.exe	101
PID 3228 wrote to memory of 3336	3228	Kinemkko.exe	102
PID 3228 wrote to memory of 3336	3228	Kinemkko.exe	102
PID 3228 wrote to memory of 3336	3228	Kinemkko.exe	102
PID 3336 wrote to memory of 3672	3336	Kaemnhla.exe	103
PID 3336 wrote to memory of 3672	3336	Kaemnhla.exe	103
PID 3336 wrote to memory of 3672	3336	Kaemnhla.exe	103
PID 3672 wrote to memory of 4244	3672	Kphmie32.exe	104
PID 3672 wrote to memory of 4244	3672	Kphmie32.exe	104
PID 3672 wrote to memory of 4244	3672	Kphmie32.exe	104
PID 4244 wrote to memory of 4904	4244	Kdcijcke.exe	105
PID 4244 wrote to memory of 4904	4244	Kdcijcke.exe	105
PID 4244 wrote to memory of 4904	4244	Kdcijcke.exe	105
PID 4904 wrote to memory of 3588	4904	Kgbefoji.exe	106
PID 4904 wrote to memory of 3588	4904	Kgbefoji.exe	106
PID 4904 wrote to memory of 3588	4904	Kgbefoji.exe	106
PID 3588 wrote to memory of 2768	3588	Kknafn32.exe	107

C:\Users\Admin\AppData\Local\Temp\16440066141793fc6d76fa2f8c900d55.exe
"C:\Users\Admin\AppData\Local\Temp\16440066141793fc6d76fa2f8c900d55.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Jdhine32.exe
  C:\Windows\system32\Jdhine32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\Jjbako32.exe
    C:\Windows\system32\Jjbako32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\Jaljgidl.exe
      C:\Windows\system32\Jaljgidl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        61⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        68⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1544
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        75⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 400
        76⤵
        Program crash
        
        PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4920 -ip 4920
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
192KB

MD5
377e21c2ec500d821eeb492f1eabea1c

SHA1
c73e6dd5a36705c5b0e28a299710d6281053e6a6

SHA256
886ed650e9208e1c1850ba4e3d713da7b23c23ebd6d8e0bb62728aaf400309a8

SHA512
2adeaf87cfa700f84ba36f97bd8450e22a144d11e8d35bdd5a00b57faf241cefe4dedefa259fdeac0e51beabe7c8747fe6affed490ecafee5cd233b56d5373ae

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
192KB

MD5
40ce1cd6458a647e000476768857f668

SHA1
ac1b4f8b1adb78f16c175265844d4b12590d6eb1

SHA256
6824fe516dd7f10025faad872460af9a76789230c85c5264c0606de7e007942d

SHA512
6a4580ab1b4f6fda199d3ed197a1a03b968ce998130aa895db61e253904e53c6c8e84414fe9c08e334a268a00858d077b102a281be601fac1be05f164f0abeed

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
192KB

MD5
2ca08136baca3bd51ebf4e3bd642267e

SHA1
9c008437d9d96d852e41e41730adcf705b363537

SHA256
456ee1bef0212c17094968f77a1925af6fff0cc5903988f3d0e9bc93015a5d94

SHA512
7909a4eeec7c45c7cf14d55e6227636abdae2518ae1707676c159957936b3267d4ac70f474add63cc89a5d1a2d243652ef7ad5caa261cc22773060431baa3e81

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
192KB

MD5
535792e47d94b39adb3452c68022b680

SHA1
62aecee9d2299457d3db0bfe4d20fda4e60d7e27

SHA256
a3bf38a2b03046820c66a8120ab9bc3f4d668fe5b9b76ba388c842f65fbb755e

SHA512
15aba4e6ae2611e6510d1c5053e582c63be3d0d95b403d5f75915d7ebacdf13e8de84995bc69f6f3e2d92c08bb0785c045d38ef944561c18a866f9c60c58ffa6

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
192KB

MD5
4d0d725e1a4dce6a8f1d8aee280b1319

SHA1
c647ecd68b8531b1a7ac27f960c2c163a29356f8

SHA256
3a8499ad780d8a24283c8ff7904f75df675adfa4f4a4a7ddfd3ffc21c03b7300

SHA512
4bdeecbee53ddbf5c35aa3dd17802791b47051bbce36250d38de7cb341ccb3ecd30e6f3551758661244d02911ccc3719dce6032163b83fe9c499ebc7061601ec

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
192KB

MD5
f20c4fd55a6c453805a174bac7ea4fee

SHA1
87d4a2e5c9b438481ff76f618b4e6dfe8fd43dbe

SHA256
05fcb2536a6e5320ed1bbbb5f1311318ad0ae30a964d73cc176903d9da29d11c

SHA512
fbd15033ef0b016ef827502cd60d0b2210f1249f0c7f523175ecfd8f00ddbeea2fbcde09e5f7ea51224c0c1d14046bb7e2700dd23a1e9035d9b28f611f066f58

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
192KB

MD5
f41a1b1fb3238fb07bd0f396e4613b6b

SHA1
59984adbe71997e23940d562807bce3dd4c5b618

SHA256
1d6ab69517e3f3624c6149a6faabaad0ae98feb5bb6d4f70bc39092a2c29178a

SHA512
a0d8e9ad96b5a4de85b66f6864a7d393abb6aba10bac6726d35fdc2b3c24f67b1bad7f0faa36e3b8c4f8e7135807d5c9fc661b129dc8d88bc9cf28a378df9f05

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
192KB

MD5
00ef4a1103813caf8f0d294a2e23034a

SHA1
feba42479781a8c2e47b62273b22c347096c69bb

SHA256
5c2ac5a54ff1cd4153cb2b0460156b390e2b2c673bee50240f5c472e3c6517f1

SHA512
ece799d6f177601ae2de45f0544ecb21d0a153e86aec8aa13f80bef659907f1fe941c43993d78b6d51977dbefc811767851bb20096e4790f61e90de0edf1b4bd

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
192KB

MD5
3286c39692341c732eed92dbb3898a76

SHA1
043d32e83afdd151a512d4f760be3459442f5a54

SHA256
f8790cb3f8394abce1916a60cc3190062d5506b4286250c670b9101251a6480e

SHA512
cdc558a80cefc356c79c651c8e0f968b493a76caec3da26bc8216802adc4d0abbd2d588510783fcf9b64d33d143166774bf8ee3dc2f39970be5404b3ea449730

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
192KB

MD5
b740e45ba008ce4775acfed87c2f5835

SHA1
cf5314decdef0208248c5942194de969f02678c0

SHA256
8ec143c2c4f16754d60dcc399678fb8daa8b30f910cdd7882517caefa1d3c964

SHA512
0281b5394811deaac33672d01b711a8430f6eb9a532bd01ee9512f44eb437ad6fa8eff363d05cdbfd560ea5453e86e260ee959b77cd1375a4aa979d31c54c1b0

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
192KB

MD5
20bb24933a5003e0f041ddf379b276e7

SHA1
bb0f32407c7aa3144e5374be2b4233a1f4b0be9b

SHA256
0f6d0cca747d430bcb5a972f0a18ef4afc5c211a2b4b549a21ba44b00757330b

SHA512
b434e8431c97326a243f8326673ba21c94fda639369d68d2c96e8cac97e3d07a18bf9a266ed7c8afb65adf99f3d40014c208531f2d1a63863d85ba8983c5ca01

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
192KB

MD5
eefe0f160ef39a3d71ba93a853ef5af2

SHA1
ddd5021f5d56e87cd5821bcc4bff310951d408ae

SHA256
b8db7d8c6871cb95acc3922946052e2e8f93e5e895e1543eddf51113667f9629

SHA512
ebec7f3df0601ace35c8f593e48c3d83525efa40ba788f69f870ae29b203b4882c375c6a7588fb89cbc3e498f1af06b1ec3000251cb788e649df584cd6391b6a

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
192KB

MD5
62f94db63e66f705293e35d2122eecfa

SHA1
8320151b20993c862162ecd5fa2ba4f5cf714597

SHA256
976225323e385bf0381ff970f5b5d28a6265cdedddae51097b5bcb95f37b24b0

SHA512
efd4345ba8b723a489f01f8e4845bbff397f27a286a7c170b07419c82df5a925b2a788e6f262224986444f190afc7406ed10eeec52b686c4b0a5c1233607fce8

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
192KB

MD5
65fcc0dfcc647471e1cfe367fcf577a2

SHA1
29ed7db1ca3b60931310b1259b2cc2bbb73a3d50

SHA256
6edf0e5d2caedec67070f800f80af938c3dab0e92baebacdf84928f5eff35030

SHA512
5f176d8886d78e1dbc6486b640528914424c77b83f2a3cccda03f873fc3d9b5d3fb1cd7c589698215086073ac43ebbd0a9645fe8d9937c41d63beee5843eba67

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
192KB

MD5
afeda9c8711be30bbc66b66383b48f57

SHA1
9bc6dee8a441063e63ec8261f25746b50e95a117

SHA256
02927b7e5f83096ee514fba17d414f5f954c8770fcb9e088feb22da40a4dc98b

SHA512
dedd0a9c5f5f6f40c2abdb3ec2e75573140ff58888041c01cca889070db3f033c2e5f3dfcc8409cd417b2a86b5ea968466955c7661c67642cd178fee1c57fd53

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
192KB

MD5
373c47d2821243676eda72631a51f97e

SHA1
5fa2949697b531abba934011ca7c7c3c5a0bb9f3

SHA256
8c5033634fd219c74aa639903093f651dcb6240e23f0251997a76a13d1a6d5a0

SHA512
6eed5741cdcf79e413a45c35e42e3952caa40041e332dfb0df7c25e9466bcc83edc6425e95516a279ec589ce37589e83278351e8d030224dc2009e39a250b4bd

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
192KB

MD5
ead02ff9554a5cef5467a71161be59e9

SHA1
279f3d0e77ac26f1d91a7ef50deb968e5fbbed55

SHA256
d336d8a8687705ba40eaa4ac1fcb2138fb0e8ab87584e4a9660ef6b511409ae8

SHA512
58b21e9060b092a3175495f15e23c0a902386f5acc3441c7c8e428500e573b1c90b8b5015d24680519b25af67d17dbc6ee12e6f379abfc68019715e47f2ba3e6

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
192KB

MD5
6b4414b356250f4feebf8b07bda6328d

SHA1
914867ede3638d3b01cd835bb63238e372444da2

SHA256
38045dc1434f77479a8314494f9d841649ead198ca34c61e3f295d6693fbc5d8

SHA512
817e08ba32f735f7a0cc15baea0f2f2b107f2171504cebb1f21d944ecaa8457eb9ab13d91259a396632975213f9bb8e0fa3af4a67c6b54582cdf005c5f306448

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
192KB

MD5
18c644805e1de3d3d73aadb319ecdcf2

SHA1
524cad7e6a2672d89cb0afb7e7441393b5d1798a

SHA256
f1308683f95acc4ddb682230116a47fa51723b9b6f66c71107d6e24189f516bc

SHA512
6f0c0241ea9d3616d91e0edc97423150923639bdfb55d368c793176e79cb5da54290d1d9c8c224328fdbb74d2146a8ad073a80c85f04a640e2e6949f6b1a8667

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
192KB

MD5
15ea1196a0ff85b63eeab55b727a1ea4

SHA1
c6bf630599f15fe9de5650af0632ce3ffb79fffc

SHA256
f8c36af2ecb276177aa5a05802db5c64ae63d48b6ef6b603cced69dfe149f618

SHA512
04cc39ee162a05d976b26663728464356aa2e00a553787d1f6c8ac9ca659e805686122f93eb12b1cebeab16f528553dc09e66a94a17c106055a6fa5842e77ad9

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
192KB

MD5
5fa97c77b81e52ea5cca4505058ddc05

SHA1
48784ffca4d49c636b75a229b4ba0b2e7ed03411

SHA256
fcd7841d031abe19d184e20e4f4ae09ea03d228f6fba355b91824f7d2939bf6d

SHA512
e2833556cd8de3eaed166a6886470460bb5c0d6ec53dbe2b8e8a69ecf8f6128cbc4726fc31a3b767eee5a87cf65922de6304de14219377759991ec793eb3a354

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
192KB

MD5
6a0f70d0fb54001438c2df4814f60bfb

SHA1
ef4d68a6573d26c71414d753b949a833ea24e03d

SHA256
466b5989a326cfb8614463e4c604028e2af0a2039da087c43c41b9b662729a7b

SHA512
921da4983ffaefc5bfc4185e02c18586686cca65fee117c81ba06e0942df212866e25c735f1204c7944a93c6ac70e2d0259fd976997398b88a8927940738837b

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
192KB

MD5
bcf014c7140f474c49962f82a918418e

SHA1
dd77e34b6cc65f613e966fe09c2640cdfe6d4e87

SHA256
93529240b3c33a8d0fd4ef6d3eb4af7dc63ce0064e781a507cf6ef9c3b59b711

SHA512
2153ca753186e4d592932482242ba79ded299d1a7b4463e9e151ef2fdae7df215476281fc120c3fdcde15eef331f130d10000b694f0471f3574bc9b12ef3d980

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
192KB

MD5
4b12401a6d7f2b6110f83f605d5c654d

SHA1
d08f521bcb00a1d042610c11d75ecad6c1274b6e

SHA256
2d9d963f8953ce03c5ee319b02fbece68fd9ef025890684a23a04abcd5bbacf9

SHA512
63538d8bc7def68f14ca66768bbcb1d82c4383b7092e166755b9378f98f6ab4e9139077277fa963a2c1f1fe41d06c79013c63251c9a29e39c159fc701fc63d35

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
192KB

MD5
438454895e230075cfcd2875a9de76c5

SHA1
7ae9d363dfcde2daa38d409f3cbe86472fc22a26

SHA256
0097d8d2222f279e93c80eaf3b269da08e195f84e5cb9dc4ace72d4a0af219d1

SHA512
c4531501eabfbe18cc7caa0cea68ed4bb3378cf135383d4c24180f5c78b7d05697300d59665a500f4655fd05bb3b952936eb4588e77e7b2bb9d2266d099aba45

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
192KB

MD5
a5152be5c42589b062ebc718df083b8f

SHA1
fca03911323bde56453ca1e8cf0a7363811ac925

SHA256
2c4a56331818a63b1cfa84c71dd651cdaa19685b80ade931cb10a6f23eec0bd7

SHA512
d72512869d3fa41bf8a1254b20ab08bd7cab264c5bfd565879dcc19ebe25a50039f2dd7b1d42c2a9143e1b40f9f88dd95c150ee44fd6a5666a2dabce9291d950

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
192KB

MD5
7e5cc4ae74945ce58ae92f9bf0838326

SHA1
a9c300127a4f40559d02b44ccbb66a18f13348f1

SHA256
616b0da022d73ced8c64bdd8a2de5f38eb9714cb26d3b26ee8f0c98f3fe8f7f7

SHA512
d6def5f763261796a05ad0e4b942ce309517b359071a318b8175a75d8d5f478659f590283b6ed3cdbc7fbec292aa6b06ff67f5c550810db98066b874a7a353ea

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
192KB

MD5
60f4c4a89551976f2a9709498b106e4c

SHA1
89bc48c12dabfc699aaa2ea25125910bbddb9902

SHA256
18f50e49af104c14e13fff931e1848d58edc510c6965a48d4775d42263875d03

SHA512
4f2ead3a8e9f9037166b2887c1bdc5f01088c08b42360e6dc8ce39d98ecc7e5f20b5d7854e2d107b2994ad3cd5a08c949f2e56eb99f227ade608fda06145d018

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
192KB

MD5
391d89b4ae2bf035eb4fdffb149e4189

SHA1
fdea4e24c755d7554dcb40ae15a65741e2d61bbf

SHA256
8f9e2c8184e13ae604b890a2f836d209c769daf5b5524922bef1230b40bb0079

SHA512
e77c409b46e4e695450612ac7a4f4a3fbff8d813226650429b54d8a93f12f017801cdcdfec6b9c7f399f595f3223539602be00effe1f81b0ac6a37443ce99bf2

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
192KB

MD5
fc9a6e3fa19c1e930a70f81a0b085d19

SHA1
220c4f8e6139cb3845b8046af2e25df0b246d013

SHA256
a213cb38d33bde942f77ccdf449e2d2a76e8e481be2a255009b1e706e23d9cfb

SHA512
4e8406dfacabed5b42b1788656ec7aa5e7db9f785aadaa663355f2874c36b776dd3e0d30a286d767867b50dd5f5c5d1fbe1124e418b20f5ce6a1dca2ec8ae736

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
192KB

MD5
6dc481a12251797e9144c763097ee469

SHA1
b1a101416519770cc29e5e1d363b15ca8ea6b0eb

SHA256
0e65b1de849b8b629d56ab6d33e06a8f3fb21f570a2abcd48d05019afcbde5cf

SHA512
2d789ef527aefa214a005e958b6208c788bbf90c9d3c5278931648060efa391cde0e957460072a3d64db38eaa8a8853375b0141c61301bfd5766a726964f7cbe

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
192KB

MD5
b36d4eecff31de17369c9dc3b273a434

SHA1
f32e5fcce1cadb9f72a07bc3395887378b6a6331

SHA256
8a714195ccd2de14eb2d0b8d6607ad2826979a530a5a2b5bb27b227e6653db9f

SHA512
530d06d733e29b9c76da7e55355b552d365da246f053ba02aa7d672687254a64238a25798bdf2d01e8a6d7f9ce6ece9a6857965ba17aca6053853ed3e56cb805

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
128KB

MD5
89a3abbf70c9b149ae5c0ae7ec884c83

SHA1
29d49dd1c63ef3cb48a768b9784d72c3e65c1c62

SHA256
ee89ce846ac8d866abe824bc47e56edba7a5ea726f666c1cf16d125822138744

SHA512
ce24477beea2a390472486c0be5b15f65bdaba38f812bb67f5dad2b11d8a95812e4dfe6d9a7c28f33868b1b2a87e7ca71d27e60dd57897d20381a197fa3faaf1

Download Submit
memory/392-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads