74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Size

790KB
MD5

4b0b4648c3a65e3d39c30bbb3dbb91b8
SHA1

62ee0888c543397da72fcda9c9b37ddd7c46bb40
SHA256

74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8
SHA512

ce412489d580d9c56a8652a4b4bdf3340972e27a173c5732409942233b5c2a6d657ac805083f7c91094afa5d742826649b8309cf71f684608a039f39e247c2ac
SSDEEP

12288:bCbJqdwNFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:KHdPLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe

Executes dropped EXE 25 IoCs

pid	Process
6116	Jbkjjblm.exe
5792	Jjbako32.exe
5780	Jigollag.exe
1804	Jpaghf32.exe
5188	Kdopod32.exe
2748	Kpepcedo.exe
1988	Kaemnhla.exe
5060	Kgbefoji.exe
4336	Kcifkp32.exe
1224	Kdhbec32.exe
3076	Liekmj32.exe
4976	Liggbi32.exe
1912	Lddbqa32.exe
1984	Mpkbebbf.exe
1900	Majopeii.exe
5076	Mjeddggd.exe
5216	Mgidml32.exe
3112	Mpaifalo.exe
4092	Mnfipekh.exe
3344	Nkjjij32.exe
5692	Ngpjnkpf.exe
3196	Ncgkcl32.exe
3884	Nqklmpdd.exe
5112	Nbkhfc32.exe
4552	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mnfipekh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	4552	WerFault.exe	105

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Jpaghf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 6116	4836	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	81
PID 4836 wrote to memory of 6116	4836	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	81
PID 4836 wrote to memory of 6116	4836	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	81
PID 6116 wrote to memory of 5792	6116	Jbkjjblm.exe	82
PID 6116 wrote to memory of 5792	6116	Jbkjjblm.exe	82
PID 6116 wrote to memory of 5792	6116	Jbkjjblm.exe	82
PID 5792 wrote to memory of 5780	5792	Jjbako32.exe	83
PID 5792 wrote to memory of 5780	5792	Jjbako32.exe	83
PID 5792 wrote to memory of 5780	5792	Jjbako32.exe	83
PID 5780 wrote to memory of 1804	5780	Jigollag.exe	84
PID 5780 wrote to memory of 1804	5780	Jigollag.exe	84
PID 5780 wrote to memory of 1804	5780	Jigollag.exe	84
PID 1804 wrote to memory of 5188	1804	Jpaghf32.exe	85
PID 1804 wrote to memory of 5188	1804	Jpaghf32.exe	85
PID 1804 wrote to memory of 5188	1804	Jpaghf32.exe	85
PID 5188 wrote to memory of 2748	5188	Kdopod32.exe	86
PID 5188 wrote to memory of 2748	5188	Kdopod32.exe	86
PID 5188 wrote to memory of 2748	5188	Kdopod32.exe	86
PID 2748 wrote to memory of 1988	2748	Kpepcedo.exe	87
PID 2748 wrote to memory of 1988	2748	Kpepcedo.exe	87
PID 2748 wrote to memory of 1988	2748	Kpepcedo.exe	87
PID 1988 wrote to memory of 5060	1988	Kaemnhla.exe	88
PID 1988 wrote to memory of 5060	1988	Kaemnhla.exe	88
PID 1988 wrote to memory of 5060	1988	Kaemnhla.exe	88
PID 5060 wrote to memory of 4336	5060	Kgbefoji.exe	89
PID 5060 wrote to memory of 4336	5060	Kgbefoji.exe	89
PID 5060 wrote to memory of 4336	5060	Kgbefoji.exe	89
PID 4336 wrote to memory of 1224	4336	Kcifkp32.exe	90
PID 4336 wrote to memory of 1224	4336	Kcifkp32.exe	90
PID 4336 wrote to memory of 1224	4336	Kcifkp32.exe	90
PID 1224 wrote to memory of 3076	1224	Kdhbec32.exe	91
PID 1224 wrote to memory of 3076	1224	Kdhbec32.exe	91
PID 1224 wrote to memory of 3076	1224	Kdhbec32.exe	91
PID 3076 wrote to memory of 4976	3076	Liekmj32.exe	92
PID 3076 wrote to memory of 4976	3076	Liekmj32.exe	92
PID 3076 wrote to memory of 4976	3076	Liekmj32.exe	92
PID 4976 wrote to memory of 1912	4976	Liggbi32.exe	93
PID 4976 wrote to memory of 1912	4976	Liggbi32.exe	93
PID 4976 wrote to memory of 1912	4976	Liggbi32.exe	93
PID 1912 wrote to memory of 1984	1912	Lddbqa32.exe	94
PID 1912 wrote to memory of 1984	1912	Lddbqa32.exe	94
PID 1912 wrote to memory of 1984	1912	Lddbqa32.exe	94
PID 1984 wrote to memory of 1900	1984	Mpkbebbf.exe	95
PID 1984 wrote to memory of 1900	1984	Mpkbebbf.exe	95
PID 1984 wrote to memory of 1900	1984	Mpkbebbf.exe	95
PID 1900 wrote to memory of 5076	1900	Majopeii.exe	96
PID 1900 wrote to memory of 5076	1900	Majopeii.exe	96
PID 1900 wrote to memory of 5076	1900	Majopeii.exe	96
PID 5076 wrote to memory of 5216	5076	Mjeddggd.exe	97
PID 5076 wrote to memory of 5216	5076	Mjeddggd.exe	97
PID 5076 wrote to memory of 5216	5076	Mjeddggd.exe	97
PID 5216 wrote to memory of 3112	5216	Mgidml32.exe	98
PID 5216 wrote to memory of 3112	5216	Mgidml32.exe	98
PID 5216 wrote to memory of 3112	5216	Mgidml32.exe	98
PID 3112 wrote to memory of 4092	3112	Mpaifalo.exe	99
PID 3112 wrote to memory of 4092	3112	Mpaifalo.exe	99
PID 3112 wrote to memory of 4092	3112	Mpaifalo.exe	99
PID 4092 wrote to memory of 3344	4092	Mnfipekh.exe	100
PID 4092 wrote to memory of 3344	4092	Mnfipekh.exe	100
PID 4092 wrote to memory of 3344	4092	Mnfipekh.exe	100
PID 3344 wrote to memory of 5692	3344	Nkjjij32.exe	101
PID 3344 wrote to memory of 5692	3344	Nkjjij32.exe	101
PID 3344 wrote to memory of 5692	3344	Nkjjij32.exe	101
PID 5692 wrote to memory of 3196	5692	Ngpjnkpf.exe	102

C:\Users\Admin\AppData\Local\Temp\74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
"C:\Users\Admin\AppData\Local\Temp\74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:6116
- - C:\Windows\SysWOW64\Jjbako32.exe
    C:\Windows\system32\Jjbako32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5792
  - - C:\Windows\SysWOW64\Jigollag.exe
      C:\Windows\system32\Jigollag.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5780
    - - C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5216
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 412
        27⤵
        Program crash
        
        PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eplmgmol.dll

Filesize
7KB

MD5
46415898da8b1279fdfe65eabce1a05b

SHA1
e9296f5f84bbcb179f649631969c22a59255cb0d

SHA256
74594ef0a3b65b06d8792ace1232cda18698b1ed1534148c4cbd9dd27c8fa597

SHA512
947092f0c237804e759adcd13d5edb44dd852f4b8250354c2ad303db8254bb6e74097aa839ca213ad69d82a5d0cba7366178bde678d6f746adf8316a65893722

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
790KB

MD5
99217e9e17914a2680f6a66e43993cca

SHA1
408226ff40e8b81f6ebf2cfc9cdb1e3ea8a6848d

SHA256
c70d98b618862e9f5b9c3fc6a41af56e2860eb87ba9e2a296f4c48157814ed0a

SHA512
2feb54f8ea07dde96d6aa24630ccd52c0c03f9d6ba26a86dcee073fb13831dca49d72f9a062beb215723d83eec0eb24a83791d35b769cfc00988bb4e8880d1ea

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
790KB

MD5
db265e5635bc6e91da04c61cca18157b

SHA1
3b3d1c917483e9333cb035168814859bafcd97f6

SHA256
c8f9864d652f2ddcaf90d4fac98a5ed87938b106a15995e504cc6d363ded5e4b

SHA512
52d0583b6f2e756889104742e2242b5224b7be01253d34fab56650445656142e7a603bc421cc8182706cf63f828d667ea3b5a37d5297b7753818d8b0bc6d25f3

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
790KB

MD5
ba64df31d8677437fde5fcc608879220

SHA1
5505b46d651a752e8ba66cacd2bf8f0be8372fc6

SHA256
f70d567c21caf2fb42fefbc3f4fe6ed97bbac3eb08d1662dee062b538cc29c09

SHA512
33388c09ce5aa74118d2dc7278e12925b194af9bf567cb7202406d3fcd081db946a9624af48ff8e28da782ced40cfa483968763fe6f9f1c3653e461a8cf6c303

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
790KB

MD5
29588e9fe87c18f4e86dae766bf4ea78

SHA1
e89dc76ae7ffad8651401359ab5cff858eb69168

SHA256
36f773dd896fe9e4a0a648550ebd295f192bcd596ad245029ca4ed0e4bf74ae4

SHA512
4317c3b9612d030de79a1602b71f8e981051d888a5e84ebee96d5ef812d1cd2539c585f0923f4a39a891618ffe500c2020e52049ea4bd6b0bcf11bd903d7f593

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
790KB

MD5
9d2c93919b3aaf49ca83e8ad38ec073a

SHA1
d100c8963b370ca97af6cf09144db42dfc33e3a2

SHA256
8614aa6f4c411ebe20f5eacb93a100cfc4631266bf02702aad8301966f1a79c7

SHA512
279e1674f257c921382e983a4bd3f33b82f60507e5b9f039eb0c76de744dfeb4eac724c410550f40c1723710cf28ab7fa1390f75df53754eebbf99dee756dc43

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
790KB

MD5
7488e3a86d562d9ad7f02c012862ba2e

SHA1
f08d41a2cdb4f80840501ab28858918c19af1cdd

SHA256
b5ba294fe9ee17941b7c08dcf28c008a47565f494195f9db605a392c6eafcac8

SHA512
e9ca84ad6e69d2ec5946b540fb657f55fdee9b67d9b18413508b5197428ebb2ce2c99943e60f3175afdb9762e844a0862d034db5f741b5042be0fa7149fa0823

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
790KB

MD5
80cfe03a66b0c6a4ac93bc986d6c22c1

SHA1
55b93b08d783ca30bbc09f5312033786d0a9efc9

SHA256
c72096e646f3e81b1fb8656387f5679ff489868fd1af132083b98b7c585b5c88

SHA512
d31ecc4bf04c1197af71d6d40a219b10b339cb19664b4fe694248ee1f1fc6fd381c3f5dcfb0439e92e7b6b621df78c12c26a9ad536d089fd68636dba6a3f4a46

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
790KB

MD5
a1e4a6bd447febd6dadcbf2b59e41112

SHA1
e69f8c47802b10f9162ccc259148d08eb90c2a73

SHA256
ba64bafaf08909edc6553d8e3e4fea524acf58f7ac159deb9450857840c85c85

SHA512
3e076d795d07bbe69df7a7d887a71e76efb92b55bdb575f5b5fb55f66f8102c98a53acd92f9d06d3726337bedeed4127ec7da8846f1c16328bb150dbeb0d225f

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
790KB

MD5
06c76dee2232b86f8717c14fc964833d

SHA1
64b935b96149bdf6a1624ae4c43dd1925c9171b8

SHA256
f7826e664fbc5661ec01c9d473589da399115dab0e3a81068b7b9f9a0e8e6b24

SHA512
65e475c19a47d1a8fc0e7f965f07924e03ae0c847be6bf70afee50dcf555212ad0db3c0e77eb0a8724bd8d480383f69359106ddb2d2cec7b127e1e8590dab418

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
790KB

MD5
404cdfe70b99f390383e127dc12537f1

SHA1
8291b9b1a75cf479b9d161fc0b712d84b1c5f610

SHA256
35c6cef702b4e0241d00e43eb8ae255685404487ff90368d891e372f25211a60

SHA512
008c4dafd95aa8349fe032573bf06e648a3f4f285e79b13fabb9828c7a9d6f0fb84b44ce7a922f4d668183c7732c343c644ea84534c7e566fab039b1696ec595

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
790KB

MD5
2fb67e8b15d059f89976ad233668b55f

SHA1
db71828435df2f64e45dadf99c966b10d4f1e03b

SHA256
a288d41e08abb9f7a5bb77e77834b27b69a3d64e326a8ca740ddf3dbeee988ac

SHA512
8a52494a76ccddc59d647c5fe522c69cb8d6c0ec198735d6fa5258d22f3b5baf6e092b5dbf83dcd7f216636e13a75e35fe9e4a334530770d23628f69d9609041

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
790KB

MD5
2c53ad62a96e3b6c9f92f88e380d075b

SHA1
c50273ae845f257168e1baaf93e6c4c9bef62c33

SHA256
a615fbf4faadac9dfc2fb06899d9c36fb7e3ed7c48af5378a95f6eace5698f57

SHA512
7a34a27a5d124a894a0ee9f99656514ef624db962a90645119810f0be4c587405910e738becc88d229bfcd6790387b7cc57ae19695b4e69cca9c1b31ef95ec02

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
790KB

MD5
ac5f1c7875f2372c0fe06f3b192ecffe

SHA1
912afec5f1a2703b6c0af1422e1bd5b1095797e3

SHA256
611dfe8605b623b619ad9f17f3fada7b505513a63801cbdb90848716d987217d

SHA512
92d81464c4ab8683b76a7b74509a5c9336ee210e47c339175d9325febd0e9132dde7975532c061456814fc33225cb3c1adbd0c87406f1bd1047f275e0f48c63d

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
790KB

MD5
9a02f9cab8f24930302d7f03aece18e2

SHA1
1f2ec0b134304fc505b11153f306d7b1a9bf5b91

SHA256
a672629f602a3f0eff29a75d858deed196e84a3e58b70f94f16542cdeff48b07

SHA512
c06be341e1f9356820faff9522b7647b023f62d91fe0cd8766eef57e62deb00f56ec50aa52c163fd346ba4827efd29473b91a11fde7a057f5b9f969c05def195

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
790KB

MD5
62c873c3d3fc2f597dc69bcbc18c2010

SHA1
cf2ed40bb46d7e5d5959ff754663c1f54a74942b

SHA256
ac5cead6e5a8e6e82c3a8b0bdf25a0005ab5dc22a90da3a5f68d0477f0bed7c5

SHA512
b1dbca2bac9043b2935b84d88463814f5f15eab9d0fa0e80dd2abf63347b7b517d11401f646def20d8b5378feb40fd986311f202c668059c963a3058c38cf246

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
790KB

MD5
13e314572b01290819bccc7586594244

SHA1
2b74057a7651c4a4265f387db458a27a047409e3

SHA256
a41548b4d9ae58feb251b433c3047fcc9c31d840a342a46b141baa585056e924

SHA512
7cbaab012943b8a2988476889526495c61766640f0cd8ed9d24f3d9935f2faa7ed754d5ddc6e806b1c50d3638e5a81070a3ede97fcabfac0d984d48c1530abcd

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
790KB

MD5
890bb70fe70317460f233d8e046b1eb2

SHA1
14dde4224ea86c31ea9b14f078b7f7091c385659

SHA256
6c989d38301c61dce75829b6d3ea3f9006bbce82c924bd4699df4182b91fffb5

SHA512
7cdc3547a57944560f1950259def72675b68d4a3ba5c8ceb6baecc13e7979bbc4048c6f8018daf763c5b78e0ac2dde16cecff172fa4d2df1cc7a9f062e37ccec

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
790KB

MD5
d841dd2023b67cd6aaba8fd08e58df2c

SHA1
5a4350498ae2d8273bce0c0774bb0745eba7f917

SHA256
92ecac01bf4745b1eb3664e8c53affca9d450eee0b885748891fda2ea051f8a8

SHA512
f3df27f9c8add99e554932d698d4165acc9ce67c559c1d272b46d519d9fb8cef8e1b6e50a12a0cbad83080508ceaa66af082f65bbf43ed459e5b2680d9f3c660

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
790KB

MD5
64067ad86a573cce5efbf498e98c4358

SHA1
01b99d4597530c497249042d318352e2b4d0e302

SHA256
8a883fc7a8e96d080ed8e71fbd31a4ae33945634d21858d536720ba49bc9e4c6

SHA512
08c62dce1623307c9ef512a1441f9cf34672e93dd0553ceef4b184f253f84b783a21869933af775155ae58572238fce0b17ad3341ad8dbe73e674ba8ab560e1b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
790KB

MD5
9399722edfaf6a249acfa64f4fbe5f1c

SHA1
7638112c3b85003542c8d3fd03c4e8a925a1e6ba

SHA256
f818356e0f981c1c21357e38d53124a215e3bd19ff2e0b7643df9967fc7a21a6

SHA512
c38d7d56e988e8ef19375d51aacd238f1bace1ca58de2e53c3f563493cf14603d15c8bed0230738abafb9c6a3d21da1b9930bd44cd56b479b8462ba013633240

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
790KB

MD5
dc8dae927f75c6cd6a363ba6761b2a2f

SHA1
2eec4d2edb4380428a823a2a849c44d0f95aff2e

SHA256
425045051b2757696a750b3a0f9103bda98242d4465917d14977724848ed5781

SHA512
c54b68e9d76ea6cb8d6b4cdc9e7e0cb3d5354de5e61d3cc72da9b252dca3937b3e1010cb519696f74d716964c3b6fbca7796c8e590798670ed7f8c533228a730

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
790KB

MD5
d0274d71f184bcc4679425a58ef373e3

SHA1
f6ebdcd425856ad08d2c7fd946a0bda36e8088b2

SHA256
277b4ddf9490310ba15bce4c7387ddd511fc254ee76abdf678b5a52383fa9d8b

SHA512
2aa38b0bdeb3707387930a86c4ffb448ec431091ce85e48b271a5dccfedd8cb0f8f8a229f3c9e7635fd31f4b2a1fca4d54cad14cddd8623a5d786330d66ca57e

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
790KB

MD5
13978ec5c5bc75db153a9330b03f1f9e

SHA1
bd902d603f1200e447338307d44f0526b9e94e50

SHA256
9faf57c251a41a7ae0911277733dac96346819166fd0a640e866bf2721c0d370

SHA512
38955e5714dc4896a4c98cf50eabffbd2b05b51a55e8b7cb7f6a1a93e1bdf8a62bb841b6b600cb2fc6cef42bc7dce3ff7d7d40fc52ea6faeb822d909cb3282a5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
790KB

MD5
80a4a6e543d3634b8e8d9926a041a42b

SHA1
adffc98df1685ef1bd2707aed7533c8bf7c1b253

SHA256
aebe65e297cce47655855d7160474644edb03863174ca9da9247e98c291b8b5c

SHA512
8a5ca47541832a1463889d0f004e28e99af0912ebb7cf8434522b0f8adc402fbfe83c62080b3be31d50b676d7c3bf5756746bf4b18723bf814bfa43df407a4ae

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
790KB

MD5
98e5dc2b9dd68ab4d2953b0c79ed9fb7

SHA1
e0a172158d807bb4f1cf5cc67cf14357e0e2247f

SHA256
cade4cb6bb8de6ce1c2fe6c1d636d7e7f2d529214636a4d442aa0c3214f64ba9

SHA512
f2166901380bd1d6ef4d67c68885223fcd31674ff2baf5b04709a74e93c5304197f4ac777326e00b76bf770fac7f83daa5ef5573e6e949e7d118dd1ebbba2dd7

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
790KB

MD5
f548b567d903137f2921207d79151455

SHA1
fb7502306b74f2ccb4f26fbf24fd15fb603b5c31

SHA256
91b5dc755fcea7c2471c7362f9f0fc96175ceff849985960236dbf1c9d6ceb3a

SHA512
b4f1375f96e246812ee0fe17ad8ca27385cbd0d0f5ae1cee0a8700635f304bb705243268c067c2a817818dad1d546d83ea3e8b8537e544ad7c57a1f8e366640a

Download Submit
memory/1224-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5780-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6116-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads