30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe
Size

96KB
MD5

1945374d713ea5b63ca37f40d5149e98
SHA1

f51d6076aa469ec6cb8ab7ff1447705e03d4f992
SHA256

30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e
SHA512

121fadc273528f2fe2c31cd83230d38198eb8309a90d0005881d66292838b5ef00822e172ecb547d39ee0a693970203587a3b98ce90ae1547fad56175b330fcc
SSDEEP

1536:g6ZJ07zV4B77pMT/IR3S4w6AjQmDI2Lk1A9PXuhiTMuZXGTIVefVDkryyAyqX:XX07aS43AjRaiPXuhuXGQmVDeCyqX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe

Executes dropped EXE 61 IoCs

pid	Process
3924	Idacmfkj.exe
4224	Ifopiajn.exe
2380	Jpgdbg32.exe
2824	Jfaloa32.exe
392	Jdemhe32.exe
3664	Jmnaakne.exe
2868	Jfffjqdf.exe
3980	Jidbflcj.exe
4108	Jdjfcecp.exe
1376	Jmbklj32.exe
4784	Jdmcidam.exe
2696	Jiikak32.exe
2660	Kpccnefa.exe
1488	Kkihknfg.exe
4536	Kpepcedo.exe
1168	Kbdmpqcb.exe
1932	Kaemnhla.exe
1316	Kknafn32.exe
64	Kagichjo.exe
3628	Kdffocib.exe
1680	Kgdbkohf.exe
4084	Kibnhjgj.exe
4672	Kpmfddnf.exe
4892	Kdhbec32.exe
2004	Liekmj32.exe
1408	Lcmofolg.exe
4172	Lkdggmlj.exe
3104	Laopdgcg.exe
640	Lcpllo32.exe
1536	Lijdhiaa.exe
3592	Ldohebqh.exe
920	Lkiqbl32.exe
4636	Laciofpa.exe
4220	Lcdegnep.exe
2652	Lklnhlfb.exe
1472	Lnjjdgee.exe
1996	Lphfpbdi.exe
4724	Lknjmkdo.exe
1864	Mnlfigcc.exe
2180	Mdfofakp.exe
3388	Mjcgohig.exe
1448	Majopeii.exe
3452	Mcklgm32.exe
3848	Mjeddggd.exe
4440	Mamleegg.exe
2496	Mgidml32.exe
3124	Mncmjfmk.exe
4192	Mdmegp32.exe
4472	Mglack32.exe
4476	Mjjmog32.exe
4120	Mpdelajl.exe
2648	Mgnnhk32.exe
2968	Nnhfee32.exe
2428	Ngpjnkpf.exe
716	Nnjbke32.exe
3916	Ncgkcl32.exe
2016	Nqklmpdd.exe
1672	Ngedij32.exe
4932	Nnolfdcn.exe
1344	Ndidbn32.exe
4976	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	4976	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3924	1616	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe	83
PID 1616 wrote to memory of 3924	1616	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe	83
PID 1616 wrote to memory of 3924	1616	30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe	83
PID 3924 wrote to memory of 4224	3924	Idacmfkj.exe	84
PID 3924 wrote to memory of 4224	3924	Idacmfkj.exe	84
PID 3924 wrote to memory of 4224	3924	Idacmfkj.exe	84
PID 4224 wrote to memory of 2380	4224	Ifopiajn.exe	85
PID 4224 wrote to memory of 2380	4224	Ifopiajn.exe	85
PID 4224 wrote to memory of 2380	4224	Ifopiajn.exe	85
PID 2380 wrote to memory of 2824	2380	Jpgdbg32.exe	86
PID 2380 wrote to memory of 2824	2380	Jpgdbg32.exe	86
PID 2380 wrote to memory of 2824	2380	Jpgdbg32.exe	86
PID 2824 wrote to memory of 392	2824	Jfaloa32.exe	87
PID 2824 wrote to memory of 392	2824	Jfaloa32.exe	87
PID 2824 wrote to memory of 392	2824	Jfaloa32.exe	87
PID 392 wrote to memory of 3664	392	Jdemhe32.exe	88
PID 392 wrote to memory of 3664	392	Jdemhe32.exe	88
PID 392 wrote to memory of 3664	392	Jdemhe32.exe	88
PID 3664 wrote to memory of 2868	3664	Jmnaakne.exe	89
PID 3664 wrote to memory of 2868	3664	Jmnaakne.exe	89
PID 3664 wrote to memory of 2868	3664	Jmnaakne.exe	89
PID 2868 wrote to memory of 3980	2868	Jfffjqdf.exe	90
PID 2868 wrote to memory of 3980	2868	Jfffjqdf.exe	90
PID 2868 wrote to memory of 3980	2868	Jfffjqdf.exe	90
PID 3980 wrote to memory of 4108	3980	Jidbflcj.exe	91
PID 3980 wrote to memory of 4108	3980	Jidbflcj.exe	91
PID 3980 wrote to memory of 4108	3980	Jidbflcj.exe	91
PID 4108 wrote to memory of 1376	4108	Jdjfcecp.exe	92
PID 4108 wrote to memory of 1376	4108	Jdjfcecp.exe	92
PID 4108 wrote to memory of 1376	4108	Jdjfcecp.exe	92
PID 1376 wrote to memory of 4784	1376	Jmbklj32.exe	93
PID 1376 wrote to memory of 4784	1376	Jmbklj32.exe	93
PID 1376 wrote to memory of 4784	1376	Jmbklj32.exe	93
PID 4784 wrote to memory of 2696	4784	Jdmcidam.exe	94
PID 4784 wrote to memory of 2696	4784	Jdmcidam.exe	94
PID 4784 wrote to memory of 2696	4784	Jdmcidam.exe	94
PID 2696 wrote to memory of 2660	2696	Jiikak32.exe	95
PID 2696 wrote to memory of 2660	2696	Jiikak32.exe	95
PID 2696 wrote to memory of 2660	2696	Jiikak32.exe	95
PID 2660 wrote to memory of 1488	2660	Kpccnefa.exe	96
PID 2660 wrote to memory of 1488	2660	Kpccnefa.exe	96
PID 2660 wrote to memory of 1488	2660	Kpccnefa.exe	96
PID 1488 wrote to memory of 4536	1488	Kkihknfg.exe	97
PID 1488 wrote to memory of 4536	1488	Kkihknfg.exe	97
PID 1488 wrote to memory of 4536	1488	Kkihknfg.exe	97
PID 4536 wrote to memory of 1168	4536	Kpepcedo.exe	98
PID 4536 wrote to memory of 1168	4536	Kpepcedo.exe	98
PID 4536 wrote to memory of 1168	4536	Kpepcedo.exe	98
PID 1168 wrote to memory of 1932	1168	Kbdmpqcb.exe	99
PID 1168 wrote to memory of 1932	1168	Kbdmpqcb.exe	99
PID 1168 wrote to memory of 1932	1168	Kbdmpqcb.exe	99
PID 1932 wrote to memory of 1316	1932	Kaemnhla.exe	100
PID 1932 wrote to memory of 1316	1932	Kaemnhla.exe	100
PID 1932 wrote to memory of 1316	1932	Kaemnhla.exe	100
PID 1316 wrote to memory of 64	1316	Kknafn32.exe	101
PID 1316 wrote to memory of 64	1316	Kknafn32.exe	101
PID 1316 wrote to memory of 64	1316	Kknafn32.exe	101
PID 64 wrote to memory of 3628	64	Kagichjo.exe	102
PID 64 wrote to memory of 3628	64	Kagichjo.exe	102
PID 64 wrote to memory of 3628	64	Kagichjo.exe	102
PID 3628 wrote to memory of 1680	3628	Kdffocib.exe	103
PID 3628 wrote to memory of 1680	3628	Kdffocib.exe	103
PID 3628 wrote to memory of 1680	3628	Kdffocib.exe	103
PID 1680 wrote to memory of 4084	1680	Kgdbkohf.exe	105

C:\Users\Admin\AppData\Local\Temp\30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe
"C:\Users\Admin\AppData\Local\Temp\30e8aceddca7b53b7f726205baa232c31c93df115e7fc5d4b60ae6619970eb8e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\Idacmfkj.exe
  C:\Windows\system32\Idacmfkj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\Ifopiajn.exe
    C:\Windows\system32\Ifopiajn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\SysWOW64\Jpgdbg32.exe
      C:\Windows\system32\Jpgdbg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        62⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 400
        63⤵
        Program crash
        
        PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4976 -ip 4976
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
96KB

MD5
4e3bc1561dde59a5507470c03534c848

SHA1
c9e08c01b6e003bea439f1227d37bf5b92c30884

SHA256
077ff056c06019df5037028f8126d629a273958d19a035c0467045e8273c5c37

SHA512
753589d9dc37f767e94ffba98a17f6794da5ebcc033d260f408f74e9d765cc7227cd49bf58f30930eb3783d52b540c288b3192635018d71ccfabcbf59e6499eb

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
96KB

MD5
dba7692a5256b2e19e29a2192976c5b1

SHA1
039b2a43205498a28b0cd81c311b604e2dc479e2

SHA256
193b20ffff423a8673db1ea15a3dc06253dcbde1a8e41c13a88df5b7b8888ccb

SHA512
3b71fbcfebd15137c1859b2befab57d410fc8bb05ab11805d6f283401d26156af971c2b6fe62547102182d6490b4cf2d63ab7121e7092c44a4ad834e2a28fbe4

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
96KB

MD5
4565ab6a35ec6499e39e03436d9f3fd9

SHA1
8a383b9b7a2b5ccd5def13bd3a858366bc399040

SHA256
148f67b33e786d995f3ae3299f163f2aca7a50c7731ef95c9e6dcabb73f34e67

SHA512
b5245964f701a4848e64fe3c2b3d8d52ce8876568d2bfffa0fb066e6fa7e8827c15c53e06c78dfd8a9dfaf337f60efc48c843575242b272b2f722d896fdd5875

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
96KB

MD5
92079b1774b162e4a1d141ed711b5e57

SHA1
096561feffa60a2e70840fda7c0519925d77550c

SHA256
39928f8201243076acb167207ea55470ac9b7e4745d311f2fe8787607f2186df

SHA512
5bd99814253fa770a5a41fea63b47fbba4f39b0b6ca0bc2134a41d0a490a42183a6962da0873d5a270740b9163e26aaa1f9a3f1938b37a66ad43f3ad94fb73f2

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
96KB

MD5
825cf2d23472f86e6050a738c2d33246

SHA1
42de7c8d3103ff92017e99d12a38aea81406dd05

SHA256
0b0b4250cf20ce6ba0016b159f4c8e19fa9bfa022a2dcfd4dcb3b58cbdd09c9f

SHA512
3d5187c667156901abf4edc550cd1321a78daea1b325e3f03cc853d8a1b20cde954a14ecd0326ae02d85256da051f1e83e0a9a538977320b9ce99e4266179644

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
96KB

MD5
68663ce98b4a3fe5a534b56889554111

SHA1
2ac658594b0c6ba474a711a91986c9332b5f6f62

SHA256
08fd355aaa4e54aead7cb2b2c490fb73c70633b2fb26a205b302a63effc7e2ad

SHA512
27e2ddf4bfa766a3dd2a1db04247810fe1a6102b2c9c8e8361bc82043269fadf9b17e2f68b3df0cea979ca004e1ac97eaa7ce2bf23f123f1fa602206ca2748b7

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
96KB

MD5
ce9c5efd8de1f883a97f85f00b45133d

SHA1
2267faf46ce6a4b05a03cc692696df314d62fd32

SHA256
2f7d18080a6f1861baa0efefb00a7e6d9a51f9103ec4209b5adf68e9ad8af7e0

SHA512
b0fc317d4f11f67b80875c9ea5e7d35097e1bbe18de05c9432de43adb4b8ce1b348b3476b434dbfb77139df5b9b178753a9d5a3a2f5c5d875dcea7e0546dede8

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
96KB

MD5
16089ffcd2c9ee0630d99c18763f938d

SHA1
05ce5e7713441a5b5a04a2d7bd94b42d99cf995e

SHA256
3803f2778396fdb16bd6d4ead78a20eaf9b1ecee9ed5d28e80fd4a49fdc62fef

SHA512
a25fb03fafb0d0758aef529ffe6fa264ce5b7f5cfdf89e6cdf722823155150176dd4e35259129b888edea18046c6931783a6d246cb4be2422416af46e3e29ead

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
96KB

MD5
c770b1994d9a1fe235a1f2a6fa123dda

SHA1
673e53d8d5f82c189caf5e572d7b573c4b7e0659

SHA256
20898928477ea19cb6956f600e0e736c02d0d1b0d7350030b46431b78f7c21cc

SHA512
538e242bdb1268ecaa693502a04dac693d1cf4e357558a0009ae90fdc17c1a0a4d1bd7bdac18ce545d59e1320912c5e3b8e438075976223e6bca48f7bebc56a1

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
96KB

MD5
ad9d1a23aeb41d70619ea0d133aed7e8

SHA1
a7fa1e7ad924e4f13f170ff17984c4dafa311711

SHA256
06febce3675f5dc31c9a0b9b738c247003d56c35f5989d0b46d12fed45937a6d

SHA512
6b774425dbae3aeec33afcea46829d307f48915421c6f017fc03a3badf68b8b7ae5679edece4072cd9c5ef907c1c891b8399861959ee786f96ef1ab5a24a024d

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
96KB

MD5
a164b39f7b823efce870477cf73292b5

SHA1
e36b10df6566d186e85f16e02b8b233ef5384671

SHA256
e95b73eebd01d454ea3a3570cf387614f81be7ee5c9e26a4ed6be86f10b44ef6

SHA512
4eb9e120d2fe1aae3f083eabf5883045b247b1ea7047db8c0718cca48d3c275aab5d3cc2dd84437be4d0159a754ea97b2fd72f144ebf779ab9796a9056bc9155

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
96KB

MD5
82d4d251acd61f7a6a1f3e7db3493afe

SHA1
10934b6e7f4e6c87c0fca942f8392cc103792db5

SHA256
122d11b4a09801f51fdfa798bef13d870c7eedf98c9849b713d749741f2a7821

SHA512
ebe68e5b23523b7ce349969c92712d5e6189e63e4106128c4a5c4b025dd7fad9c65f5805bd3334580fc00e947937e45b04d465aca7539454df32386a59be60f3

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
96KB

MD5
d326dd5a86a775902e25d24fa961b683

SHA1
49a9a115b00855c51df49b14974e78689463b1a1

SHA256
eedecc69bf6f95130c0d1c0ca851d817b7f208d6f2c45c26b5bf831e383c9b30

SHA512
be636f7e635de129d74eb48499ff5eb451a47df35fac6807a474118caa630e1bb686adc4d421d391ec5b58c707b8450383e6f9eb374d4362a3e3bfa45e1e14ea

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
96KB

MD5
64a66aaa0d348ec9fb2f16b6efc2d6ad

SHA1
2fcc6d1912433913b353e4e4f43270f87bcdcbac

SHA256
7d33fde98802498d969eca12ece5c90e27e796fce3afd5d13e47028c8b65758b

SHA512
d74f398e2b5f337789eee38e8a2df9e23a059a389d13984dac772ae2a5e3363f54248f8873bd84a60fc1cadf7d3d0880064baaab65f049340649122fd0b7e1d7

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
96KB

MD5
e3d2b56281e31b5448d8eb36c6cd54ff

SHA1
0ef12d5af4e31d95157d26abef0d20cf434a37ae

SHA256
abb80fa577f8a4d500d541e4b28143b9bce5fb7d81404ae4c223daede85866ef

SHA512
8dacb95e6bb35b1c4b656b6d217a789f9d2056008a7181ff822a09c8cf2e7f8a7fdf81cd75d15704393e65535a2952d80e871c38aa359b957a6c8ebfce23379c

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
e7c42c7538b1068d2652db8756a40465

SHA1
ccddc9622dd57a87f5e4565fbd5d2f17009f85a0

SHA256
b594f7ed5e5bb3d7d072aaf9a8f3085ce58673e8f163d2fde84933463ba01493

SHA512
cdef73fc42973eef7c7e61d1808024db9402c9072158ac2ef6c73c668e1081d902a6f53427e6cac58eb38a3652596eed94866f798ca61dc3111235055fb7b961

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
96KB

MD5
92889371aabd2f655c91b7dd6d10198a

SHA1
81921c68c96792d4eab61407c2742fec85844f12

SHA256
3cf8cf727f5f5a73d496a4edd9bef49d88a5c4672a9524f0ae4ee1c1f5691552

SHA512
fa12cc2cbf6e8bb8e2b72503b75047d50664bf2c93dc88ca5d38e51f081b720f0fb202f294ed89a3c5d1858a117ead7beb61176f541e5b961988419716c1c526

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
96KB

MD5
6302c2cbaa40c2a1c5c0d00b99c32e0f

SHA1
3a1e1ba81a545914ea878ba5698c96e2921630e8

SHA256
0f8343a043fa2071d9be090ee8ccf2382c40489b3ba68c21fbeda6988eb7522d

SHA512
61529b1ac15ce7793f73f6db0751ff4f0efbcf18978e2daafd87961a634ef2d722d7ae8aa0f2290d363536e4c04ab7c55d65906e536ec14d76dcc3110fbf1e7b

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
96KB

MD5
0245646fe272eea82b9c23cdcf40c745

SHA1
5bc7edb9499e0c6d561864d8df410394d823ef6f

SHA256
459b146be62aa07f821232b5c9431f2fafb848c837b9a35bb6ae1991d9091620

SHA512
2da061eba102efa6c74901db80ae5c58b02bab620d9f31fa390ff4d2e5090d36c5ccf738af65c0dd68e12d5643b9ccbafe6dff6bc739b4218e5308e7224de303

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
96KB

MD5
92685e142725124096225bb08dc7179d

SHA1
0c8b9c021884c89c5ece5502d5c194f13d3840ab

SHA256
203e120656ab48accbd1b00487d3383b01c21bebbd65e972b800fd68fa5bf346

SHA512
84f7e2a5396d8c9add2904779bc06df86ae2a943e63d378e7b24b9de412e01ec4e855b7243c02c17ee96f8bf70c03fbb9b2661fe18c00e94314580f96c6a47f5

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
96KB

MD5
5a6deb6a4fc128aad5f099a4367dc767

SHA1
4d6a09b4e70a13fcfb64a2ea4a6a0e6fd5c9a895

SHA256
0496698e09c5eddb519b6da2e7f758b09012b223342d2ea7a74838ba9a5a4a20

SHA512
61b722b027340bb157b6242958eee1239dda111d475aefafe25d9bc53fbceb8d91384eb071ff7c1ea40fe2be8f8aa7aad039fa330334d1da89837453cf453c9c

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
96KB

MD5
3d903a40268885fa35b2312bdb515141

SHA1
eac2a6c6c95726c85dff661ad7e17781371764c2

SHA256
3f82a26bfb21dec5c6097afafebd46a18ff32710fc81c546fabdd1a58d01d061

SHA512
1e18393c37ecdc4d1e6ae36bc80e19aa11825c3ac0d454ac9fd37901183e5a7e3843ccce393f3a01fe3919e94dbcb0aee261e76e5daf678c18ad28524552316c

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
96KB

MD5
5e370181408b40662bac06300f666a7e

SHA1
8e2048b449d6373215b765a61f3605fca7e0ff8f

SHA256
f4a92a04e596ff1e2687e9e5a2402b133b8ec5844fd01c7587ae13fff9dc8380

SHA512
3c93adb774231dea61ca27a6e042abf8e6f1380b4b51d3e268280a58cadeddcb08079eeccd5d486e6ff1d92e63e040786677df9e92b7dfddbec5e2fd102fffc1

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
96KB

MD5
4160081ee73395ca9e2bd3490b3780d8

SHA1
43f58a1f485d0be7ea2d21defdad20573e9d9a4d

SHA256
e1970363b3a1727a56b8965806fd66702aaeb504942649234f6598b05709998b

SHA512
d1295635de67c60ba9f6b5415dc9f2a3cf40e43ddbc76a9d8e71551ab5042731e81c6287a7a36564d1f57d746ee3149f95af318135df77009cee6b9948ecd8a1

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
96KB

MD5
fdea6fbdd68c94c5251b7ee832763146

SHA1
f148e53d235d3998601b1a62e45d98d5f2acbcbd

SHA256
475bc765dbe95423a5adac9917619855af0df651b33d7edf188946dfb85b4c41

SHA512
61b2a1e50fb8eda824c27dcbb59e56db83415d6b910d5df48d64cc598faaf2948b40f55e6dfb68a89a1b596809b6bc28f5fada3eb161d4fbbaf488f6dbb0eac7

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
96KB

MD5
2a12a4abe43424bb3d9e8cc5c8974b58

SHA1
585c8ec60bf3b61d96226831b38bf1829405abaf

SHA256
a97ec002b1fc74ed11551f82a4e691489d3f269e81620cfc4faf8a723a37faca

SHA512
04e65c0af64fa3473b8897b0b6f914ebc35ef4a9c2db652de1255e72a69bf38967816ce4d382c6465227474b511a09fb4f542da294740d53f2d8ea0cacb1fbfc

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
96KB

MD5
b621c928e98745ecb743333597fe7f84

SHA1
2ff6a2496fed209b83e2d551c08fcfe3369c6a0d

SHA256
8df2c0675018389f2df38b7d2f18e833b3fc8b5406edbf907d07dbaf6af092ec

SHA512
b0390a166e77eb41b2b3c4efcfbcaedfd580dfab2e0403912e2c80f8fd08b33408c6c04501d22b02469fff75de275110b05155adb0305938767de64c99a75c29

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
96KB

MD5
ffd7c1a1c3dfa99e9648726f54b3f606

SHA1
a651bb0b2960c0a91b4228af67e9928443977772

SHA256
5c83de82e91e102a5793922833bf7b74773e957eb5c9158bacb9d2a035a6b4b2

SHA512
dce895e919daed9ce58dfa37f1d4f9ea1a6d73a69016163ad990431315745a3d6843aa83da541df39a0a467d5842aece6a3dae746aa9667ab47a9c4144a980bd

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
96KB

MD5
4ca52df176fcdf4731a05d0961d26565

SHA1
fbc3c643b6eca1a1aac748ff1e7710a58bc6f689

SHA256
524f5cf628a0b0c27b14962661da914c3abbba185868be79bd4ea03b413d3ffb

SHA512
c205067bbf664d808b269e81f185ff64c31eeb02aa4a7039a7b31c40b0c540ce8c436d30865a776257ac2c031fd3ec42e107d31aada31d906e6ea0b2e7b5501a

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
29a1399c47b2bb8a1c4fdbc570cea086

SHA1
44e1a17158ce34ca494228fb4283e6f69203ef14

SHA256
c77672afbba87acc2cc0d994857cc9f00630edb2f2eb47c472cc38b246a04836

SHA512
6efe4d8f0d8d9173e44ab45e26ad69ab38094b9d210047f449427a52643bbe13a10af28d857bb97d5f7109efa67b308772ea344f5da9ada1be5ab5bee1178ed1

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
96KB

MD5
d82476b3f4f638645ade523e4fd0e366

SHA1
0ed5e14cd6371d6b2b214faae5bdb4d34875e628

SHA256
c4da9f2444fbd71b45a52f95734d5a46836008556f50ba61f33f6c6a48dc5d7f

SHA512
6bd2becf0f6fae025fc539fd545235caa42360c960e27fe6518f25184b8442c57e2128241f9ce202c07116f7b2e23039e552e004af7bec3b112bf3c0e7f9e9c3

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
eead8a82362d45c5ce00eaf95fe693a4

SHA1
539d1249196fac259b04e9c4e9f606f960c6d46a

SHA256
c8463a9aa72e7dbdaf5e38620aa6abaea9f369494e7acbc2408aa876942aa6df

SHA512
1f748f64dca5e0bb4dd6ad03959f4dc7e2fb811afecaa75ff5ee66ecd9c5873536728c7122f350cd67f907ac05eafdf6bd157bc66b6a419c2b9b93e0c87423d2

Download Submit
memory/64-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1616-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads