8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d

Analysis

max time kernel
142s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe
Size

192KB
MD5

aa9255107e13372f5de39f13cb77c3ec
SHA1

2878201382a10aefbf452a4b9f144d0d2d92d1e4
SHA256

8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d
SHA512

ee7444e3e5cc9352e11bf99f0ff21a9637a7549fccaf4c90444a7d0c3a5dd8953104122407b39266a99e57bb8a33ff65f7193574633e3892f69a636b482bcdd4
SSDEEP

3072:/3GNcPxr65NGdiCv/psDoGDd1AZoUBW3FJeRuaWNXmgu+tAcrbFAJc+RsUi1aVDw:/icP85CJssEdWZHEFJ7aWN1rtMsP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe

Executes dropped EXE 58 IoCs

pid	Process
3664	Ijfboafl.exe
3632	Ipckgh32.exe
2424	Ibagcc32.exe
1428	Ipegmg32.exe
1584	Idacmfkj.exe
1256	Ifopiajn.exe
3120	Jdcpcf32.exe
2808	Jiphkm32.exe
904	Jdemhe32.exe
744	Jdhine32.exe
2660	Jmpngk32.exe
2672	Jpojcf32.exe
1660	Jbmfoa32.exe
2884	Jbocea32.exe
1356	Kmegbjgn.exe
4784	Kdopod32.exe
2932	Kkihknfg.exe
388	Kpepcedo.exe
2700	Kgphpo32.exe
2000	Kmjqmi32.exe
3248	Kgbefoji.exe
2096	Kmlnbi32.exe
1108	Kgdbkohf.exe
1520	Kpmfddnf.exe
5048	Kdhbec32.exe
2788	Lalcng32.exe
3660	Lgikfn32.exe
3484	Lmccchkn.exe
4616	Lpappc32.exe
4004	Lijdhiaa.exe
2512	Laalifad.exe
2616	Lilanioo.exe
1284	Lgpagm32.exe
2540	Laefdf32.exe
2796	Lddbqa32.exe
2464	Mnlfigcc.exe
4868	Mdfofakp.exe
4900	Mjcgohig.exe
4672	Majopeii.exe
4776	Mcklgm32.exe
2400	Mjeddggd.exe
3604	Mamleegg.exe
3572	Mkepnjng.exe
2508	Maohkd32.exe
3556	Mcpebmkb.exe
2032	Maaepd32.exe
4648	Mgnnhk32.exe
4536	Nacbfdao.exe
4848	Ngpjnkpf.exe
4360	Nnjbke32.exe
940	Nqiogp32.exe
332	Nkncdifl.exe
3012	Nnmopdep.exe
5028	Ndghmo32.exe
2456	Njcpee32.exe
2160	Nbkhfc32.exe
2668	Ncldnkae.exe
4116	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	4116	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3664	4468	8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe	82
PID 4468 wrote to memory of 3664	4468	8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe	82
PID 4468 wrote to memory of 3664	4468	8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe	82
PID 3664 wrote to memory of 3632	3664	Ijfboafl.exe	83
PID 3664 wrote to memory of 3632	3664	Ijfboafl.exe	83
PID 3664 wrote to memory of 3632	3664	Ijfboafl.exe	83
PID 3632 wrote to memory of 2424	3632	Ipckgh32.exe	84
PID 3632 wrote to memory of 2424	3632	Ipckgh32.exe	84
PID 3632 wrote to memory of 2424	3632	Ipckgh32.exe	84
PID 2424 wrote to memory of 1428	2424	Ibagcc32.exe	85
PID 2424 wrote to memory of 1428	2424	Ibagcc32.exe	85
PID 2424 wrote to memory of 1428	2424	Ibagcc32.exe	85
PID 1428 wrote to memory of 1584	1428	Ipegmg32.exe	86
PID 1428 wrote to memory of 1584	1428	Ipegmg32.exe	86
PID 1428 wrote to memory of 1584	1428	Ipegmg32.exe	86
PID 1584 wrote to memory of 1256	1584	Idacmfkj.exe	87
PID 1584 wrote to memory of 1256	1584	Idacmfkj.exe	87
PID 1584 wrote to memory of 1256	1584	Idacmfkj.exe	87
PID 1256 wrote to memory of 3120	1256	Ifopiajn.exe	88
PID 1256 wrote to memory of 3120	1256	Ifopiajn.exe	88
PID 1256 wrote to memory of 3120	1256	Ifopiajn.exe	88
PID 3120 wrote to memory of 2808	3120	Jdcpcf32.exe	89
PID 3120 wrote to memory of 2808	3120	Jdcpcf32.exe	89
PID 3120 wrote to memory of 2808	3120	Jdcpcf32.exe	89
PID 2808 wrote to memory of 904	2808	Jiphkm32.exe	90
PID 2808 wrote to memory of 904	2808	Jiphkm32.exe	90
PID 2808 wrote to memory of 904	2808	Jiphkm32.exe	90
PID 904 wrote to memory of 744	904	Jdemhe32.exe	91
PID 904 wrote to memory of 744	904	Jdemhe32.exe	91
PID 904 wrote to memory of 744	904	Jdemhe32.exe	91
PID 744 wrote to memory of 2660	744	Jdhine32.exe	92
PID 744 wrote to memory of 2660	744	Jdhine32.exe	92
PID 744 wrote to memory of 2660	744	Jdhine32.exe	92
PID 2660 wrote to memory of 2672	2660	Jmpngk32.exe	93
PID 2660 wrote to memory of 2672	2660	Jmpngk32.exe	93
PID 2660 wrote to memory of 2672	2660	Jmpngk32.exe	93
PID 2672 wrote to memory of 1660	2672	Jpojcf32.exe	94
PID 2672 wrote to memory of 1660	2672	Jpojcf32.exe	94
PID 2672 wrote to memory of 1660	2672	Jpojcf32.exe	94
PID 1660 wrote to memory of 2884	1660	Jbmfoa32.exe	95
PID 1660 wrote to memory of 2884	1660	Jbmfoa32.exe	95
PID 1660 wrote to memory of 2884	1660	Jbmfoa32.exe	95
PID 2884 wrote to memory of 1356	2884	Jbocea32.exe	96
PID 2884 wrote to memory of 1356	2884	Jbocea32.exe	96
PID 2884 wrote to memory of 1356	2884	Jbocea32.exe	96
PID 1356 wrote to memory of 4784	1356	Kmegbjgn.exe	97
PID 1356 wrote to memory of 4784	1356	Kmegbjgn.exe	97
PID 1356 wrote to memory of 4784	1356	Kmegbjgn.exe	97
PID 4784 wrote to memory of 2932	4784	Kdopod32.exe	98
PID 4784 wrote to memory of 2932	4784	Kdopod32.exe	98
PID 4784 wrote to memory of 2932	4784	Kdopod32.exe	98
PID 2932 wrote to memory of 388	2932	Kkihknfg.exe	99
PID 2932 wrote to memory of 388	2932	Kkihknfg.exe	99
PID 2932 wrote to memory of 388	2932	Kkihknfg.exe	99
PID 388 wrote to memory of 2700	388	Kpepcedo.exe	100
PID 388 wrote to memory of 2700	388	Kpepcedo.exe	100
PID 388 wrote to memory of 2700	388	Kpepcedo.exe	100
PID 2700 wrote to memory of 2000	2700	Kgphpo32.exe	101
PID 2700 wrote to memory of 2000	2700	Kgphpo32.exe	101
PID 2700 wrote to memory of 2000	2700	Kgphpo32.exe	101
PID 2000 wrote to memory of 3248	2000	Kmjqmi32.exe	103
PID 2000 wrote to memory of 3248	2000	Kmjqmi32.exe	103
PID 2000 wrote to memory of 3248	2000	Kmjqmi32.exe	103
PID 3248 wrote to memory of 2096	3248	Kgbefoji.exe	104

C:\Users\Admin\AppData\Local\Temp\8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe
"C:\Users\Admin\AppData\Local\Temp\8deab906908d47b125cb0f5982195500b652023dd692b247b1171a07db28e74d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Ijfboafl.exe
  C:\Windows\system32\Ijfboafl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\Ipckgh32.exe
    C:\Windows\system32\Ipckgh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\Ibagcc32.exe
      C:\Windows\system32\Ibagcc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        30⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        31⤵
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        60⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 412
        61⤵
        Program crash
        
        PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4116 -ip 4116
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpqnnk32.dll

Filesize
7KB

MD5
f408afdd3f25a6ebc2463bfb2a4847bd

SHA1
543c2ddfb6b44afaf4cf247db22976066acc7341

SHA256
c203a6d118c08b0b368ef798e50aecc2fd78f459595267b0041133d296afaffa

SHA512
fcb23cd3f025d0e743b886322885a1a08d81c96408eb0f6801953755ccd91a6963a6a5b950800aec42c26ba28b50e959f0261011be53ce2f3cba176d24bb893b

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
192KB

MD5
2aac07d3d600f1c81f732338b6b48333

SHA1
f3e495b05d55666b4da95ec2efd4694d64e03947

SHA256
3897c558aa2b607ecb71d634ea12e7863243c2bc12f3c6938c176e9f5a3edd83

SHA512
d40010cb50a279a86b4d73d99f875af3db46691fccdb4ff478549970920ef21d8dc224fb6a943650947585c60cf3c8ab5303b25bad44601d5c47361694127305

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
192KB

MD5
ed70ca6aea70ad88a4a0cb0d67829e8b

SHA1
3233f2a7e0b1f7b3ffc3a5a1488dc84544c66fe4

SHA256
c2faa5f7eec02625378efdf3b33983f11ceeeda06463831f196816be5edecacb

SHA512
bdec92fcdef88528d16e115a21baf94c78041eddfb6e732d1917920981b15f5fcb8c6774716f2c8a4ae10e0b0ae2d771492f544b14199f5d4faabcae9595debf

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
192KB

MD5
8fcac5de8fb50deda257cd5ec519f5b7

SHA1
a7380758830c08958801d328b81e7318cbf30ec7

SHA256
4141fcb40ed5f5111fe1085eba181380d9d936837beb41beec396318a59a0fcd

SHA512
0e2c4c7fb2247b6bda9db6d6ff86435d0fb7076003cce9065cc4bf2d95d76fd24b9b59b3b585b9d86d2c39b57b05a709341089d0c190078c0257037155b588a3

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
192KB

MD5
9b01db9426bd1fd0118f0f0e863dc646

SHA1
eeec8b272654b1bdf587d6b7cf4f0f17362883fb

SHA256
c7e31028fc34a09abb195562cfcc6c630c8e4d67fdd61079bd14154c8846b054

SHA512
8f7a0bd1eb49fa8b8a9dbc25e98703b5ea0ef056c5edcd262d37140332e02310e1183ba6531d62bee90b57326c578896c1664f0646b105950536066e1ed10b6e

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
192KB

MD5
aa26fe5b7a7fb56782613cab1130f2c3

SHA1
ca0725a81014f0b9cb4e775bbd7ff93bf6706867

SHA256
7e20f176aab41dc509b72f9fdd07b1f47b5d94dfe6e178a7416e7ee14bfd6be8

SHA512
00e1c0924180143c04cb91c6516256517928b6dba526dddd50e13e5a806594965575fa1649e797132322fb724a866e6a59309b003882f1cd7969b8373b3e8576

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
192KB

MD5
11e74214676842b5fcdb2990fc0be61c

SHA1
3cb18b1b391ca75a80657f52943696fdd5ba78dd

SHA256
4cfa144af3dc9ab0aa2e7316b3308f58b6767e9027ef6c99fed12728fa5d8b43

SHA512
b1a00fc6a4172f8ce22c7614efe1904faf924713f474c95267feab23b2cbb794db6dab3b8e4c1551790192eb1ac33d2c78821d5c1c01fbd1c084ef22e88c3c0e

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
192KB

MD5
12204c91c45339459f91ef131fc91789

SHA1
3f06499efb0f60716175b53bfe96092441b45029

SHA256
cef29b57e56b4c7ef08aafa4f282caabbdcdf54d59b04a258f1e1a552eeba598

SHA512
26b12e19dd4724c9b11e9fcecb18ea45939d4aecb85ee279d618cd4ef52aa625d673d90d01e57c5116fd4a994fa5596a90bca8d8dddd6daccb5b739ec07376a1

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
192KB

MD5
e15ac24e241ddac39af2a61d4d82774e

SHA1
90e6881aabd1d8f03f062336a10bc705d73eda33

SHA256
7b26a3da4c71e4709bb18673efd672aea0c94e4aa1f69d03dbb099f0a296e48b

SHA512
6e8e119ceb8bc72cf2b3b8a676a7d697219771a85324961d5d77d6d6721bf22bdd76deb9072e83a21b83d34f55bb2b0ed22e0fdb4bb790d25e5cad201f802032

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
192KB

MD5
e61ed4bd33ad8571c44f43afd65e8556

SHA1
40eaa94a59696040aa1e29196b93ba6438eb0974

SHA256
0a1ec93d0659169c101733e9adfe69332149b5a433056eb2e73e0a36635d9d43

SHA512
f8510af34c5f41f77c754553a5f670389de36c6b2247af1986fd0d31adebfbf3c91ac2c44257a8010b55266c0b5349630d8c124a1a72324a318c37055891f72b

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
192KB

MD5
e51649b29cdd3f41f4570188f8b295ed

SHA1
d5f20acb870e8bbdb99fc04a5787415ab7ff9178

SHA256
562ec322e9adc2bac53114ff3977a8d82fbae5366181bf8376c3c970a5706f21

SHA512
68a3d038778aa1a2e823a0322971f6dad42a9eb5155d829eb181dd3fa6ba8731fb7586d7f25e282c643b9e7a9089b2ce6be2fec4241f0b375a15a4b6a89a6d8f

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
192KB

MD5
4e716a563b44b5259a0203f8e4e85726

SHA1
cb62b8d7cbe411974ee40806d64b2af00fe5f2ab

SHA256
99b77fca96a897f6fd91e2d65fc17b2c546e0eb93a95aa1ef5294a5e6adbf9ec

SHA512
08884322e9209a075197da951dd4f465c61b0caefea7292dbcca2b85fd6081d1d0a61e7472d450e522c6e74aa68b9e8c0947d4f053c824ccc0d14ebbdcc5446b

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
192KB

MD5
00c755bd0926152c5da5a65ee98d4625

SHA1
87e5b7697f9f47d103c044eb922df41bdc1b234f

SHA256
7be23ea39154132b2e6bd14eeb4e7b7d7c34de7b4517b9aaed7b48b4625eccd7

SHA512
3e9a6b703834755457e6b515558314398cefb4174c02f79422fc4cd69c57a66cc2ab08bff42598c1fb6c79b4177e07c68b609f5d13ce47323f951eb532a188f5

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
192KB

MD5
f7e98fd37ef24f77688de2e5595e61f2

SHA1
aa7d62bd0480d0423a177f2577aecd1157ed0a0b

SHA256
b143fca33231e45a99c7d57b03bb31a534ddc5fdadd733f0bded3eec5a3a81c5

SHA512
5df4f915b9eb271271e8f49e2c6c6903d2e03b2883c3a7903b40493e7fbaf2708fb20ad14f1b631ab52ac0b5c2bc5b8b43e8dce6c84c80deace9ed00056a7489

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
192KB

MD5
01a5d45ead888e385711789824f202ac

SHA1
36efbc6ec64d9882f259bbe8ff059854ea6ce4b9

SHA256
92f3f4c46758772bdb93387f908e351f65cf57fd936be36cb7e4d6b991471ffc

SHA512
71a1001a206300e76a162f0d0dd7f550fc52a7b7436bb7016c72b081f6866de92efc263265ad09a01abee27955f719f81b3ac9e05f0e7df069ecf1687c70e1e5

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
192KB

MD5
5a187b6e4ec3e1ccbffd7438b2ec9577

SHA1
a09f3b98a13d1547f08717f1c71796ed1d7dc59f

SHA256
5e16c283614a57b8bfdbbaa711175d18ecaedc49bcf082a235eddb08e74b17c1

SHA512
a14fc1ce8b964a4810ad3dc713086ac46c3b1f0f8fcc4f3c3acf1c1c9d31e80c178d7338a0b4900ab5628527f481a191419ab0a3b8ff7683305b081e954e5ad0

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
192KB

MD5
969ead35231da19e5afb46aca2e6dde2

SHA1
34e7d7edff0ac10a5c5ba4d134025591b28512f9

SHA256
bb311bd7c8244325ddf259fe5734c02c778a6eae92127277eec9e310ca804e50

SHA512
aaf7860c8317b190518e8d03132c1a69e826bf335725d47a09a3578015efed5861c359e8af13687b8c295a8e0d325b4165c1924247760d914ed48dea3d1ce58b

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
192KB

MD5
0bb5faba4b2e7ad432fc2cfad9fa2599

SHA1
5aac2e24beaa6f8b16c0ec47219d21da9df19210

SHA256
7593f6b5a3b766843befb5fe047d048d6fc7ea2f25085295826e84f34d2117e5

SHA512
2451ef99e84a4c517016d1b0a963c540e0826a986943016e0826bed41bc334b386c15be6a2fa5baf90cecd3fe85bcc360d240520ade2344605bcf9d2d2498acf

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
192KB

MD5
12eceb170626644d5c470370b50a8b85

SHA1
a815d7886c0a85ff6e09bbc4e8c9b56673030211

SHA256
ec53f05cab96fe8fe0e3c7ec3aa825714053fa117f506581cbe2e4237c7d7b34

SHA512
30a131c8ebf69d597da3b975c261ebcc5b7c525211260430ea94fb2d672851dcde58d56887d44883cec2b4142a50afbaa9823224fb133ec754c4b5cf116f2ba5

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
192KB

MD5
a447bd8fd7a9dd804ce0eac3a117a3ec

SHA1
310b6f0d2bf276c47c8c45c94b4c04dae136267a

SHA256
3e4ba6f0c0d2c11db7a9462d516a559ad63fd76c2a80b674a05454f9d6b30119

SHA512
c8b4d43c885fed15870dda81f38569601068cf8261a35a4893a1a1ad9c3dea6bb890711d8869f4a94d6d1a7ca6b836ddc661d79d619be0a1ac56939f71ff3f11

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
192KB

MD5
5233c438faf7d86f8132f8eed86d7253

SHA1
8aab7a4bd2525a6d06f786a350c0fc567d6ea38e

SHA256
cc1e080dea4ccb2c2e8bc7800b720d9bda30d552eb3f49a196dd4755bc01e9d3

SHA512
c02b18d0260ccd08794c3d4a5f89fa3f0ff8d54f349f8d251e6df18a0d68284844aa1a6453f3cd4b490cda99ccdaebe042099f317f12ce679cc405254063a4e3

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
192KB

MD5
1f11811cd34f4f1ab6bb602b3db1a429

SHA1
8bd1a7db2a37be8e3cd50b965f5d638c9dfc8741

SHA256
f1858fd610f249919105dd6918bfa243a1d5c2b17d0524054227c6d55199176d

SHA512
1346e6a237750d185fe94ceb95fb9f22f576636bc13306e9a9038c10179505000bac70cd8ab2a3a89560ad1bbf2ed4643cb18a822c2b3465785afeb52aa93536

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
192KB

MD5
ea64ea52d1ebc3cfa425017274ae7b21

SHA1
523b3ca4e5e333109ca92bccc6b41913d9bf2894

SHA256
f42a16d354a2c1c358bfd79daa93fc1b02151ecc8e4b8ea322152818a120e850

SHA512
456563b5ec00e1caff0aac1c25097dee428c202490e4a07ba8d14bf7c79ce065c42da926b33e5da1084346abeb4cfa8a08da6a683184ecff1e701fcb8d538e26

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
192KB

MD5
111ed37945cbd8ce3d7343a5c019044f

SHA1
fa561fab972d40a21a2f9f31ca8acd718a055e52

SHA256
c78d3e1c1afdaeffcb2f3a7769b775be3c8e33150846969a1ee28f46cd68799f

SHA512
dbb364b13c9822b952bc32da7cd464b120971230995c6a9f1cb090d4909faf4809ad6fc301181a5fdf61761989a89b73e36da602cf0f42520c654a79b721eeae

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
192KB

MD5
8a800741e5b68ea99a8ef64d179ffb08

SHA1
c19c41f77dce01b1a4af377fa56e8f2d26c57373

SHA256
edb363687cf2b7466e927568147cf3c878c015569d4dcd965df9788a3910feb9

SHA512
f5df75df4830fb4ae3215861c3e2b1ea121cafcfaf5e49ca7244387f5133dfb2b8c26553d58fd27468c3fe87bd3a39dc58ade4decbaca99b0f9d97f5d4fe7bb5

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
192KB

MD5
545189c693dc7777afa1f77255bb44ea

SHA1
3ef9cd4f55f987a897b20944caae6e462a9df9bf

SHA256
ba9b4988efee3acda3ad4d463fd2caba8c0f53d9071ac9939a111a9ed1944d82

SHA512
8e74973a22bb2e6db6eb4778b4af8ff81522d1de798b4c092eea7089520c8ac84750d853ba690cf54928b43da990fc89baa942b3b90495e7c8344a7a9675432c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
192KB

MD5
4301a5240e5d25c0d3ee9d345293085b

SHA1
5353a065961ac353ef102b50476c5382fa292ccd

SHA256
7ebf63b7415cfe0c093b65eb829ec1c1358b6dde38d9d76d79023bf46e1714a1

SHA512
f10522868514c21780e4fcf774ed165ed322eee75c1af9a925a39b59f5d0f1661e486762c3919da99a8e9e5523b8852eae32142a00bdf3ed05cd604c4f8fe387

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
192KB

MD5
d8054d60f35c19759d8d9b80bc49046a

SHA1
d712851a74dcb038920afdfb4a25f54787375d67

SHA256
7868a8694f39aade13d238211d402cef4ae52d11385456eda84b99c177a81579

SHA512
25f5ee6282651c52a9d3730baf5982eee9f971ef56392f9c56ee39612177aeed842346c10a6fe2d4641aed1d44de768ddc46648648841fc56e3839cac3886cb1

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
192KB

MD5
b1f99f4ed6fd130540e889dd3bb54c09

SHA1
3efe74a99bcdb9e87115a26a1147ab18d63615d5

SHA256
b4d5c318d7a566b6f0e44b15709e4002aa92c4256f5ef99022a85f5701d4bdc3

SHA512
cf7d662a984154eca3ada9627a44520844fd36a62328795856a6a4bb35da5de1cad69204c0482dea59a1c3945c980aed312100ce168e19673aa7d09f84175183

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
192KB

MD5
96b0229a016c76dd877059d81f3c189d

SHA1
b64028fc1fdc31150f2ce91395b9c751ce0357b4

SHA256
ba77c26ec26b713705a80d5d5319fb098c9c8db1d1e3322e7e5efebefea1bffe

SHA512
0b3242b255a5e98332f35a615943a5f735d7ea7f59ea291845e830741ed6de12d9d0cc7fbf1690238bf1d0bde45fd680c4371f6ad7a2185bc3096cbb62dec99b

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
192KB

MD5
e93c5a77d7f46d0d02f7eacaf0fae5b2

SHA1
d6eaed842bc497706052f6ff0762b21fe8378f71

SHA256
a4f353ced810f884935e87f15d2e1affa7b6a48298bf3964f21c6aeb98312fac

SHA512
cf742a455d678962e60646385d04fc1cdb64a970563422841813f7ac69b4a83cd493f820c4525dafe1caebc831951b20acc80d52d492b8f13bb143ac60bff2c4

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
192KB

MD5
2dab6025db62b1d010d25948e4a929db

SHA1
e17b2ed84ddc212c38f89b8a6ac3ab6760a0e316

SHA256
15ee72574d4637dedac22844fe2efb733d516eb76ce59e8835f7b5341810757c

SHA512
b95601750dd6512a92c0e23934a4244f3c0173c8f50e6b932f4d477939d1d35f74ac8912e3be06d37796681274971990c73f05321e950441786df20d2cc7a036

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
192KB

MD5
f3a870c1e84405bed666b0baeba0356e

SHA1
a3e073da5173b749b6e6ac03b8b8740b396b2456

SHA256
3506c050d81b555960a2ccc2fc2c4d895adbed16fcac1e56b8ef6fff96566cd2

SHA512
9f763f28d30d9018b9aac81bcfd45cac0e680e71de80a64545e8760ce217c8663e7aae16a8590a4cb08ac33035ae75c1fec36a41b861a3fc2547e60b1f29c018

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
192KB

MD5
2e99dd7d6ef2c2f816c83042054b3339

SHA1
05c547529ee16444e5da7444f3dcfcc44df5c9a3

SHA256
cc9cffaac735cd7d3dad86445f004675bf747aaf6304a809cdbf68e9b91b194b

SHA512
21c71164f569b7b869db173246f01e836509019170c19cf88b3b59d6b19e578ae18c0c80cba02085ac1b30f4bb643b2db47852fb532d218df8059e569fe11468

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
192KB

MD5
9982b7834f42c6f4f9a0903570656f83

SHA1
0c2f07ac5ded6d8fd15f61347e35c65272ae67e1

SHA256
4cbf07d43897ec00601c56599b9fdd7056dc09f88a3ab3c01e0f280771ecacb3

SHA512
13238b258ee9935f074049896f884ff94cc4e9eb6ec17df03c54f065d06d1b781a9687a2590f4f19e6101f20684550985f0624fa767c07f35af297baa2d95fa5

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
192KB

MD5
bfb4442c5e001498c747ab572618d8e4

SHA1
4e15413ce8375f79facdb14da4a66f0e186d0fb8

SHA256
bca9e76dd4c169259cf66f241b355c23507ab5b73753f9d7ae312ca6eb7f04c3

SHA512
76de13930b6b7b3703ad7e690b59f139f64e9be87ace298a39595ada611e5e9fb1a22ef7d64c1499de79ef8713de7a87e805340697ab9d1830f006f61db9cf9f

Download Submit
memory/332-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/904-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/904-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3484-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3784-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4468-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4468-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4648-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4784-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4784-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads