c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Size

93KB
MD5

54ada33fadd168d638e153be85943f2e
SHA1

1620f7ba2563e5ae03e54a6c1f26c08a0d3135a1
SHA256

c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c
SHA512

ffdbd6f96019512e0b745e6672fa817f25baef745a43612f70d0ef13c0fd3e28bd9a39f17bb3b7891aa1c9474403ed201375ac63f0b5824567162826663df448
SSDEEP

1536:ORu5u8EptA3E8ZAvALi5l0tAfgSwrajNsRQ4xRkRLJzeLD9N0iQGRNQR8RyV+32r:Q8v7deuX/e+SJdEN0s4WE+3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe

Executes dropped EXE 45 IoCs

pid	Process
4588	Jidbflcj.exe
1660	Jaljgidl.exe
2004	Jdjfcecp.exe
2404	Jfhbppbc.exe
732	Jpaghf32.exe
940	Jfkoeppq.exe
3088	Jiikak32.exe
644	Kdopod32.exe
2876	Kkihknfg.exe
3728	Kacphh32.exe
1460	Kkkdan32.exe
3472	Kdcijcke.exe
3488	Kgbefoji.exe
392	Kpjjod32.exe
2812	Kcifkp32.exe
1620	Kajfig32.exe
3304	Kdhbec32.exe
4464	Kkbkamnl.exe
3844	Lmqgnhmp.exe
4632	Lcmofolg.exe
4520	Lkdggmlj.exe
2664	Lcpllo32.exe
4188	Lkgdml32.exe
3588	Lkiqbl32.exe
3832	Lnhmng32.exe
3536	Ljnnch32.exe
3572	Lphfpbdi.exe
2716	Mnlfigcc.exe
404	Mdfofakp.exe
5080	Mciobn32.exe
3408	Majopeii.exe
1832	Mgghhlhq.exe
3056	Mpolqa32.exe
100	Mcnhmm32.exe
3140	Mdmegp32.exe
1196	Mjjmog32.exe
4320	Mpdelajl.exe
1756	Nacbfdao.exe
640	Nklfoi32.exe
1900	Nafokcol.exe
4884	Ngcgcjnc.exe
1520	Nbhkac32.exe
2076	Ngedij32.exe
1512	Nbkhfc32.exe
2988	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kgbefoji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	2988	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4588	4876	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe	81
PID 4876 wrote to memory of 4588	4876	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe	81
PID 4876 wrote to memory of 4588	4876	c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe	81
PID 4588 wrote to memory of 1660	4588	Jidbflcj.exe	82
PID 4588 wrote to memory of 1660	4588	Jidbflcj.exe	82
PID 4588 wrote to memory of 1660	4588	Jidbflcj.exe	82
PID 1660 wrote to memory of 2004	1660	Jaljgidl.exe	83
PID 1660 wrote to memory of 2004	1660	Jaljgidl.exe	83
PID 1660 wrote to memory of 2004	1660	Jaljgidl.exe	83
PID 2004 wrote to memory of 2404	2004	Jdjfcecp.exe	84
PID 2004 wrote to memory of 2404	2004	Jdjfcecp.exe	84
PID 2004 wrote to memory of 2404	2004	Jdjfcecp.exe	84
PID 2404 wrote to memory of 732	2404	Jfhbppbc.exe	85
PID 2404 wrote to memory of 732	2404	Jfhbppbc.exe	85
PID 2404 wrote to memory of 732	2404	Jfhbppbc.exe	85
PID 732 wrote to memory of 940	732	Jpaghf32.exe	86
PID 732 wrote to memory of 940	732	Jpaghf32.exe	86
PID 732 wrote to memory of 940	732	Jpaghf32.exe	86
PID 940 wrote to memory of 3088	940	Jfkoeppq.exe	87
PID 940 wrote to memory of 3088	940	Jfkoeppq.exe	87
PID 940 wrote to memory of 3088	940	Jfkoeppq.exe	87
PID 3088 wrote to memory of 644	3088	Jiikak32.exe	88
PID 3088 wrote to memory of 644	3088	Jiikak32.exe	88
PID 3088 wrote to memory of 644	3088	Jiikak32.exe	88
PID 644 wrote to memory of 2876	644	Kdopod32.exe	89
PID 644 wrote to memory of 2876	644	Kdopod32.exe	89
PID 644 wrote to memory of 2876	644	Kdopod32.exe	89
PID 2876 wrote to memory of 3728	2876	Kkihknfg.exe	90
PID 2876 wrote to memory of 3728	2876	Kkihknfg.exe	90
PID 2876 wrote to memory of 3728	2876	Kkihknfg.exe	90
PID 3728 wrote to memory of 1460	3728	Kacphh32.exe	91
PID 3728 wrote to memory of 1460	3728	Kacphh32.exe	91
PID 3728 wrote to memory of 1460	3728	Kacphh32.exe	91
PID 1460 wrote to memory of 3472	1460	Kkkdan32.exe	92
PID 1460 wrote to memory of 3472	1460	Kkkdan32.exe	92
PID 1460 wrote to memory of 3472	1460	Kkkdan32.exe	92
PID 3472 wrote to memory of 3488	3472	Kdcijcke.exe	93
PID 3472 wrote to memory of 3488	3472	Kdcijcke.exe	93
PID 3472 wrote to memory of 3488	3472	Kdcijcke.exe	93
PID 3488 wrote to memory of 392	3488	Kgbefoji.exe	94
PID 3488 wrote to memory of 392	3488	Kgbefoji.exe	94
PID 3488 wrote to memory of 392	3488	Kgbefoji.exe	94
PID 392 wrote to memory of 2812	392	Kpjjod32.exe	95
PID 392 wrote to memory of 2812	392	Kpjjod32.exe	95
PID 392 wrote to memory of 2812	392	Kpjjod32.exe	95
PID 2812 wrote to memory of 1620	2812	Kcifkp32.exe	96
PID 2812 wrote to memory of 1620	2812	Kcifkp32.exe	96
PID 2812 wrote to memory of 1620	2812	Kcifkp32.exe	96
PID 1620 wrote to memory of 3304	1620	Kajfig32.exe	97
PID 1620 wrote to memory of 3304	1620	Kajfig32.exe	97
PID 1620 wrote to memory of 3304	1620	Kajfig32.exe	97
PID 3304 wrote to memory of 4464	3304	Kdhbec32.exe	98
PID 3304 wrote to memory of 4464	3304	Kdhbec32.exe	98
PID 3304 wrote to memory of 4464	3304	Kdhbec32.exe	98
PID 4464 wrote to memory of 3844	4464	Kkbkamnl.exe	99
PID 4464 wrote to memory of 3844	4464	Kkbkamnl.exe	99
PID 4464 wrote to memory of 3844	4464	Kkbkamnl.exe	99
PID 3844 wrote to memory of 4632	3844	Lmqgnhmp.exe	100
PID 3844 wrote to memory of 4632	3844	Lmqgnhmp.exe	100
PID 3844 wrote to memory of 4632	3844	Lmqgnhmp.exe	100
PID 4632 wrote to memory of 4520	4632	Lcmofolg.exe	101
PID 4632 wrote to memory of 4520	4632	Lcmofolg.exe	101
PID 4632 wrote to memory of 4520	4632	Lcmofolg.exe	101
PID 4520 wrote to memory of 2664	4520	Lkdggmlj.exe	102

C:\Users\Admin\AppData\Local\Temp\c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe
"C:\Users\Admin\AppData\Local\Temp\c7d0a3e94e15489486006b53e2c5323d91e1ab51029161c07e8aa4bbf1f6d06c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Jidbflcj.exe
  C:\Windows\system32\Jidbflcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\Jaljgidl.exe
    C:\Windows\system32\Jaljgidl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Jdjfcecp.exe
      C:\Windows\system32\Jdjfcecp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 228
        47⤵
        Program crash
        
        PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2988 -ip 2988
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
93KB

MD5
f9011798dafac50072f585566d52985c

SHA1
58b14363a66052c7c03a7b44306a8d7ae16658ec

SHA256
5f3e2e40de2790213ecd933542819044c69683b7c6c4f08ec41361b3625dd6e5

SHA512
1f73fe1f2f6819e1971f0ea2cf9c72283185e2b48c69729a03184b9dd9fd41ee048a4c6b8fa7e61cfa66fecf1df454361a3ed7999ba313c4d06ec29af8ef4395

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
93KB

MD5
4feebae6b6b80c383e1acf627822c04b

SHA1
fde78f855a9e6b38bebe58de2f467827c8c166c8

SHA256
b329226802e099d8715ba5fec7c9f7831b9e2af1caac8916a01cb02ec9d92697

SHA512
cf7764cb7ca9c4e8ae86e9ac03398d7f1502922834a795427568bd4733c2c3e279416d8a3babaa17d257f2213c6ba1ba79895e5481f1478e70e59dbf9196b04d

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
93KB

MD5
2b832897e5750b5de2da9c4b9425e6e6

SHA1
f122b52c059d5d9c37f014b164d040d62ac8d67c

SHA256
01cf62b0854c12dddc6ecead9173fcee7e8cce58a67d03344e142c450114823e

SHA512
538aa202222770c376d36da27980956262946d9cf5f89d5dd47cc50d9f683024238fccf93f51df2dd70233c32723df97df3834fd63c1b985a2b2c6ce3eb9a3c3

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
93KB

MD5
74f60c4e96b9b31b86f5f193ac972d01

SHA1
36bd191d638aed94dcf479a3287260568db7a635

SHA256
e96b3fc65f39525673b76c9d760a1f3f9f583199929c3a1f43537ce3e777780c

SHA512
73e444d31e0ae141fba6e530d76bdca3810dd94a5876d7699649e6371b39e9a14c8f32f75c5608e1c292bd2d6b4278e527d66f1b764a5997678fffc6bb2a21bb

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
93KB

MD5
955d16f5da048a70c00efece46ff5b13

SHA1
0a16a2e2639bb5354b06d5f02f0d2e02cf4b05e1

SHA256
55899fc6a06ed8cb68e5c98bb9afda4e3a8eb465cb00e1d9f8a1fd20d4d15efd

SHA512
fd7b4251bfa265d3b3285d5848f43dfebdce180f63233d2ac7b22abbf36324d97672a7eca2acc72a91a7e79bb1dd916259b53c8da3381555456b5f3b52f361d4

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
93KB

MD5
1c413f9185a52b42377ba15109743e06

SHA1
971414da48793732fb061201667039858dfdc05a

SHA256
b19cd3dc384c0a73ab0efb0c7f4fc10948fe462debda9d0c77d5f3fe30337b73

SHA512
e0a6f6ff5946ec98eb5d7bf76e4eb67850b0f5847287e5d987387d639c73fa2487fe5c70d6f50a9d2316036593faa73cae5dcf9be318b7b21484142b3c674b75

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
93KB

MD5
1593a77bf8f2c498ee2a71db00803673

SHA1
f750930d108a62ee5acecc1512b81b5d13bee844

SHA256
bb6990c4c83903e5db84f7cf1e6d642620f1eab77466930ae2a30d76ed0171ed

SHA512
b684cea29ee4f5be3b3d23a49facadc4f9f0baf2c664b295b2a7c4d59e032e8299e2cdd234be8df71207ec6ce055717049fbb8438bab61458d7f722dd47ac518

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
93KB

MD5
9b8efdbc6d2479fde851b5f1525b2870

SHA1
9c5d3581f10bf2faceb8c6f12ca0cb86280e18e4

SHA256
c08a5b44821ed750dfdafb48bf16ce181c212fbc919f1bbbf0e2a49a1520e835

SHA512
1bfc1fdf0735fa1c06d31c563e825295d106ad027297b4112d9222f6777b1d2b1a067b0c2c70ece235f0f3fd8a5b3c2a39698a12550c5267256d606f2bb34465

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
93KB

MD5
c8e086474873d38862843cd73465aaf4

SHA1
ebcae18f9775ee8af3dde7af431381c3135085ed

SHA256
f883fe3933c030d7f57fec3c7f5de4e07260581564e32c1808d37faf2084d8c6

SHA512
f3fb11926a7b8de23874be96eb29cb6a1f2c4c5ffeabeb435e5d34f0bf3e563a8a235b3ccb933504229e5c8a894b850f214791bf0a3842d5b9fd48928f59779e

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
93KB

MD5
f6ab1538d00f2b7a44ce0a4f0427acd0

SHA1
e4586b0ce7260f9422d4df4af660b7c64292afb1

SHA256
505a35cee4a2f689e459f086f13b2f3e7d50870a22522fe60d02d7afbadf612d

SHA512
87c361034231289b425be573aa807a13a6a9f881c0ee70db454cb6446cb35b24c642202469a3dbe5cddcd6f1f1ece134171bd3f89b051fb92a93a1c4f548741f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
93KB

MD5
de1325e51203795c4f9b4078050161c6

SHA1
6c7115d2aec1e1ed050cd4ed3f5bfc7d84ddff21

SHA256
d0f20bbd53a36446d2db1f09786bfceaa7821e29b0fa265c81ce0c4cd3e34556

SHA512
9f9961cccdb9bbb886a3626b503538df1f04934d7078e3fe982c3ec8a915ee95c4dc5a8faa4a6a8a6e74c6978c23ed518aef75302418817990fd52d735b0474e

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
93KB

MD5
aea868e759485dac07688ad4d7e11bd3

SHA1
4b8c4ede7d71668385aaf8011efa2bd1252e3e5c

SHA256
28f476b9522213cca28676b6e79c1bc76b0631a30e7909a7a90f7f6331256b78

SHA512
f357717f391de4072474196ab908071e359b7c9dbecc4cd8b7639701b9f27fbd84e75361e98199630366ff4d68c24af9d74ee35e68cd5a7f0514ecb8c3405788

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
93KB

MD5
cea362561cff662c54516dc5871e5db5

SHA1
c09ec8500ad908acf941058f3e2d49100ad87f91

SHA256
00c7393df5fc3a631921f8ecb104e18d86b37ba8e50ec42954f98b9963abebbb

SHA512
5dc5d8045560f18374315d8151f1e2f564f886fbf8a5fbcf8897861132693138be21fbc86875629074d33b1e15eb7965d635d48ec53907fa51d01903d5811d78

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
93KB

MD5
5407a3cc2c9af3eac8a2cd632df17748

SHA1
78e2b9f30d17e176be20323d17f009037c09f0d5

SHA256
e6f9a76487bb85f4fc13707af8ca0c50f159b0ac6814dd1b645f2e565baa03e0

SHA512
aa47077e5882ec527528d6a142730ad73aa9085dc238c7164f87ac1e3ea3582de13ff0e0edc620f1ff520b8c97f1dd2c3fc6d7d2d89e9adbc0b6e72036a37c30

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
93KB

MD5
694e0c95cf6acff133da18d9a3a8e4af

SHA1
1724e812abcd8140dfee9ed1769a7f656c26d46c

SHA256
51c73320fb88ef2732d898816fa406c004e8cf38a104c2def315471f43984552

SHA512
fa708bfb853a4b8377d5eea56ec9a2af0159a9c2a20b5952a0f27e1f241502ac1f773656a8f7c0bfa1ffaff8c3c42d9cf19ef3341068125b39e6478e3e9e6e5a

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
93KB

MD5
e06e416cd76a4109c4af24c0f9184cb2

SHA1
b3955a8c3842ba9decfdd5010b174ed65c12dc01

SHA256
278b85605829a476313654e604c93a05bf8d7e61e34cccb9bbbbde8aa31b376c

SHA512
77b52f3e393b0990c415520ebf8fe7eac36a32b724bc7589e1ce950d83199b5a370e33e5c9a48f9d3a6ad835064cc247b8ae12853c034a55e1db9f8812f67edc

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
93KB

MD5
e445f911212aa80ea4deffe172e99d12

SHA1
52b2677a24035a6a92f24fb747f6861eda53eb46

SHA256
67b9c4efb2c21ca4a411b02bc250d6c07c84b5df4c7ebfc21f0e5f1ea5719318

SHA512
cb267507c6b0ca261aecbb9da4a458731ccfdb37695d2dca57abc51f583bde8d9b90fc1dffa816e5813e7eb48ccd634dfc74216cf2910255a38f5ef2c24cb033

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
93KB

MD5
25d382211907516030471925d049b701

SHA1
998f1dd95dfc299dea090d9a0b3b44f8f9baed04

SHA256
71e264b1cabda6dd8117b0b6774d67a1a8b298555c4e33037ea665541de5b206

SHA512
83500863901b57e29c34e41628e3b8ef28a08c0e6a8b9cec14cdbc4fcaa34f5efa8351bd8c6fb915c8c1f9a1c50030e09d920298e9c0a46e0d5c2e23c5cd5961

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
93KB

MD5
bf8fddd8fc7be401f2f2dbedc718abbd

SHA1
3fd43f3790ec3d3a6171b89ff48b37430136dbc5

SHA256
c5f89a009cbddd9fbd7b98fbc1e0d64bcb46c42fe218e29903c4f68995c21777

SHA512
15cac70d051b99b3bc72f7498c3eebf339bea3cb32cf8db44f9390c3b92c4b2aa94cf5aff527ca70a972fb0f8bb7d6f8120a83311b9512171d470b0ac22f4bb0

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
93KB

MD5
174d3d059da86a41617ec6d3121a7a8d

SHA1
c1d73cf45ec880a42619daaecb6121b6790d9f3d

SHA256
7ee3eb6f3bb5c9a278759ce4d181c85cbdd8acf6ee5efde8224dc252c13137e7

SHA512
fdb0c39e1f6c6a20935bfd618e38455144464668e20f900ed53d73f0b165f5e53d42aa57e4a92e7cf41f1873239a297788139500865ceeb4e0db591dd28dd5a8

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
93KB

MD5
e93e3919e3f7b51823a1ca78b43831cf

SHA1
cd29a9da4a93a00c81fd40d37f8d9953c8250a81

SHA256
7ecaf8099036c9456de4981337c2c94ebb1d3f2f4e1f0016f2b9dda066102002

SHA512
c18c26e5230dd13c712079b13ee20d322fda87334c21f20850ac11c22b4480232b8d2f8af9dafcbe7101d5f04fa57b5e72c26abfcac777b441361e76c4e3f802

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
93KB

MD5
64fc2f3b974a38cda9c72fd6f3425d98

SHA1
1c22442a8091d0a9387f60b540a52a452b51b20e

SHA256
2dc07df7eb8e9493f0565d949feb19a94b28026f30ae1672d5a8520efae866d0

SHA512
d595eae51319ac606bc591f43aaadc93a39286797093a6fc4d31e2be411717b97c920cddbace5d440752a1c1c899189a2bea674ad1c5a940ea965e8d6c09d897

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
93KB

MD5
190ed2a26415430c8d7bd5f0e26eaea7

SHA1
e4fa0b59056b65ed64b30ca7ee789e34465de0ae

SHA256
f30c2f0470ca74030b69372e2ea11ff7a3adf147509957046ed9cbbbe4c131f0

SHA512
a2f64d575e4fa8c32873116b3cf10d5123ad4362f8ea9b8cf954ad1e734da758948ae49690850de23fbb142c909410fda36f393320e58c3a1b915b41f9cc2c3f

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
93KB

MD5
0de6c88289292be38740739aea5e01c0

SHA1
42b0385423781054da6ade6bb882d07da8873404

SHA256
6054ade158d5eeabc539640ecfe403b3a22015a7e1c16ea2c2628e83a9bb6686

SHA512
4a945328d79a3dc034ee0efd2ce894445c0a914107ed3f7ea8f150c28d4312b059c08df1cb557d136f4388291c860e64da0151e565ab8b4e86ba2fc399337a89

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
93KB

MD5
f11309636ed43fe37597ec8db3d9f791

SHA1
ad22498f4f56002c66d8d43c2677b81fdc78cd00

SHA256
47911e4d36c81f4d1586929085613bad1edac9103893b46240c9a25c4884e88d

SHA512
f1c85512d9e421ee610ef4de1287924e21f183a08f7558dbc02d6963f208c7d0463cc02697690b4ad57c5ca0d888fc524975a93b8fd0cb4edad2d1cf5819a2e2

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
93KB

MD5
392e5215d4e645e8c021ffaaa01a9289

SHA1
3da620d249ab7e9cced855c01bc281985823a675

SHA256
eff04a7919de6a432de1b0a0833a4b4850d22a73421c040b352b00f1127c4a12

SHA512
3157509a35719e876279fd15c295c9228e647ef664876b117fb26bd37f852991deef7fe495c102b9f9e5d23a289281810d7b17922dd1f37a05601faa3d721855

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
93KB

MD5
f9b96e2f7483390e5528893f9a73ebad

SHA1
23f936d192250047f2b8b30bd7a41c2578a756c7

SHA256
bc970cf28adda2b8f7221af220144211115466045cc56855d16ae309b5b80f71

SHA512
73c748e40865b43a12781741a1f82591724d6c6f7e8f248321101b79a67b5fb9b85a4f7c1ce7f3d76424fd9d76930de4da9b9196f4726798bc72ed76eed8753f

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
93KB

MD5
d2f27c9ae7bd0aa1bed7f65ecb5d59dd

SHA1
2ebfd12e18b1d73856b34a4261852b3d73ac8ad5

SHA256
0e3c5d8dc67e7239f8fcec9113e703c951ef1ea16ea1a03f85445ebe54aa5799

SHA512
b20deb320ea4086951ac43ff53cbfabec51d88db9b8da044ef5afa304bc8b951a8fa40b38f3d3d5557dfecbefad350af9b8084b726f8916d0755a6275e5e4dee

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
93KB

MD5
11c88407e2be7e0c9977cfbd7a9bd4db

SHA1
a7a93d5c369555848d633e95d5cc49172e4a5e0f

SHA256
9385f0c9588a66701f6fffc1e9dd5b60475e57b00799e64d7f0d0d4548f11e82

SHA512
cc502d1cc99c1278353655337fd04d13d8288e2ddda714c9da77b1a0ce036f11e3a6822dc77d489c9852332caf014bb9eb230416d6a2565cfce14388160666b7

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
93KB

MD5
827fdd23d245bf273d1ca3b95df9971e

SHA1
8a7420468c9c7914502cb094dc28b3f3d049576d

SHA256
ec85a30d08d65014bce16de14e565cc58362b2bd836285fd10d10a1e5aad2a9f

SHA512
a832f4e6abf27b272521e047c1d2fa3eb3c9955407540afa3c5bd73332940f37422a0ba912742e304cc4c7a99f1c0da410663660fc20f65490e3e47789ad2557

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
93KB

MD5
bc41132ccb4725a44ecd33af19b9e63a

SHA1
7b71da1abe8aa9174ed9b9386535b3f0c4e6f19f

SHA256
c858f383d1f7b61cd8c98acb775401900e1747812f70a50f2d70fb6878903a5e

SHA512
8e29fa3c4fe5a0116c029e39c0aef629b649588ca58d719a27c80f9d78cde04d433a4852a52b348226ebfa4473ef0e8af485df39483a090915e66c60afc63c78

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
93KB

MD5
f01f3b6f447313b49896e6577f77f414

SHA1
5e265523c347e1b14413feb2d14bb44b1ba5019a

SHA256
ae6c6efc1486def37d76dedcad180dce67c171dd2cb265340318574243b79479

SHA512
975e9c16b522e2af169260c626b4b150d5b76e766de6f77abbed5a815edf78e7532c34a3e0e497328d283005c8e47c5dea5973b80c9396f51631d817efe7a2c9

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
93KB

MD5
b8a24cddd95c75b809b08384e786fad6

SHA1
8b0273c29b260bc73dd5fbfd02e124d60f936cd1

SHA256
5835f6b79c232f1f88980e6e4fcec89e36b36ad1ca9bee9445cd88fc477595ee

SHA512
31183f2bd9f8ab01ffee9083c2705ee9ed72e9349e2dc4404f2c521ff4a7fb2ee49b4f151b34051beed03efe9a5456bcb886c233f0b157a007cde089938374ef

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
93KB

MD5
ae8ef4ecf7031065ffdf3cf62f6bebba

SHA1
0fc5f159abd64aaf0831d0a896e1d2c582cc05e4

SHA256
88d64be79d2608454f9d75e6a15eaea9d2f18b3200b7d237cf049e7e8efe62ea

SHA512
598204bade40f9f685859f63063747c480c3924552841af0b061620bee08501dc17bb9071717a4b9f4f3ffc31386ee0bb237dc6f52dd45ee4bdd3437bc34e2ca

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
93KB

MD5
b7364aec094801f081028bd8eec1ac40

SHA1
23fd78b0dbb68191c41b3f2cf78d19ba614f661f

SHA256
a0c26c34a0d290b94caa1ed7f05255e8a0ad0e45fee4b90487ff20542035be9e

SHA512
75680777f8d75ff35f94174cb0b5a76f1746212f145983f2592a7dc0c38169a3933d71bb97e70b52d56ba08628c681033f59b65b5e71bcaffd4e0cf1168e2bcf

Download Submit
C:\Windows\SysWOW64\Nilhco32.dll

Filesize
7KB

MD5
dba83b757aed71992ae5d19e5b4d2beb

SHA1
06151f714b164892bd7b039dbb89ca8dfbdfb9f7

SHA256
211f4d20c19db5246ee783006c91b6542922cd26bc28f3e1ef8eb7411566aaf2

SHA512
3f0fa101d8ce085104193fd1cb659fcbdb0cede12c922926eda1a1df411c44c6ecfa1bc0403acb0b9360a08ed67f26478ce16cd18ee4e44a4b42e5b40f1f84c3

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
93KB

MD5
2ff0212d4636ecb4ecb25e3e6b5dff1d

SHA1
475714050a4b8754ed1fbea1ef770220399571eb

SHA256
cf5fc237a86aac5c07a5a1a6c83cb45371c1d16e7608f634cba2d571b2afd6db

SHA512
f1ad5c7b1f74765df47ba0db63ec3e08fbc7c29f221364d4209ef2a3a83d28ce18e70361070b6f2e3b5a4f694838fc53656d46f3bb0435284a0dbf67371d5188

Download Submit
memory/100-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/100-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads