009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Size

256KB
MD5

d156b0bdd1558f6983d432ac7e6388b4
SHA1

374b12e9b11bde51cd1ae533b394cfdeba844ccd
SHA256

009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e
SHA512

c0572d59caf2245846f5f83b22652592adbda9efd52071eebec6c8fdb5cf71cb9255cba97e6cb60f8c778c515934c3b012053121573563863ac49b7c17346339
SSDEEP

3072:20SzxfkcOGviI2VceK3KcWmjRrzqzWspSnocyA5qKcWmjRrzeceKSAxpce7fuFfl:2rMcOGvi3HVpaopOpHVILifyeYVDcfR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkmcfhkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkmcfhkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocflgga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdehon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdehon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe

UPX dump on OEP (original entry point) 18 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012248-5.dat	UPX
behavioral1/files/0x0029000000016d62-19.dat	UPX
behavioral1/files/0x0007000000017554-28.dat	UPX
behavioral1/files/0x0006000000018687-51.dat	UPX
behavioral1/files/0x0005000000019387-58.dat	UPX
behavioral1/files/0x0005000000019423-77.dat	UPX
behavioral1/files/0x000500000001943f-85.dat	UPX
behavioral1/files/0x000500000001946e-98.dat	UPX
behavioral1/files/0x0005000000019489-111.dat	UPX
behavioral1/files/0x0005000000019494-126.dat	UPX
behavioral1/files/0x0005000000019509-137.dat	UPX
behavioral1/files/0x00050000000195a1-153.dat	UPX
behavioral1/files/0x00050000000195a4-163.dat	UPX
behavioral1/files/0x00050000000195a7-177.dat	UPX
behavioral1/files/0x00050000000195ab-190.dat	UPX
behavioral1/files/0x00050000000195af-204.dat	UPX
behavioral1/files/0x00050000000195b3-220.dat	UPX
behavioral1/files/0x00050000000195b7-230.dat	UPX

Executes dropped EXE 18 IoCs

pid	Process
2880	Jocflgga.exe
2628	Jkmcfhkc.exe
2896	Jdehon32.exe
2980	Jnmlhchd.exe
2592	Jqnejn32.exe
2488	Kjifhc32.exe
1828	Kiqpop32.exe
680	Kegqdqbl.exe
2876	Lclnemgd.exe
1964	Lgmcqkkh.exe
2176	Liplnc32.exe
2768	Mpmapm32.exe
2772	Mhhfdo32.exe
1020	Modkfi32.exe
1356	Mdcpdp32.exe
2384	Ngdifkpi.exe
1344	Ngibaj32.exe
616	Nlhgoqhh.exe

Loads dropped DLL 36 IoCs

pid	Process
2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
2880	Jocflgga.exe
2880	Jocflgga.exe
2628	Jkmcfhkc.exe
2628	Jkmcfhkc.exe
2896	Jdehon32.exe
2896	Jdehon32.exe
2980	Jnmlhchd.exe
2980	Jnmlhchd.exe
2592	Jqnejn32.exe
2592	Jqnejn32.exe
2488	Kjifhc32.exe
2488	Kjifhc32.exe
1828	Kiqpop32.exe
1828	Kiqpop32.exe
680	Kegqdqbl.exe
680	Kegqdqbl.exe
2876	Lclnemgd.exe
2876	Lclnemgd.exe
1964	Lgmcqkkh.exe
1964	Lgmcqkkh.exe
2176	Liplnc32.exe
2176	Liplnc32.exe
2768	Mpmapm32.exe
2768	Mpmapm32.exe
2772	Mhhfdo32.exe
2772	Mhhfdo32.exe
1020	Modkfi32.exe
1020	Modkfi32.exe
1356	Mdcpdp32.exe
1356	Mdcpdp32.exe
2384	Ngdifkpi.exe
2384	Ngdifkpi.exe
1344	Ngibaj32.exe
1344	Ngibaj32.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ihlfca32.dll	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Lclnemgd.exe	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Fdilgioe.dll	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Kjifhc32.exe	Jqnejn32.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Kjifhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kjifhc32.exe	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Jnmlhchd.exe	Jdehon32.exe
File created	C:\Windows\SysWOW64\Kegqdqbl.exe	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Kegqdqbl.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Jocflgga.exe	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Iddnkn32.dll	Jkmcfhkc.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Jkmcfhkc.exe	Jocflgga.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Pghhkllb.dll	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Mhhfdo32.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Mhhfdo32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Jocflgga.exe	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
File created	C:\Windows\SysWOW64\Lgmcqkkh.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Jkmcfhkc.exe	Jocflgga.exe
File opened for modification	C:\Windows\SysWOW64\Jnmlhchd.exe	Jdehon32.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Jqnejn32.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Akbipbbd.dll	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Jdehon32.exe	Jkmcfhkc.exe
File opened for modification	C:\Windows\SysWOW64\Jqnejn32.exe	Jnmlhchd.exe
File opened for modification	C:\Windows\SysWOW64\Liplnc32.exe	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Cogbjdmj.dll	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Jpfdhnai.dll	Jocflgga.exe
File created	C:\Windows\SysWOW64\Fpcqjacl.dll	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Liplnc32.exe	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Mcblodlj.dll	Jdehon32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmcqkkh.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdehon32.exe	Jkmcfhkc.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdehon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll"	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkmcfhkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghhkllb.dll"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdehon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll"	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocflgga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkmcfhkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddnkn32.dll"	Jkmcfhkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfdhnai.dll"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcblodlj.dll"	Jdehon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll"	Jnmlhchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2880	2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe	28
PID 2352 wrote to memory of 2880	2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe	28
PID 2352 wrote to memory of 2880	2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe	28
PID 2352 wrote to memory of 2880	2352	009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe	28
PID 2880 wrote to memory of 2628	2880	Jocflgga.exe	29
PID 2880 wrote to memory of 2628	2880	Jocflgga.exe	29
PID 2880 wrote to memory of 2628	2880	Jocflgga.exe	29
PID 2880 wrote to memory of 2628	2880	Jocflgga.exe	29
PID 2628 wrote to memory of 2896	2628	Jkmcfhkc.exe	30
PID 2628 wrote to memory of 2896	2628	Jkmcfhkc.exe	30
PID 2628 wrote to memory of 2896	2628	Jkmcfhkc.exe	30
PID 2628 wrote to memory of 2896	2628	Jkmcfhkc.exe	30
PID 2896 wrote to memory of 2980	2896	Jdehon32.exe	31
PID 2896 wrote to memory of 2980	2896	Jdehon32.exe	31
PID 2896 wrote to memory of 2980	2896	Jdehon32.exe	31
PID 2896 wrote to memory of 2980	2896	Jdehon32.exe	31
PID 2980 wrote to memory of 2592	2980	Jnmlhchd.exe	32
PID 2980 wrote to memory of 2592	2980	Jnmlhchd.exe	32
PID 2980 wrote to memory of 2592	2980	Jnmlhchd.exe	32
PID 2980 wrote to memory of 2592	2980	Jnmlhchd.exe	32
PID 2592 wrote to memory of 2488	2592	Jqnejn32.exe	33
PID 2592 wrote to memory of 2488	2592	Jqnejn32.exe	33
PID 2592 wrote to memory of 2488	2592	Jqnejn32.exe	33
PID 2592 wrote to memory of 2488	2592	Jqnejn32.exe	33
PID 2488 wrote to memory of 1828	2488	Kjifhc32.exe	34
PID 2488 wrote to memory of 1828	2488	Kjifhc32.exe	34
PID 2488 wrote to memory of 1828	2488	Kjifhc32.exe	34
PID 2488 wrote to memory of 1828	2488	Kjifhc32.exe	34
PID 1828 wrote to memory of 680	1828	Kiqpop32.exe	35
PID 1828 wrote to memory of 680	1828	Kiqpop32.exe	35
PID 1828 wrote to memory of 680	1828	Kiqpop32.exe	35
PID 1828 wrote to memory of 680	1828	Kiqpop32.exe	35
PID 680 wrote to memory of 2876	680	Kegqdqbl.exe	36
PID 680 wrote to memory of 2876	680	Kegqdqbl.exe	36
PID 680 wrote to memory of 2876	680	Kegqdqbl.exe	36
PID 680 wrote to memory of 2876	680	Kegqdqbl.exe	36
PID 2876 wrote to memory of 1964	2876	Lclnemgd.exe	37
PID 2876 wrote to memory of 1964	2876	Lclnemgd.exe	37
PID 2876 wrote to memory of 1964	2876	Lclnemgd.exe	37
PID 2876 wrote to memory of 1964	2876	Lclnemgd.exe	37
PID 1964 wrote to memory of 2176	1964	Lgmcqkkh.exe	38
PID 1964 wrote to memory of 2176	1964	Lgmcqkkh.exe	38
PID 1964 wrote to memory of 2176	1964	Lgmcqkkh.exe	38
PID 1964 wrote to memory of 2176	1964	Lgmcqkkh.exe	38
PID 2176 wrote to memory of 2768	2176	Liplnc32.exe	39
PID 2176 wrote to memory of 2768	2176	Liplnc32.exe	39
PID 2176 wrote to memory of 2768	2176	Liplnc32.exe	39
PID 2176 wrote to memory of 2768	2176	Liplnc32.exe	39
PID 2768 wrote to memory of 2772	2768	Mpmapm32.exe	40
PID 2768 wrote to memory of 2772	2768	Mpmapm32.exe	40
PID 2768 wrote to memory of 2772	2768	Mpmapm32.exe	40
PID 2768 wrote to memory of 2772	2768	Mpmapm32.exe	40
PID 2772 wrote to memory of 1020	2772	Mhhfdo32.exe	41
PID 2772 wrote to memory of 1020	2772	Mhhfdo32.exe	41
PID 2772 wrote to memory of 1020	2772	Mhhfdo32.exe	41
PID 2772 wrote to memory of 1020	2772	Mhhfdo32.exe	41
PID 1020 wrote to memory of 1356	1020	Modkfi32.exe	42
PID 1020 wrote to memory of 1356	1020	Modkfi32.exe	42
PID 1020 wrote to memory of 1356	1020	Modkfi32.exe	42
PID 1020 wrote to memory of 1356	1020	Modkfi32.exe	42
PID 1356 wrote to memory of 2384	1356	Mdcpdp32.exe	43
PID 1356 wrote to memory of 2384	1356	Mdcpdp32.exe	43
PID 1356 wrote to memory of 2384	1356	Mdcpdp32.exe	43
PID 1356 wrote to memory of 2384	1356	Mdcpdp32.exe	43

C:\Users\Admin\AppData\Local\Temp\009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
"C:\Users\Admin\AppData\Local\Temp\009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\Jocflgga.exe
  C:\Windows\system32\Jocflgga.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Jkmcfhkc.exe
    C:\Windows\system32\Jkmcfhkc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Jdehon32.exe
      C:\Windows\system32\Jdehon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Jnmlhchd.exe
        
        C:\Windows\system32\Jnmlhchd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\Jqnejn32.exe
        
        C:\Windows\system32\Jqnejn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kjifhc32.exe
        
        C:\Windows\system32\Kjifhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Kegqdqbl.exe
        
        C:\Windows\system32\Kegqdqbl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        19⤵
        Executes dropped EXE
        
        PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdehon32.exe

Filesize
256KB

MD5
bc52fbb03750f69763d0c92a69e1555d

SHA1
67da8db3b140f7b15813a1ee9cd8622eb24de3e8

SHA256
2da4726651e06a5a1dcec5fd746d7d0c50fdd9c6a9dcd41f538bcbd280460d4c

SHA512
672219df3e38b4331b8a4b7753ba09ab705245b511dd80799e9a241fcb34dea6da25c216576f9508492e5073690aec58774ab54ac3bdcb171842f4c0b39c0240

Download Submit
C:\Windows\SysWOW64\Jnmlhchd.exe

Filesize
256KB

MD5
eb84c250654064c42468525d0831bc78

SHA1
514aa552c9151357dc85e0d11d90bc14be357baf

SHA256
bc589c2383221d6ce1ef1e6d9dd8b2bd5859a6e65e4866d17943cb4e2c31ddec

SHA512
0f36c9dc3896828c95af354d57515ccc469f4a740da53d6de87e082ee0227353aca4d76695d8ec545aa90c49252860529d13f2373f7ecfdfdc5067140f5e70a3

Download Submit
C:\Windows\SysWOW64\Kjifhc32.exe

Filesize
256KB

MD5
c1f4de4bb1b2496c75b1ea574b873592

SHA1
6f12659266bd18b013c162899966e9ce4ab4eceb

SHA256
1e4b781a6b9890a2c442a68005360f56c65bf8173f9aeb2ca25c8198c3296b5b

SHA512
31c200e7bd74b273174f7045f92729168dc8a35e480a59148c0ac158cca4590886ab1503815aa319199c00ba00bce8a30ed4662c6ac5a21794dc9db91bdd2723

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
256KB

MD5
00aa534564f69f99f4fd1696643a4967

SHA1
ac4b732f7c1f028d877675efa26ec07b203e7594

SHA256
f9de8c8563906a84c89c280534c63869a815fa299120479355dcb2d983c9256a

SHA512
208c045987d37c3b6cbaca4880e1f3741d7f77fa35b051247a0b07b7aed3c7549225557214d63589f92392dabf715b5272c1508020ce03b162dd6b326aa3788b

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
256KB

MD5
7a2fd97c8c59fa473ef02230110ac4ed

SHA1
1b8395e6bbd87983263f2f482cc5976e29400eff

SHA256
6dae4946ce1cd5920422ef5a476bd09fe4ebd9ef31a4bd5e29d48f700e5efe9f

SHA512
50b7b230748e1120101288e303a02e7cc0646b289e5d742d0ee428035af062498c287172fa0dc737eb2c45c15dfbd4f95d7c2bb1ae26ca9f4ff8fe9e7588764b

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
256KB

MD5
4c949526c0bbc8a84fb08bf97b686a8e

SHA1
f1e0a3fb4510eaa25de507b257ef437c936f007a

SHA256
e0aefc312f0cece7294a867fd251851ddd87342c6be53d9213362fef20afe537

SHA512
1fd8f9c9517702e5328fc4800e8e31c2eb8d3d69cd8e079f847820deda336038dd098e127c680b7e8ff3420973277f2314e0fddbe20b50865b221e77893116df

Download Submit
\Windows\SysWOW64\Jkmcfhkc.exe

Filesize
256KB

MD5
fc5779c7ca2f18f13e964d0e5c692a68

SHA1
1682c91d45c7a75c0fc72486bd104c0f6797981e

SHA256
19df179fc97b73ce70eb0f28a1c04f3ea1d19c4107df173e8b01f9cbeab929d3

SHA512
734308c25fd3b5b11239ac988b14d19f2b22b32fc7d6d983e7858fdb242b10b01c28771c3ab8b78b98fb4cd61de992f5b03479b2fe7ff53c32b16c549b5ac51a

Download Submit
\Windows\SysWOW64\Jocflgga.exe

Filesize
256KB

MD5
051cae7b6d5b176ec0e4344cd9d0cf63

SHA1
4f3a612d6b403046100bdbf743a09c085d95f011

SHA256
2ddff0e791504e740cea9c55b681c5a99c8f98ae57e5c19663fdfaf996397cfb

SHA512
6ef5ef86d97e474543a10b20e8c2131d3e2c9cd2b2622d0bf693bee7bb3464f14570532191029ee92c64102bb87b808781f4063df16bb3a9d6a5c44ef635dfcb

Download Submit
\Windows\SysWOW64\Jqnejn32.exe

Filesize
256KB

MD5
47888d25f30a538a1f3e1141125d7982

SHA1
92295d681cf4c064a630612388dd74a814e18b5b

SHA256
0c905e141c75167dcd68b6ff74c54b8b2961eb49eb24284fdbf17a6b7fa020d4

SHA512
7ec330a87a1a3816c66ff941f5caf43e367c4a9a8ec7fd2ae6695798e3654b93ba3e8f3f3f10240c48b2e8e84142c9c547eadba380fb2fb7182e57ba0d54dc2f

Download Submit
\Windows\SysWOW64\Kegqdqbl.exe

Filesize
256KB

MD5
e3da2e9f620b9d89f3721135e63fc1d9

SHA1
0da14b7a3507075687aae80fb25bdb44c7bc591b

SHA256
0232a89a4aecb04e339d3d36f4b7d5e74ae9831c99214cd6fd59c7c4754b8d25

SHA512
fb90cf4ea753230f08adc8abc9b6c7d7a479304a34aba41d4ae0f9a297ae20da3b5a911959ed72bd4a42ae0b2252233362138c446e5a29abf2e144582996bbf9

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
256KB

MD5
339ccf0b1c0207b1c55d77448e7bd1a8

SHA1
ac811bbbd034086d63d03a017f2c260166a240b0

SHA256
1b16b741dda955a8e01b1456202f711d7079764cda1bb2fcc3c19c4517791bee

SHA512
c5292f22f42b744d488dc69b3cb341cb16da5d95f9bb5a0f173ddec1676b21b9c075bae46c811d287fdfa452a2366fba16c6841f750f52933e0e019070850170

Download Submit
\Windows\SysWOW64\Lclnemgd.exe

Filesize
256KB

MD5
2d8d2143106d0be896a016a00d814a8c

SHA1
cfafcc979e5e441d0fe15c70f149df50fbf89a1f

SHA256
664da0140f4ea5b89581878b1aa59742c894d53a5b1dbd5e4b929d492a5c7800

SHA512
4597fa14d8255e575ed897a8907b9ad8e8e4218cf140f9433c58a829ab4e99b81515741c5767e159b6627dd2dc8c6860782e133fb47132830e588834e1475e89

Download Submit
\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
256KB

MD5
2e50c06a36c2b0a41f5cde4c32c46324

SHA1
f17e3a332ee758f01b575052d7b477e0d60404c5

SHA256
4efcddb872580b30c34b0c26d291b20ae3accf5da75018d933769d5ce1173f86

SHA512
73581aef8b2f2a5225036741830728685b707d7fd72dcbf64f9c312615c7836d3bbc16392b27742165ec3788464ccfe14f5b89de7576a735235e5ac93bedacb3

Download Submit
\Windows\SysWOW64\Liplnc32.exe

Filesize
256KB

MD5
ce87c360a80820bb5662f7176db692cc

SHA1
cd7a76cfa6a9373aca932a0b3acadf04d0377b4c

SHA256
079c7650a68195c6f3dc47c5e990ff2407d9c1126755b10bd83604753f69b581

SHA512
f86515dfe5ddd4f355d94db162b71382ad4256f178a233e116378429b1c59c4d78207a2e06f55c4282b0beeb1871bf8b21bb88e50c2efa0ce47bd7cf3c84d9cc

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
256KB

MD5
59c1f9040efe528823c2b2b719b2501a

SHA1
0dba65a536327ab1457608b983a21461f7c2534b

SHA256
a22ea28b5dcf349ca77a0e5bd68213f3d18ed9eac4e88efcef555e9c105d912c

SHA512
c4b8b47a33408a311093874e0723ffdf280ed2dc5bab112eca5e6eee62b6bd218f10e0893fd7747cba9a46e5aea403e57ac053fea8243caf41362b79d9770be2

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
256KB

MD5
2c764290d0a0c7bb215a12856b928ab2

SHA1
b1ffd5ea0dfcba79a6fac0b6ada16cd7d140829f

SHA256
fedeb3f67f85bbd758ecdd53b025cf767cb82022234b4542e58f4c8347ba4a61

SHA512
0526b8f8583c32147a8f0c88eb19e0ab8314da541a3ded06efab5ca7bb71daf612bd77e13797f1fdecab5e33269000c881923e03591e408e316a26a38cc3da84

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
256KB

MD5
155edfc30db9e916d23f0fb448ead5a9

SHA1
cc0a46330ad06a382d78bb28998c5234d5c09910

SHA256
b421a0a66abe38417ce4dbef67514968b4cc93e941ae6a1628f86111445d8d8f

SHA512
eeecac3ee41787804e72fa747423cb97280fb2bf6467d3b84abcc7be665e77ec2c9f8548769ae5c63e1b2c95a0163f04399a13606684f8985a6b4d5e9445e31b

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
256KB

MD5
4200d86a5fbd973ff247dde4cbe16e97

SHA1
4941704f419c969e6aeeb707a393beb7ba41fb56

SHA256
2dafd0378a0d0fc336117a6571f49b0cebadb465926d8c0a1e49916ea74c1c81

SHA512
c0876996b50d7734fd27a232625ca2797d0b22f508b46a2954a8cfa16c5f840db453b4f231c988cc5daa8a994c090643976d355a8f885fe1637248a0668a580d

Download Submit
memory/616-243-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-261-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-105-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1020-183-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1020-196-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/1020-202-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/1020-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1344-263-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1344-254-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1344-237-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1356-218-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1356-210-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1356-217-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1356-252-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1828-267-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1828-92-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1964-256-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2176-266-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2176-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2352-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2352-6-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/2352-269-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-228-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2384-227-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2384-251-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2488-258-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2592-272-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2592-84-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2628-265-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2628-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2768-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2768-162-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2772-264-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2772-182-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2772-189-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2876-271-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2876-118-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2876-130-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2880-268-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2880-26-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/2880-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2896-270-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-64-0x0000000001B80000-0x0000000001BD9000-memory.dmp

Filesize
356KB

Download
memory/2980-262-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-78-0x0000000001B80000-0x0000000001BD9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads