8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3

Analysis

max time kernel
134s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Size

361KB
MD5

e3a04e46b98d0c29511fa23c54b92791
SHA1

9878c638f03150be817af9d5c534ae1358d5f24b
SHA256

8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3
SHA512

331f2b6143fd63aa8b6181cc958e75e70b06d6a1b945a2ade8dc5624a0f86466502cf03476231cd9731f0249c766e8a6995de7447c143d6fdac78bdc411f7a85
SSDEEP

6144:G7sBf8sVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:G74fw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2332	Jfaloa32.exe
4416	Jiphkm32.exe
1264	Jmnaakne.exe
700	Jbkjjblm.exe
2064	Jpojcf32.exe
2308	Jdjfcecp.exe
1876	Jpaghf32.exe
2488	Jbocea32.exe
4804	Kpccnefa.exe
3944	Kbapjafe.exe
4976	Kilhgk32.exe
4352	Kgphpo32.exe
2588	Kkkdan32.exe
1428	Kknafn32.exe
1056	Kpjjod32.exe
2852	Kdffocib.exe
5044	Kdhbec32.exe
3608	Kckbqpnj.exe
3768	Lalcng32.exe
2932	Liggbi32.exe
4936	Laopdgcg.exe
2528	Lijdhiaa.exe
3052	Laalifad.exe
1912	Lgneampk.exe
3348	Laciofpa.exe
4508	Lcdegnep.exe
232	Lklnhlfb.exe
4564	Laefdf32.exe
3392	Lphfpbdi.exe
3704	Lddbqa32.exe
4504	Lgbnmm32.exe
3168	Lknjmkdo.exe
2540	Mjqjih32.exe
4932	Mnlfigcc.exe
1840	Mpkbebbf.exe
5084	Mpkbebbf.exe
3956	Mdfofakp.exe
780	Mciobn32.exe
4484	Mgekbljc.exe
1612	Mjcgohig.exe
704	Mnocof32.exe
2620	Majopeii.exe
4380	Mpmokb32.exe
2124	Mdiklqhm.exe
1732	Mgghhlhq.exe
1284	Mnapdf32.exe
1064	Mcnhmm32.exe
2148	Maohkd32.exe
3672	Mcpebmkb.exe
3356	Mjjmog32.exe
4344	Maaepd32.exe
4444	Mcbahlip.exe
1156	Mgnnhk32.exe
972	Ndbnboqb.exe
4604	Ngpjnkpf.exe
4616	Njogjfoj.exe
412	Nddkgonp.exe
1248	Ngcgcjnc.exe
4948	Nkncdifl.exe
4848	Nqklmpdd.exe
2092	Ncihikcg.exe
4892	Njcpee32.exe
2368	Nqmhbpba.exe
2356	Ncldnkae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	2964	WerFault.exe	151

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2332	4532	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe	84
PID 4532 wrote to memory of 2332	4532	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe	84
PID 4532 wrote to memory of 2332	4532	8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe	84
PID 2332 wrote to memory of 4416	2332	Jfaloa32.exe	85
PID 2332 wrote to memory of 4416	2332	Jfaloa32.exe	85
PID 2332 wrote to memory of 4416	2332	Jfaloa32.exe	85
PID 4416 wrote to memory of 1264	4416	Jiphkm32.exe	86
PID 4416 wrote to memory of 1264	4416	Jiphkm32.exe	86
PID 4416 wrote to memory of 1264	4416	Jiphkm32.exe	86
PID 1264 wrote to memory of 700	1264	Jmnaakne.exe	87
PID 1264 wrote to memory of 700	1264	Jmnaakne.exe	87
PID 1264 wrote to memory of 700	1264	Jmnaakne.exe	87
PID 700 wrote to memory of 2064	700	Jbkjjblm.exe	88
PID 700 wrote to memory of 2064	700	Jbkjjblm.exe	88
PID 700 wrote to memory of 2064	700	Jbkjjblm.exe	88
PID 2064 wrote to memory of 2308	2064	Jpojcf32.exe	89
PID 2064 wrote to memory of 2308	2064	Jpojcf32.exe	89
PID 2064 wrote to memory of 2308	2064	Jpojcf32.exe	89
PID 2308 wrote to memory of 1876	2308	Jdjfcecp.exe	90
PID 2308 wrote to memory of 1876	2308	Jdjfcecp.exe	90
PID 2308 wrote to memory of 1876	2308	Jdjfcecp.exe	90
PID 1876 wrote to memory of 2488	1876	Jpaghf32.exe	91
PID 1876 wrote to memory of 2488	1876	Jpaghf32.exe	91
PID 1876 wrote to memory of 2488	1876	Jpaghf32.exe	91
PID 2488 wrote to memory of 4804	2488	Jbocea32.exe	93
PID 2488 wrote to memory of 4804	2488	Jbocea32.exe	93
PID 2488 wrote to memory of 4804	2488	Jbocea32.exe	93
PID 4804 wrote to memory of 3944	4804	Kpccnefa.exe	94
PID 4804 wrote to memory of 3944	4804	Kpccnefa.exe	94
PID 4804 wrote to memory of 3944	4804	Kpccnefa.exe	94
PID 3944 wrote to memory of 4976	3944	Kbapjafe.exe	95
PID 3944 wrote to memory of 4976	3944	Kbapjafe.exe	95
PID 3944 wrote to memory of 4976	3944	Kbapjafe.exe	95
PID 4976 wrote to memory of 4352	4976	Kilhgk32.exe	97
PID 4976 wrote to memory of 4352	4976	Kilhgk32.exe	97
PID 4976 wrote to memory of 4352	4976	Kilhgk32.exe	97
PID 4352 wrote to memory of 2588	4352	Kgphpo32.exe	98
PID 4352 wrote to memory of 2588	4352	Kgphpo32.exe	98
PID 4352 wrote to memory of 2588	4352	Kgphpo32.exe	98
PID 2588 wrote to memory of 1428	2588	Kkkdan32.exe	99
PID 2588 wrote to memory of 1428	2588	Kkkdan32.exe	99
PID 2588 wrote to memory of 1428	2588	Kkkdan32.exe	99
PID 1428 wrote to memory of 1056	1428	Kknafn32.exe	101
PID 1428 wrote to memory of 1056	1428	Kknafn32.exe	101
PID 1428 wrote to memory of 1056	1428	Kknafn32.exe	101
PID 1056 wrote to memory of 2852	1056	Kpjjod32.exe	102
PID 1056 wrote to memory of 2852	1056	Kpjjod32.exe	102
PID 1056 wrote to memory of 2852	1056	Kpjjod32.exe	102
PID 2852 wrote to memory of 5044	2852	Kdffocib.exe	103
PID 2852 wrote to memory of 5044	2852	Kdffocib.exe	103
PID 2852 wrote to memory of 5044	2852	Kdffocib.exe	103
PID 5044 wrote to memory of 3608	5044	Kdhbec32.exe	104
PID 5044 wrote to memory of 3608	5044	Kdhbec32.exe	104
PID 5044 wrote to memory of 3608	5044	Kdhbec32.exe	104
PID 3608 wrote to memory of 3768	3608	Kckbqpnj.exe	105
PID 3608 wrote to memory of 3768	3608	Kckbqpnj.exe	105
PID 3608 wrote to memory of 3768	3608	Kckbqpnj.exe	105
PID 3768 wrote to memory of 2932	3768	Lalcng32.exe	106
PID 3768 wrote to memory of 2932	3768	Lalcng32.exe	106
PID 3768 wrote to memory of 2932	3768	Lalcng32.exe	106
PID 2932 wrote to memory of 4936	2932	Liggbi32.exe	107
PID 2932 wrote to memory of 4936	2932	Liggbi32.exe	107
PID 2932 wrote to memory of 4936	2932	Liggbi32.exe	107
PID 4936 wrote to memory of 2528	4936	Laopdgcg.exe	108

C:\Users\Admin\AppData\Local\Temp\8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe
"C:\Users\Admin\AppData\Local\Temp\8664fd0f2b0082f6523e69c386a95a444e4d96b12b59d15891110d6beb16d2c3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\Jfaloa32.exe
  C:\Windows\system32\Jfaloa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Jiphkm32.exe
    C:\Windows\system32\Jiphkm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\Jmnaakne.exe
      C:\Windows\system32\Jmnaakne.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        62⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 400
        67⤵
        Program crash
        
        PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2964 -ip 2964
1⤵
PID:1016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
361KB

MD5
5fb1fffc7480bed1f3bc8190b2233031

SHA1
8b5d841c474274c91d0344e3b522df2277217e98

SHA256
a84ee4fad9fc2785f7fb03627e925459bd93862840edffc90ac8b88464856e63

SHA512
d3baf93aa7fd1eb4ff430202ecde0668905d4209dfe093aea81e853d4b1d873eba49c726dded890bf5007f0e78e4247199af61cf30cacdc7b727ff6312634f53

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
361KB

MD5
e7cfd977e6d91e7e90604d49884c6863

SHA1
a622f7922f6ded60dc4788443203800dd09e992e

SHA256
75b950172909bc2fe0acd8438c15f2ece94a5c53a5eb047d5db7dfff593cf898

SHA512
8c4697e8476c77f72832471bbbff38b81f5620bc799ecbe23dbd28b2b4e965b4e60c9ae66b162c54934ffd96b2ca13caba9094cc0d8a709cdd3184d9a43c3cd8

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
361KB

MD5
1176ef15a119efb90680475f4132ed15

SHA1
0c5915f9c9d6969942cd7d2d983e7ed2582f2972

SHA256
494cf1bad51b87a52790804439d7a23886c6b6d22eb85593c356a6e2ce20d44f

SHA512
fe271b08e84cc8ee5532d0ad6e34e01a91b4fc5573f390e37e2613fa24d684e3b5e848884909dd18042c3879497e672791ffbd3d4922c2e2b87ba8fa919dde09

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
361KB

MD5
d9743dd6c47e49e63aaf8748abc81f1e

SHA1
5d7daf2f17d7c1be2b30480edd24f07cce51c22e

SHA256
127548dad1afd12e409545ab44e8e93c12c024e887cf034c09939c3542ec14f1

SHA512
2849b1230027c541c7b19f0b830867e527c6ff3713d72fff746f1ed13daafe76b70c654bf1f64e38f6fd3f3ec1aaee41a023fa007d2094094c05fd6cd06b1bbf

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
361KB

MD5
d0b25eca8ea2a252778777e59399af2e

SHA1
053da3d78109be1f75dc86aef246643bfdf6ac39

SHA256
609daf9201da3ee4f136de87b1a66d69a4dca93e7439488ede965202d9974aee

SHA512
8359e78d5356c71e33b95d68a600af6d2d10be94d3d1ccec6dfa1c614d1fb45ee2b8c38f8493a11bb23056ceb8f5570e31302ee151b920b13d55e5d75adc8581

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
361KB

MD5
088e790094fbf6fd9bd29d6eb5ea8249

SHA1
7433efcc346697b0ce4ed07f293aa3aafda05817

SHA256
c132c227cfe723dc92883bef165ee660d7d4ae08fd43504e6fdb2a70e79f0b15

SHA512
2e77e35734303109bccd74e8f529ac2189552a063990867f320e0cae20dad2f5b998b24e23243510ae26232a7039b2eb6f0adb768abf952e9ac158400be360e9

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
361KB

MD5
839cdefe33d7b51364aa54d176a7d624

SHA1
f8f91ecee1e7bac0ac0d6b39d02f449a17044201

SHA256
298544d8166344d73b1e6cc7ee5ef280202081259fcf668e3858839d57652ea2

SHA512
26a00df0aa76d3edd11b8454b4933566c9d8b21b6a811629b4f110cba1670d29319a6bbef4ca6d7b63ffe1ba6e5e005c1f2381c2a107cce3d2f646dace2a87c9

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
361KB

MD5
c6c1275386c38076b247fac4904dd558

SHA1
d36d7f7a4c1fd149c37ba79545f618edb4ffa80c

SHA256
ddd9518ef0aa565c59721c38ae34b2fc58fe246c59c65754eac910eff34d3c16

SHA512
7f4d549c246639aaefeb2e7400d05c558f3b9400dc87e7d158b0c5fd384729aeb459c65ee143fabcdd2953aee2b913e604f812ed0eb9fb70789be0e2843d10fb

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
361KB

MD5
038119095c7274cb79213c7ee03c3c76

SHA1
538f75a8290c75889f78ea512f2c7509c1596e8c

SHA256
180a3a9ff0c5449da341d7349d8ee1e3b75b36218a10ebf629fbff74fa7120a7

SHA512
609ac1204bde6db2add6fe14b524cf4a6bb2acbc26aff7ca8e3f23e59a6acb4264a2fe013bbd8933df5a61b95ecec7b6518bee5039876b8a1601689faee80dfc

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
361KB

MD5
259a95cd220bbc17ec5b6e61cd853195

SHA1
27871aff11ed87f40aa8cca5a7277ba98512c73a

SHA256
939125003713ea8d62ff788d5cb92d2478375365e060186b54116ef9df3b7f0b

SHA512
11a8cc4e4af8c8de6870e725f6f9cf979149a5b542f597b1d754615adacab267f58614a1c8114111d39ead4d7ee1cc8411d5328ed774959d9e9f526ed0afad77

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
361KB

MD5
567527aae605009064ca73b3bf5ac2f5

SHA1
383c74a853dc430f5835f4e856a5421049a307e8

SHA256
c2b884fd2e557ca79c210c67522dd8cee905fcd016671098fc8cd83d66ba8967

SHA512
c1a4ffbc64e6a49bbc61936e8fb8719fd693278242d0edf479c8529e51580e18a93a324b92a0c1db63eeb3261c4d5df50385bc5b1fdc230574c7ac646d19a46b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
361KB

MD5
90d9569bf9369329ca1de47aa39e11e0

SHA1
07ff9035beac28422f0c467bb4e5bef03243e5e2

SHA256
1f051f973a9a015f9b66572ad31cc8cc3b9546a5fc0f997e70149e00ec59aaec

SHA512
4e1a960d3446213640f6cf4df6c0db1d3821062562d349819b352a4a085ce65f57e93414fc34abe64c1260726a0b16432c6875b4be0952dfb4f37ed0e798fc92

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
361KB

MD5
1675e37efb156b6a9a660198f46d3907

SHA1
f49c008b36d3508a45b67fb6fd76df9a8f6790c9

SHA256
e6752171156c6b4b503556a807c96869b221b3a5414467a73edf3060663b7d77

SHA512
acf7e74a83540e83ab9fc5ae7584909a98ddaa451e077ad17953e5facc90580d66ff24c0b81a792d43eb1ce3a1d34ae9e78ccac8bb2e783a1b735bdee05389f3

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
361KB

MD5
7986f97a6804de9c389135fee0ebff01

SHA1
9061fc24b58c6786553aac1902863f140543d384

SHA256
427df960f4adf78fa0c63f71f2be2f481878789167937a7e71100e8368aceb78

SHA512
7cc080d78554f2c4331be1fc15dcc10d4d5387c98ab961be83f04d39b9a5ec21aec9bde23fdcc55f0b6e9743ae53601f760628832e1cd8be8e6975358c870746

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
361KB

MD5
0ceebad621d4de7168ac1d4dcc1c3ce8

SHA1
8d4a7a2be0327b92d2f13f2d6ea2dfcac9c44b33

SHA256
0715b53f21f0d47355e09d8a263b07a9f53229c1517b341d11d7080e366809db

SHA512
906b810e8362551b6cd61e7ab8388e580ea559409e87716ecb8c50ecb1d1c1c22ab19a81a1c559e8ea7fc48242333245b97eb8f43c7c24d351ef749f328393a8

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
361KB

MD5
866bed1579fb53aa0468243b72e5a48b

SHA1
1ec09aa5a0c294d708f74c692d12d873bb97c14e

SHA256
2823bbaac5f9efaffabf65423a2bf14c0156ea7018df9ef557091117b3b3530c

SHA512
773ebdc4a23fc709728b2a73731f80662824e2fb6994d15a0efdc83e71dd7e7fef34e7b5783d387aecc2cc3236a95efaae625e7b11d08e725a544a4e5b3211ff

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
361KB

MD5
d1163b61b9212453f4a014dd4f4b8aa8

SHA1
d03f2d374e501ccdb3bb75872f5c53951580cf02

SHA256
db932b649337632ad485520f7da7d508fff27db00a7e0b8577e2ce9c77c7f6b9

SHA512
77f363e2b50df8fcc1581706e5b9e0df543d933c35981a1db01720e0fa5c66d7c4e115569fff55553b69c6974ea9c97a184949eb63551b567277be6a9efcc826

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
361KB

MD5
5477abed4e8d41475349d1c743909716

SHA1
11c5694ec0058cb5d8e1d2db9a905091c99288dc

SHA256
7d104444e8e7170029bca330cf9d8888c3c89d4bc9a910a44bd427e54e16b558

SHA512
1b53ad64a4fd4c7ad196181e322123efdba48b09a2adc05fddc31365891f588840a0026dd39f09737a82d61bdc0e7e5e9f7b67b0d506652763fdfb06b20dc20d

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
361KB

MD5
5cb86c9e9dd9ef6b931874c82e6ec363

SHA1
9d99579e5494bd0306b15cbcebd763f1eb311462

SHA256
f0717d4eb3565c1a45bd1fba9e9fa6c95406a76d02fb382cce027a06101fa1e2

SHA512
144efbd19c3924c8c4102f07db595445d4239931a3a84775dfe819a70192873758e1c1fbdddfc5d34208cf9bc533eea251961cec13503734a3d68cfbdfcf020d

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
361KB

MD5
82d336dff3281aeea82d5f7dfb6b1d46

SHA1
18c1a993f6758c0e24ad2fd4991dc941adbed8f1

SHA256
3ae2dc1a09db745b6c27e6727e3c7349e8f4066eec567459398f49b95ec23ed4

SHA512
7bea159ec98168d1d7844326ada984a4cb5d559e570f7a2b24278d18dddf5486b728dfa33ecc4c3b9251eb63926d3bb70423b10cf0cfd29c8cb29c9a64979bd5

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
361KB

MD5
50a96edc64e73d162db8cd2ef7453ef0

SHA1
716404378b39a47bded2c84c69996716c3d70142

SHA256
a87761bbf7f5b10a953cbcb14d4fdc2a78b66a8549191d26b1eb96577a284f35

SHA512
e60e1d0343df11af5691d0fdb9be7d32066125853539f46134ba42d6264dcba6a85caa180d3620833b16c366644b789147d743a4089e20da86bdf81397d4eccd

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
361KB

MD5
82f6a1cf234d38c99463d59c07f53e70

SHA1
7e0f438110eb7b2b2a7459480a940eb81f3ef0ee

SHA256
25e68765d244824bac86af111ffd8991f918ac22db6f99a734729edc890fca10

SHA512
56dad8163e3850f4a748b6026f3dea31d93b4e12858bc0e5cb0871fc41a058958a565c694da9888f3255e035feaecd1ac0bdcbdf59d3e81e07fa8376bbd6ee70

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
361KB

MD5
51646089ace7906784403112a7595634

SHA1
72acf572253584f5c4740959b924c9aae23c0209

SHA256
343abf73cdfa9f541542a9208273aa4862fbf69a30529e69bcc932f40fa1ff68

SHA512
500d01156d0bc0141d14c77e5bd039766e8d17172bc261c1170de1c1256cdd43c5a52b12a13408bc4c842f8ef2bc70dc697ab7e4ebbf57e5346107ba4e2c2bfb

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
361KB

MD5
00522f3b90a63efcbf6973703ce69653

SHA1
fc38b2f67a304492c19b39266da54213fcc91b13

SHA256
cdf29ba79df612ec60f0a48c05f27f11a1ad1dc23ce26832ae1585b8ead27f35

SHA512
aae42d2a3ead6706100ec305a96ec6ff0cc282ad140741f029474c89b120fbbb6d6ed62ff7f7fc6fe1e5d4ca080459036c17b6b1efa18228f0de9c1be7a9436f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
361KB

MD5
d738a70461659521c4f26d91d4f8d1ff

SHA1
c1ea3d53add1827847223d6063c4714823f297a4

SHA256
4f29fc7fd23878b687fbf2566b5f996af91680ac8f54b825967726c3db625320

SHA512
103fa4825cbdcaa6e81422edb797bb8dc57c695f63801a35b36aa09ad093eaeeff50e3f1c0c5b4af1007720bf8a7192cf2d8b609b7bd89ff4c5f8686417b234c

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
361KB

MD5
88018ed731c97ba002a0f61b6f0a131b

SHA1
7f0b86a659484fab7e598342233d6761e48bc232

SHA256
9254e9f44d3f29438ac88dd55b2a69006a164a11eefe41e5515e2e4f0044137a

SHA512
56be26ba94190c10dd9e54eee098479af2d9d242e31167c09f37c53f17ff4c6fafbef7985844c2c663777344c982fc4e361df871abf891982cb91458bf8cc919

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
361KB

MD5
c2e6420d2437502a96ef540380edd9f1

SHA1
db3c6eae9f657a1785d7df9244244c4dd26788b9

SHA256
18f50fd44bcf99cc134fd25547e15fc3e2bd027fa108a598cf4af5fc924ad63e

SHA512
85c47994f9b709bb3ae3ab6ed9468ad1573d73b41284c1e553da24772b8f73e9ee5efb65c0387baa0e9ab8c678a43ceab4a2e48d046938c375e9fc4b00cda30b

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
361KB

MD5
7e5fc97a5004c63667af6081a0a23564

SHA1
26e427d3aaccd53d873c3eeabe752b12062d0d8f

SHA256
270fc1819ef248483efdef4bdc20c4c3562bfb35b99287eaf2473ac7104cf78e

SHA512
961fc168ae1e3e1e529ba0270d68397273d4e0d7235db0539a2ed1fbe28a0836da43de2898b8833d82711973ca2d43f9c5569cef49fa391e52d04fabcdf61591

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
361KB

MD5
0e584e9a129e5152900bdc3f7726478c

SHA1
b7dc3ddc00cd34b266e60a5318f52fba3e56419a

SHA256
f7c92fdbc10a380d76d51e432e17dd24b9bafd16631e572b33d33c5d9cd05f9e

SHA512
d0818cd2e5f8189e0608b99261959dd4dd12e679d40471f8614491c4704f981e5e2e31af82940838a27def3880125c6bc82dd7ec7c35b51f71ec80b89e53eb19

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
361KB

MD5
51a519171c96e3792e97f54d7ec0dbf7

SHA1
da103a727645994da00bb4f76d5798515be573d1

SHA256
f96124abb21ad19613be8adf2473d7289d03d76a979c4cd793bf4a9a9d9e873f

SHA512
1e540643c3df0df5ff952ca94a72156c0732558b159186cdf921507f49aee744d01e9ba979da907b99ba2017b298457d30854243b19376bb82eb4fa9147dd0fc

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
361KB

MD5
8fb146f5e17e8dbd428b737a0051a8e8

SHA1
8d0b3a523fe002b52dc3ef88c5e8db9a9b52eae0

SHA256
4ebbd1fd70c478261cd9c6951a4da4bb7a0b0802dfed94f00469c094108ad4b4

SHA512
c912eb2b0bfa80affc78b6067cb85ac8f650a915e0d186dc7fbda8161d23d72b1b957f75ee0c65e6ccd6af1942e8dc99451a1bc2207fb4e1c8e33b4b04b3cc85

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
361KB

MD5
e880ef01a4c104332a6320a3f2df6593

SHA1
9798239e1d82a4d78604544fe1c112d065d777cc

SHA256
0d3c62e5329c36681c743c6a9a4f6e3ad63760fdb0548575006365bffd3ef231

SHA512
0807cb12c86ec7df098480b45e0791c3ed84e402a239f39313e78c785bbc787da424ab671a268ec6da120ac8e7c1a5cfbfa18440f5b2154456d4c9e45c64619c

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
361KB

MD5
558d6e832010e53b35cf5634170e9f35

SHA1
4e8444b9117d89d0631b75b50d826484f70030ae

SHA256
524458f7d9eaa0cfaa71b9c870212accbd32c3d3299d26047b205e908ebdd221

SHA512
dc6f43404cd52deee93f7ddcc90f7aded800d62149c84ffb8971c537a3933f5d6c62846d0eddea414677f87f3f47ebcbf181b72a4ddaf5fdccfca6bbeb5720e3

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
361KB

MD5
a63c1ea869987c1e4ac9baf425aab432

SHA1
7ecaae8c4bb014fca976ccf02f10b272f437efee

SHA256
f464b2a748646a258dc240c4f1b89313488f0065b41617421a5484f0aafa4c12

SHA512
137bdae5e25c1fe1bdad6d3fa090218c5811d0a2f497092231390b86c31e98eff0f9288324826f6052c58b3d5c1aecb3cfdb1145600314c081365cd1f4a37aad

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
361KB

MD5
f84ee501f9eb3ec65edfa1f6b754f9af

SHA1
74c6fb3b26650a8cee0975d3805d4ded9458d8bc

SHA256
915889133278ce51411ec03446e774ecc8e57a46c4888d9d840556b7a2e69055

SHA512
8547eef387b449a648e65643d396afe964caed854682307f207779c7527afa44dbf3ec445758600401ca86877e6c625ab40d5993da961d2102da38b457bd3315

Download Submit
memory/232-509-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/412-449-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/700-32-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/704-481-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/780-487-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/972-455-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1056-124-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1064-328-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1064-469-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1156-459-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1156-362-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1248-390-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1248-447-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1264-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1284-323-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1284-471-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1428-111-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1612-483-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1732-473-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-493-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1876-61-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1912-191-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1912-515-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2064-40-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2092-441-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2092-412-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2124-475-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2148-334-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2148-467-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2308-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2332-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2356-435-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2368-420-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2368-437-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2528-519-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2528-175-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2540-497-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2540-314-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2588-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2620-479-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2852-127-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2932-523-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2932-163-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2964-433-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2964-431-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3052-186-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3052-517-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3168-313-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3168-499-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3348-203-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3348-513-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3356-349-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3356-463-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3392-310-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3392-505-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3608-527-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3672-465-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3704-311-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3704-503-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3768-525-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3768-151-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3944-79-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3956-489-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4344-461-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4352-96-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4380-477-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4416-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4444-458-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4444-360-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4484-485-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4504-312-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4504-501-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4508-211-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4508-511-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4532-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4532-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4564-507-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4604-453-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4604-378-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4616-379-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4616-451-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4804-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4848-402-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4848-443-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4892-414-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4892-439-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4932-495-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4932-316-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4936-167-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4936-521-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4948-396-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4948-445-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4976-88-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5044-140-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5044-529-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5084-491-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads