21f3904630375f7535082597ed80c26e2e25c5730ab8fd72dbe828c15182c47d

Analysis

max time kernel
113s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41889f1c5c83807421fd403492e857c0N.exe
Size

461KB
MD5

41889f1c5c83807421fd403492e857c0
SHA1

8dca1eddcc5b69995a602e2fe7bd087ad616808f
SHA256

21f3904630375f7535082597ed80c26e2e25c5730ab8fd72dbe828c15182c47d
SHA512

2ae7af4b8bb52bfc7b5a69a2ae106f069e9219104086c5f0913594b212f7bd3e67b9969f774f1eab4d547668aba236aba1e161d34470d3ddeed083d75299b09b
SSDEEP

6144:om08m76gbQ8NQDVi3ULUgNQPi3UPUgNQViEUjUgN:a8wbiUJ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngencpel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lefikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnnndl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icdhnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdadadkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlepioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jclnnmic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflcok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keappgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcncbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kioiffcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnndl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgdnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdfgbhf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	41889f1c5c83807421fd403492e857c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	41889f1c5c83807421fd403492e857c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqokgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngkdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhoegqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipfkabpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflcok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laogfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keappgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdadadkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kioiffcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngkdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdfgbhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnqkjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcncbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kobkbaac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaljjdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Injlkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kobkbaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inhoegqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipfkabpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icdhnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injlkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaljjdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefikg32.exe

Executes dropped EXE 31 IoCs

pid	Process
2380	Inhoegqc.exe
1812	Ipfkabpg.exe
2940	Icdhnn32.exe
2976	Injlkf32.exe
3040	Jclnnmic.exe
2956	Jngkdj32.exe
2780	Jdadadkl.exe
1276	Jknicnpf.exe
2756	Jnlepioj.exe
2884	Kqokgd32.exe
2880	Kobkbaac.exe
2876	Kflcok32.exe
1104	Kcpcho32.exe
2368	Keappgmg.exe
1800	Kpgdnp32.exe
1088	Kfaljjdj.exe
2564	Kioiffcn.exe
340	Lnlaomae.exe
1072	Lefikg32.exe
2308	Lgdfgbhf.exe
1700	Lnnndl32.exe
608	Lehfafgp.exe
1956	Llbnnq32.exe
560	Lnqkjl32.exe
1940	Laogfg32.exe
1952	Lcncbc32.exe
2844	Ncjbba32.exe
2128	Ngencpel.exe
268	Nickoldp.exe
2964	Ohkdfhge.exe
2772	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
1872	41889f1c5c83807421fd403492e857c0N.exe
1872	41889f1c5c83807421fd403492e857c0N.exe
2380	Inhoegqc.exe
2380	Inhoegqc.exe
1812	Ipfkabpg.exe
1812	Ipfkabpg.exe
2940	Icdhnn32.exe
2940	Icdhnn32.exe
2976	Injlkf32.exe
2976	Injlkf32.exe
3040	Jclnnmic.exe
3040	Jclnnmic.exe
2956	Jngkdj32.exe
2956	Jngkdj32.exe
2780	Jdadadkl.exe
2780	Jdadadkl.exe
1276	Jknicnpf.exe
1276	Jknicnpf.exe
2756	Jnlepioj.exe
2756	Jnlepioj.exe
2884	Kqokgd32.exe
2884	Kqokgd32.exe
2880	Kobkbaac.exe
2880	Kobkbaac.exe
2876	Kflcok32.exe
2876	Kflcok32.exe
1104	Kcpcho32.exe
1104	Kcpcho32.exe
2368	Keappgmg.exe
2368	Keappgmg.exe
1800	Kpgdnp32.exe
1800	Kpgdnp32.exe
1088	Kfaljjdj.exe
1088	Kfaljjdj.exe
2564	Kioiffcn.exe
2564	Kioiffcn.exe
340	Lnlaomae.exe
340	Lnlaomae.exe
1072	Lefikg32.exe
1072	Lefikg32.exe
2308	Lgdfgbhf.exe
2308	Lgdfgbhf.exe
1700	Lnnndl32.exe
1700	Lnnndl32.exe
608	Lehfafgp.exe
608	Lehfafgp.exe
1956	Llbnnq32.exe
1956	Llbnnq32.exe
560	Lnqkjl32.exe
560	Lnqkjl32.exe
1940	Laogfg32.exe
1940	Laogfg32.exe
1952	Lcncbc32.exe
1952	Lcncbc32.exe
2844	Ncjbba32.exe
2844	Ncjbba32.exe
2128	Ngencpel.exe
2128	Ngencpel.exe
268	Nickoldp.exe
268	Nickoldp.exe
2964	Ohkdfhge.exe
2964	Ohkdfhge.exe
2732	WerFault.exe
2732	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efcjij32.dll	Kqokgd32.exe
File opened for modification	C:\Windows\SysWOW64\Llbnnq32.exe	Lehfafgp.exe
File created	C:\Windows\SysWOW64\Ipfkabpg.exe	Inhoegqc.exe
File created	C:\Windows\SysWOW64\Jknicnpf.exe	Jdadadkl.exe
File created	C:\Windows\SysWOW64\Kobkbaac.exe	Kqokgd32.exe
File created	C:\Windows\SysWOW64\Gfcdcl32.dll	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Jclnnmic.exe	Injlkf32.exe
File opened for modification	C:\Windows\SysWOW64\Jclnnmic.exe	Injlkf32.exe
File created	C:\Windows\SysWOW64\Jngkdj32.exe	Jclnnmic.exe
File created	C:\Windows\SysWOW64\Picadgfk.dll	Jnlepioj.exe
File opened for modification	C:\Windows\SysWOW64\Nickoldp.exe	Ngencpel.exe
File created	C:\Windows\SysWOW64\Lefikg32.exe	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Lnnndl32.exe	Lgdfgbhf.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	Lcncbc32.exe
File created	C:\Windows\SysWOW64\Jnlepioj.exe	Jknicnpf.exe
File created	C:\Windows\SysWOW64\Jdfipdll.dll	Kcpcho32.exe
File opened for modification	C:\Windows\SysWOW64\Kioiffcn.exe	Kfaljjdj.exe
File opened for modification	C:\Windows\SysWOW64\Jngkdj32.exe	Jclnnmic.exe
File opened for modification	C:\Windows\SysWOW64\Kcpcho32.exe	Kflcok32.exe
File created	C:\Windows\SysWOW64\Oefkcp32.dll	Kfaljjdj.exe
File created	C:\Windows\SysWOW64\Llbnnq32.exe	Lehfafgp.exe
File created	C:\Windows\SysWOW64\Gagmjgmm.dll	Inhoegqc.exe
File created	C:\Windows\SysWOW64\Pdglfeli.dll	Ipfkabpg.exe
File opened for modification	C:\Windows\SysWOW64\Injlkf32.exe	Icdhnn32.exe
File created	C:\Windows\SysWOW64\Lpjocaab.dll	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Lnlaomae.exe	Kioiffcn.exe
File opened for modification	C:\Windows\SysWOW64\Lefikg32.exe	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Bggjeedg.dll	Lnnndl32.exe
File created	C:\Windows\SysWOW64\Pmpiei32.dll	Laogfg32.exe
File opened for modification	C:\Windows\SysWOW64\Kqokgd32.exe	Jnlepioj.exe
File opened for modification	C:\Windows\SysWOW64\Kflcok32.exe	Kobkbaac.exe
File created	C:\Windows\SysWOW64\Gleaik32.dll	Kobkbaac.exe
File opened for modification	C:\Windows\SysWOW64\Ncjbba32.exe	Lcncbc32.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Ngencpel.exe
File opened for modification	C:\Windows\SysWOW64\Keappgmg.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Gaiboaic.dll	Lgdfgbhf.exe
File opened for modification	C:\Windows\SysWOW64\Laogfg32.exe	Lnqkjl32.exe
File created	C:\Windows\SysWOW64\Kflcok32.exe	Kobkbaac.exe
File opened for modification	C:\Windows\SysWOW64\Lnlaomae.exe	Kioiffcn.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Icdhnn32.exe	Ipfkabpg.exe
File opened for modification	C:\Windows\SysWOW64\Icdhnn32.exe	Ipfkabpg.exe
File created	C:\Windows\SysWOW64\Doahjaco.dll	Jdadadkl.exe
File created	C:\Windows\SysWOW64\Lcncbc32.exe	Laogfg32.exe
File created	C:\Windows\SysWOW64\Ngencpel.exe	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Lgdfgbhf.exe	Lefikg32.exe
File created	C:\Windows\SysWOW64\Lnqkjl32.exe	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Laogfg32.exe	Lnqkjl32.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Ngencpel.exe
File created	C:\Windows\SysWOW64\Blagna32.dll	Nickoldp.exe
File created	C:\Windows\SysWOW64\Hnlalbhe.dll	Injlkf32.exe
File opened for modification	C:\Windows\SysWOW64\Jnlepioj.exe	Jknicnpf.exe
File created	C:\Windows\SysWOW64\Kqokgd32.exe	Jnlepioj.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Inhoegqc.exe	41889f1c5c83807421fd403492e857c0N.exe
File opened for modification	C:\Windows\SysWOW64\Jknicnpf.exe	Jdadadkl.exe
File created	C:\Windows\SysWOW64\Lgdfgbhf.exe	Lefikg32.exe
File opened for modification	C:\Windows\SysWOW64\Lnnndl32.exe	Lgdfgbhf.exe
File created	C:\Windows\SysWOW64\Pakpllpl.dll	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Kndlek32.dll	41889f1c5c83807421fd403492e857c0N.exe
File created	C:\Windows\SysWOW64\Kcpcho32.exe	Kflcok32.exe
File created	C:\Windows\SysWOW64\Lmieogma.dll	Kioiffcn.exe
File created	C:\Windows\SysWOW64\Kpgdnp32.exe	Keappgmg.exe
File opened for modification	C:\Windows\SysWOW64\Lcncbc32.exe	Laogfg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	2772	WerFault.exe	60

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll"	Ngencpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inhoegqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jngkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picadgfk.dll"	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lefikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Lcncbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keappgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiboaic.dll"	Lgdfgbhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnnndl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Injlkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfipdll.dll"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keappgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbagfo32.dll"	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmieogma.dll"	Kioiffcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjocaab.dll"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcncbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doahjaco.dll"	Jdadadkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnlepioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcjij32.dll"	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdadadkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kobkbaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpiei32.dll"	Laogfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagmjgmm.dll"	Inhoegqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipfkabpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kioiffcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bggjeedg.dll"	Lnnndl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbmhm32.dll"	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll"	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfcdcl32.dll"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Injlkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleaik32.dll"	Kobkbaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnnndl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlalbhe.dll"	Injlkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll"	Keappgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefkcp32.dll"	Kfaljjdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakpllpl.dll"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kioiffcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jngkdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kobkbaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kflcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neccdc32.dll"	Jngkdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdadadkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqokgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lehfafgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2380	1872	41889f1c5c83807421fd403492e857c0N.exe	30
PID 1872 wrote to memory of 2380	1872	41889f1c5c83807421fd403492e857c0N.exe	30
PID 1872 wrote to memory of 2380	1872	41889f1c5c83807421fd403492e857c0N.exe	30
PID 1872 wrote to memory of 2380	1872	41889f1c5c83807421fd403492e857c0N.exe	30
PID 2380 wrote to memory of 1812	2380	Inhoegqc.exe	31
PID 2380 wrote to memory of 1812	2380	Inhoegqc.exe	31
PID 2380 wrote to memory of 1812	2380	Inhoegqc.exe	31
PID 2380 wrote to memory of 1812	2380	Inhoegqc.exe	31
PID 1812 wrote to memory of 2940	1812	Ipfkabpg.exe	32
PID 1812 wrote to memory of 2940	1812	Ipfkabpg.exe	32
PID 1812 wrote to memory of 2940	1812	Ipfkabpg.exe	32
PID 1812 wrote to memory of 2940	1812	Ipfkabpg.exe	32
PID 2940 wrote to memory of 2976	2940	Icdhnn32.exe	33
PID 2940 wrote to memory of 2976	2940	Icdhnn32.exe	33
PID 2940 wrote to memory of 2976	2940	Icdhnn32.exe	33
PID 2940 wrote to memory of 2976	2940	Icdhnn32.exe	33
PID 2976 wrote to memory of 3040	2976	Injlkf32.exe	34
PID 2976 wrote to memory of 3040	2976	Injlkf32.exe	34
PID 2976 wrote to memory of 3040	2976	Injlkf32.exe	34
PID 2976 wrote to memory of 3040	2976	Injlkf32.exe	34
PID 3040 wrote to memory of 2956	3040	Jclnnmic.exe	35
PID 3040 wrote to memory of 2956	3040	Jclnnmic.exe	35
PID 3040 wrote to memory of 2956	3040	Jclnnmic.exe	35
PID 3040 wrote to memory of 2956	3040	Jclnnmic.exe	35
PID 2956 wrote to memory of 2780	2956	Jngkdj32.exe	36
PID 2956 wrote to memory of 2780	2956	Jngkdj32.exe	36
PID 2956 wrote to memory of 2780	2956	Jngkdj32.exe	36
PID 2956 wrote to memory of 2780	2956	Jngkdj32.exe	36
PID 2780 wrote to memory of 1276	2780	Jdadadkl.exe	37
PID 2780 wrote to memory of 1276	2780	Jdadadkl.exe	37
PID 2780 wrote to memory of 1276	2780	Jdadadkl.exe	37
PID 2780 wrote to memory of 1276	2780	Jdadadkl.exe	37
PID 1276 wrote to memory of 2756	1276	Jknicnpf.exe	38
PID 1276 wrote to memory of 2756	1276	Jknicnpf.exe	38
PID 1276 wrote to memory of 2756	1276	Jknicnpf.exe	38
PID 1276 wrote to memory of 2756	1276	Jknicnpf.exe	38
PID 2756 wrote to memory of 2884	2756	Jnlepioj.exe	39
PID 2756 wrote to memory of 2884	2756	Jnlepioj.exe	39
PID 2756 wrote to memory of 2884	2756	Jnlepioj.exe	39
PID 2756 wrote to memory of 2884	2756	Jnlepioj.exe	39
PID 2884 wrote to memory of 2880	2884	Kqokgd32.exe	40
PID 2884 wrote to memory of 2880	2884	Kqokgd32.exe	40
PID 2884 wrote to memory of 2880	2884	Kqokgd32.exe	40
PID 2884 wrote to memory of 2880	2884	Kqokgd32.exe	40
PID 2880 wrote to memory of 2876	2880	Kobkbaac.exe	41
PID 2880 wrote to memory of 2876	2880	Kobkbaac.exe	41
PID 2880 wrote to memory of 2876	2880	Kobkbaac.exe	41
PID 2880 wrote to memory of 2876	2880	Kobkbaac.exe	41
PID 2876 wrote to memory of 1104	2876	Kflcok32.exe	42
PID 2876 wrote to memory of 1104	2876	Kflcok32.exe	42
PID 2876 wrote to memory of 1104	2876	Kflcok32.exe	42
PID 2876 wrote to memory of 1104	2876	Kflcok32.exe	42
PID 1104 wrote to memory of 2368	1104	Kcpcho32.exe	43
PID 1104 wrote to memory of 2368	1104	Kcpcho32.exe	43
PID 1104 wrote to memory of 2368	1104	Kcpcho32.exe	43
PID 1104 wrote to memory of 2368	1104	Kcpcho32.exe	43
PID 2368 wrote to memory of 1800	2368	Keappgmg.exe	44
PID 2368 wrote to memory of 1800	2368	Keappgmg.exe	44
PID 2368 wrote to memory of 1800	2368	Keappgmg.exe	44
PID 2368 wrote to memory of 1800	2368	Keappgmg.exe	44
PID 1800 wrote to memory of 1088	1800	Kpgdnp32.exe	45
PID 1800 wrote to memory of 1088	1800	Kpgdnp32.exe	45
PID 1800 wrote to memory of 1088	1800	Kpgdnp32.exe	45
PID 1800 wrote to memory of 1088	1800	Kpgdnp32.exe	45

C:\Users\Admin\AppData\Local\Temp\41889f1c5c83807421fd403492e857c0N.exe
"C:\Users\Admin\AppData\Local\Temp\41889f1c5c83807421fd403492e857c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\Inhoegqc.exe
  C:\Windows\system32\Inhoegqc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Ipfkabpg.exe
    C:\Windows\system32\Ipfkabpg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\Icdhnn32.exe
      C:\Windows\system32\Icdhnn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\Injlkf32.exe
        
        C:\Windows\system32\Injlkf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\Jclnnmic.exe
        
        C:\Windows\system32\Jclnnmic.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Jngkdj32.exe
        
        C:\Windows\system32\Jngkdj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jdadadkl.exe
        
        C:\Windows\system32\Jdadadkl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Jknicnpf.exe
        
        C:\Windows\system32\Jknicnpf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Jnlepioj.exe
        
        C:\Windows\system32\Jnlepioj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Kqokgd32.exe
        
        C:\Windows\system32\Kqokgd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kobkbaac.exe
        
        C:\Windows\system32\Kobkbaac.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Kflcok32.exe
        
        C:\Windows\system32\Kflcok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Kcpcho32.exe
        
        C:\Windows\system32\Kcpcho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Keappgmg.exe
        
        C:\Windows\system32\Keappgmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kfaljjdj.exe
        
        C:\Windows\system32\Kfaljjdj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Kioiffcn.exe
        
        C:\Windows\system32\Kioiffcn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Lnlaomae.exe
        
        C:\Windows\system32\Lnlaomae.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Lefikg32.exe
        
        C:\Windows\system32\Lefikg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Lgdfgbhf.exe
        
        C:\Windows\system32\Lgdfgbhf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Lnnndl32.exe
        
        C:\Windows\system32\Lnnndl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Lehfafgp.exe
        
        C:\Windows\system32\Lehfafgp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Llbnnq32.exe
        
        C:\Windows\system32\Llbnnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Lnqkjl32.exe
        
        C:\Windows\system32\Lnqkjl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\Laogfg32.exe
        
        C:\Windows\system32\Laogfg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Lcncbc32.exe
        
        C:\Windows\system32\Lcncbc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ngencpel.exe
        
        C:\Windows\system32\Ngencpel.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\Ohkdfhge.exe
        
        C:\Windows\system32\Ohkdfhge.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        32⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Icdhnn32.exe

Filesize
461KB

MD5
48aaa7b6f6f9e4fb5afc719429fb7f85

SHA1
064546058a053c5f1e1ef5e57e463c2d427331c5

SHA256
f67156512698bb340886ffb2d5d462d5c32e9c51c6ee24990a7bf173655ebd8f

SHA512
17b2660bdc1ae2386fb470385fc25fe87a4c64c0e7b21a8773c3b4e8bbcc9524faaa8513504dffb0f58b735cc8e74229533df4fa9fd65216f092245583287513

Download Submit
C:\Windows\SysWOW64\Inhoegqc.exe

Filesize
461KB

MD5
5d7de0e9efc0a4dbdb68e7c43287215f

SHA1
f0bba0e68a6e925e00d41ef8727593f233ca174d

SHA256
de1f3e97c161e45b2f70617d90117088da039ebe009b5fcb7b9bce092d213b19

SHA512
100b7b617b5504cbd1c91dc0c08b7f09c3bdfedb74b9f68bea75c2eac4c8f9e563dd3125a635816cd593bf1648bfa16a35a22fe837cc2ef38e110a7392315f9b

Download Submit
C:\Windows\SysWOW64\Ipfkabpg.exe

Filesize
461KB

MD5
b222f2fb1842f3f9ef8e2fe45c76899e

SHA1
6071568d3c017414f667943b518c3d5a818cc75c

SHA256
6e4c5dd3a9f5266e133f21988e32dfbd5c1f8fa9c6e92489e228004f7aeed403

SHA512
ba1621a14c8f694835342d4391a8eefca5b7f721b5f6b6fa0c134c448bf975644949f6137c774f9508f6d4aaa683d2e75f81f54ba0ee611078f3efd6b8db9ada

Download Submit
C:\Windows\SysWOW64\Jdadadkl.exe

Filesize
461KB

MD5
23261e9cd5ecfc1c5103bd531100ae85

SHA1
14101a7a48f6f94c5698fad4ff4db5ecc2266746

SHA256
be25874d9a6906522be58dfbbbc04b98643182cd5b3baa42317c20583f3c478e

SHA512
1d556235b9e9071d428cd99a4c0a3e9883015fe6ef475ec70c6c6593c95af4ac506b2e96ebad3a4272d642f3b5613f498a6f809f96fc9a5669ec2f8e723790a5

Download Submit
C:\Windows\SysWOW64\Jnlepioj.exe

Filesize
461KB

MD5
7f6ac608df8ce63acd52462028b5a38a

SHA1
5fcd1ac1a06f1c4bb8380fdab89c286cebf91ea5

SHA256
c8597cb2c1f5ad0bcd72049c241fb46c87fea69f1a25a33425e97c40900d8909

SHA512
d39c7bd2c92d83aef2e71eb4f541e48a29a96cc0b3292c296794e8507882c3a0959043f3a90600835aeef557db5e67ee5f0907cb022f76557eb3881d29383e9e

Download Submit
C:\Windows\SysWOW64\Kcpcho32.exe

Filesize
461KB

MD5
5e70d70027a412ee7b72ad170e81b1c6

SHA1
0af18054ab1153d64b5471fad8726ae94ad28dcf

SHA256
b1955afc34e8710a882e532b3f18b477db126cca0859d9dc5cb616fcc9650762

SHA512
25968e5445dfa5b6d4124a0ca5c2afeabb1ad6c419ee35e731f51e0636d392d4c0cef935a9937c1ec673ec1de751b97ac1af9f5b5fe821cf36d47da6c28cf521

Download Submit
C:\Windows\SysWOW64\Keappgmg.exe

Filesize
461KB

MD5
7df6f205f2650b0892e78dc933325d1a

SHA1
21c25193577f4bb8b8237ded9be5e128875af4de

SHA256
9f8be387dd45890af990f1848766f8ae9397f0152e6431fda536a5ac77f4a561

SHA512
88b5198eec857483ec4ffbf445083437033e1c5de70a2780c4051054a04334a9e1194e2164fd74d2da9b95c51bd40191cb0a2854b25866f63f11a2be680e0bfe

Download Submit
C:\Windows\SysWOW64\Kfaljjdj.exe

Filesize
461KB

MD5
2f93425f0c9c16b6dd66f1aa75ea26f3

SHA1
a799339f6a8fb59dbafabf74a56428f2fb99c53e

SHA256
e6134fbe14926d429b0c0554ad63f422aa2aa0b4b7ef9df6a67bf6f09857dbdd

SHA512
819cda857c5e22859504adab17c578dd733d543016d649e2e82bbfa1e1ad39c863d7f502b712279427fe392e6b52564f909884a164d1a92a3fad19810c01ae3f

Download Submit
C:\Windows\SysWOW64\Kflcok32.exe

Filesize
461KB

MD5
910e2d14256c5d4cdd9a4a881bfec6a9

SHA1
0a00bfc846d341e221e7716d861762a9095fce6b

SHA256
fec1b2c77495c34d3327d3b6b3d752db6e721610bbfc674a34db38812651f0dc

SHA512
73f86f2773d97fc14448124f011d35c29b3a57483c5a43ba4d56c5a4d28b82d202c4a92752a7db7c73b50a3700f7adafdca12a6f036a9ab9af4a58f61af43793

Download Submit
C:\Windows\SysWOW64\Kioiffcn.exe

Filesize
461KB

MD5
7b294a09002a20c6a8a2bf7f320710b4

SHA1
dd29a0c9ce1e9342ae3c7407cc9f03fd6a7f3e06

SHA256
e92bead75ee9034816c7e4b7e17f1568679278a704cf7f1e7a91dd19e1105a08

SHA512
db9f95665cde7cd3106ee49bdf46fb92e146f6c2281d7c2d42b8938ef13bcf5f8e3d9ae183a4757b22798e7c2937042bf7025d28637a742fd62c7a168341de54

Download Submit
C:\Windows\SysWOW64\Kobkbaac.exe

Filesize
461KB

MD5
7997e054558dbf24903377d5fcd06461

SHA1
bc3531518bd62cdfb02f74fa912e485c99c459ec

SHA256
8f610fad98388650c07b5cd6fbceda663efffb60d8475a162cbc555547609844

SHA512
47080687259cb182ac6a11665468d9d806cc8c9fe8ae508b5df0a0eba21cc03e387ece8524848ed42345ac8ed0ca93d609bd6a350e634f298708ccf0ac8ba0ac

Download Submit
C:\Windows\SysWOW64\Kpgdnp32.exe

Filesize
461KB

MD5
85156bd301923deae98849c78e8d3577

SHA1
4a4ad0a723149fb3694591978aff0056c709f744

SHA256
f81008acaf8d5e74d4c2a6dab1658f769f8cb7821a985548e7b0ad4f44d494ba

SHA512
89f521f8f2aac455a207aa2cb2ca4da4975229ceb958aebb8ed10cb1cd973f08478d2d65a2c5d87d451edbfe0631748811071ad7ac497c8d96cdcdb5aef1e43b

Download Submit
C:\Windows\SysWOW64\Laogfg32.exe

Filesize
461KB

MD5
e44387cbc145143d153be6594315d19e

SHA1
fe43594cc6d4305b7155436df9fe6d38f6302994

SHA256
f33eb2ffc17321f288ac2cd34b8df0c70c7061766ac9d57a86ee51ef7d740a0c

SHA512
3a5ef8f5f748835d1e9d2c2f54e465cc2dd628db478ed417116ba4f2f8840a13fa83bb73db17c6a3e1a89843de117e3f9b7b37c72da41dfc3c168b03833d0443

Download Submit
C:\Windows\SysWOW64\Lcncbc32.exe

Filesize
461KB

MD5
91930e5571f599cac75813278815cd2f

SHA1
da4411f625893f0294353dfcb1dca58537b3429b

SHA256
ac0884fe09953647e5635c3a37be29ef79a338acbf62b98927744b0e641ed0ad

SHA512
f6833a18d247e39a72d7d7d9a542501c5f94aac33668c3ee9f90810580e6957efda17334717b98fd13c4953cf454696891a7f9a69fb6fd2df76bb03f712217ad

Download Submit
C:\Windows\SysWOW64\Lefikg32.exe

Filesize
461KB

MD5
cb2e11b4baa805f40246d9f741df723c

SHA1
8bb418d3f51e8fd5f338ff66430e56285c786893

SHA256
d78342538fce74599f1c8e1b9ce0b0ec8f4b3d35349fb4160da99fe4d70fa4f7

SHA512
6b5489ed3e71c9a86b96678ac67e66188424f10fd70c4044de94e6129cf016bca91764099186db8eb5395b9b69308d1bcffcb2645f0102b2489a62cc7dd7ebbf

Download Submit
C:\Windows\SysWOW64\Lehfafgp.exe

Filesize
461KB

MD5
8a8c4b70a8aad5bc60dda64d1a671076

SHA1
6ae49828e2ceefd646472ad75fd57366cc888d09

SHA256
4cc3fe7574ebb8e7134f75c632b0ca82c0df5c65c7cc019065535ea1b6b2ee73

SHA512
cf03ac290aa7891d8a768cdc2aac0fc3f9d745be7ccb6c0171bba3e13ac3ce7be560d38e7ffe808ed4d72946fade5a5dd01cd1ba7b8388dfeb979dc6ab47efe3

Download Submit
C:\Windows\SysWOW64\Lgdfgbhf.exe

Filesize
461KB

MD5
1ace11c88bfe5032ada0514bb4e50eb4

SHA1
49e33b91ee88a58d885a937fe3024a6f761dc4ed

SHA256
ab66dc4a33508a7f2f332591a24ed78eea9aacaac68960b96021b9f1688e85e5

SHA512
b9a582deba069ac33cce314e919782857bb20c518696e2891ec7802b1dcf30dde6087ad3ef84901f3416d073652e2848ca42c2858a15b4f70d1ad3e17a111112

Download Submit
C:\Windows\SysWOW64\Llbnnq32.exe

Filesize
461KB

MD5
8efee59c16a6fdc20c96af3bc4d8e569

SHA1
4e14d6b34ec5ae82bb041b665ae308691b6acbd7

SHA256
2fec62aae36a305b88b732064b45208fcde25e8b8872fd65357bef1ed98c4926

SHA512
1c8cd15738981a5aa2bf2775ce1b4df2bd9d9b87f5bd2ae033d067e46fcb8f29f02de8ba64a94405cc99cf2e8b85d7ff93fe334804f4c2499901e085b4e6982f

Download Submit
C:\Windows\SysWOW64\Lnlaomae.exe

Filesize
461KB

MD5
3e8de28975fb1b9029678e0a75b5c931

SHA1
3818b3120e745bcc08d3e9f96f5e343fad71bdb0

SHA256
c26c2f89aa3ccd15e6031b1027a75bea92f35d7bb18a3bb29ccb25b6e4883e99

SHA512
079500f703aba30b1b73d3866df565622ac8cf3a31963d286a87d528357c03359a7c3311ea66312c0ac9c370cf8a54d5ba46cbf2771bc8886f02e30246dd438e

Download Submit
C:\Windows\SysWOW64\Lnnndl32.exe

Filesize
461KB

MD5
35255061a1b9c5c9fe1098fd8c2d6756

SHA1
44e39b19ee94a37c428034dc19beb8c4ad2be109

SHA256
c66ed095dd3ac9127290e039aeb6ef7a66b809a309bb3777300948601d217f4b

SHA512
45593781d718829bf4434ea2484823466130756328493517b9f4a90aa4453da8ca11641c9a943bb092d4884ac23824a93f51462be531aab6f27d769499de7c92

Download Submit
C:\Windows\SysWOW64\Lnqkjl32.exe

Filesize
461KB

MD5
6f8b301bcb26e6121d8291af88c4e3af

SHA1
cf1aaf1896adda960c8a3dbbc18474f81e90477a

SHA256
427ca375863e4b653caad8147ec0c86d98920410088a90d163aff265def07607

SHA512
759bcb51759a7f655259c1245d45ff408d161a2f5751e5c02b2f52a98096eb7a3a282776a1cc97d8f238d2b76f5915bee2667854042194b0ebaa78fa00912372

Download Submit
C:\Windows\SysWOW64\Ncjbba32.exe

Filesize
461KB

MD5
803e5b0c3cb07994835ba2911eca0102

SHA1
36eb875c74246c9c71cd47c452b05f711e00c930

SHA256
8feb1e8018926d519bb0072a145a947af852ab5a269ac091fbea02c7d10fe438

SHA512
5566d4ca374e386ba6dbcf3bfd53dd1b2f7013c7fea860259f923fd0248998ea3ac254fce6e5f2a72b569c4ab9601e9ea25dbd74864dedfe254f724619a297f0

Download Submit
C:\Windows\SysWOW64\Ngencpel.exe

Filesize
461KB

MD5
8e1ed5ee60270fa58b520503856dad3b

SHA1
4c34a72a785a3a23ee0139e60bd79902eb76bd8a

SHA256
d0f1564eeee97ca6fca4dc2de68ebfd2337ffddca6b1892ab1ad16db4157da9a

SHA512
171069007faf303ee00c6dc64136fb6cc8bd5744968dbaea032f3b854dbdb47815d973d6578bc511318cbb2d27eae328441e2e9df28d4e3ac890b3ad81531ba4

Download Submit
C:\Windows\SysWOW64\Nickoldp.exe

Filesize
461KB

MD5
eef2f2e966ba3b53627b719f54b58596

SHA1
d2120ccdd8ba63b204cb749c4b9db797642dc7bc

SHA256
864232e5063cfe4ff8c176231d5aaf7ad5e7be16c2830e85cd65434ceab03884

SHA512
063f7c39d9dd9d2f1d0a627c0e476d6200dfbf32b4f88fc7da525f44f61fcaa3b042375ee687450591d89ea0b73c1f7a0be79334ef16f685be83012fa29d4085

Download Submit
C:\Windows\SysWOW64\Ohkdfhge.exe

Filesize
461KB

MD5
6b1063988529c63765a0e8251d43735f

SHA1
063839017aed656f27af76c111551cf486020df1

SHA256
a1ee9e5031f2052596a2f1fc54de7b79822518db3c74832951499507a4e4feed

SHA512
2999426789d3c88b6fec2931e83e37fff2afc9095f70a5a903308602f7027d9d2c14e51d14a2f45e18232c80952ddb6845170873d7addd1c014efe2519efb559

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
461KB

MD5
e7726654f5dcdb874168a4bce39be7b7

SHA1
2b93ddc2bf7e0872a6882e2995012287d5b7d7e8

SHA256
6d8b7a760389387ceadd66b171621e577b850746a067c2380ed927ec357c7e97

SHA512
ae7e4b054d23ebe56224dcfa2285e2abaead6faf4dcc862138cde5352d1f486c6b94e0a5ed14a94c783b1ec1f75a9ca64769452eade0d129b05d9c4fa4eea0e6

Download Submit
\Windows\SysWOW64\Injlkf32.exe

Filesize
461KB

MD5
033a2ff41c636ca08ea1aad05d00bd38

SHA1
0be2725c6c98382853b0d50331ae2e68a9ee1ba6

SHA256
0f7d16f5f08c111017ba82f8c4995209a738e34d4b958935c8389f5fcfbe4f2f

SHA512
e2d61f1b9f5197c1e695c25ba3f569edeffd28a29a2785825f7c6bc614e41fac8d54cceb649fe3182ef6b8096067d656e619e3a0f92aa52da4da2fb10f42b964

Download Submit
\Windows\SysWOW64\Jclnnmic.exe

Filesize
461KB

MD5
43d39124f5dac3c3986326e7776f9b25

SHA1
54206b63bc80e89def4dbeda484319888cf1c496

SHA256
7ada589eafd2d2f95ef4bf59a86035996a8c0c010cf8d0ae27546c6240c01828

SHA512
0755eddfd8ead9336d53296d261d132329bbc8e8a31bc61387bb3d104c5b61696f923dd54c212ebcc8c0795013db263a28526b2f8e09f0a914ad334f43974cf4

Download Submit
\Windows\SysWOW64\Jknicnpf.exe

Filesize
461KB

MD5
7a6e29ff130924e937c5af705c51a86a

SHA1
7597f98f0cf5e1d3389433fd129dbae2ecc4d6d8

SHA256
887739f7716307f39885be4e8b3ff032bf952b3ea405bfbf8558798aa1f74a16

SHA512
786ade9876a2eaf602453b3df09f323460fa2c6924286d99d70a701a4f7d1d0f4fdd333ca82670b038880f7e96db4d7bc376b77c1cb0b0bc9d6c290a4cf254f8

Download Submit
\Windows\SysWOW64\Jngkdj32.exe

Filesize
461KB

MD5
be522e9bb67e000d77f97e376140098f

SHA1
f2e4bd8f9f75f58d3d697e51ee8252b44f3b8d5d

SHA256
115c1e32dec505c060aff72f1fc8bdbe7be30751a2d28f4c680523eb541c9ac6

SHA512
2538164f4e6be25d0d6ced338a50d59bfad4e3cd2d921eccbb997b85cfa3591d4bf0a6d7f9d7fccbeefa7ef10bcdc6d737f65d23a9570eab42ef55d8b9ee84eb

Download Submit
\Windows\SysWOW64\Kqokgd32.exe

Filesize
461KB

MD5
771b99fa6bf657917af9354cc6438e19

SHA1
8d97c68b969f4eac6612ecddef1a5bba53a24cef

SHA256
e466aa1bb1f467ac92f0147e403d8460ab59cbe85ff87acc4645ea0eccdae4cf

SHA512
b0927234ef480cc3c1e26038ef3850e1af54a7d99c856dcb4095a611725fbde74e6fb7767891c381858dee956fe84b78505820b4958474890c8a8375f6d28445

Download Submit
memory/268-360-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/268-366-0x0000000000310000-0x00000000003AF000-memory.dmp

Filesize
636KB

Download
memory/268-365-0x0000000000310000-0x00000000003AF000-memory.dmp

Filesize
636KB

Download
memory/340-249-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/340-244-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/340-250-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/340-491-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/560-503-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/560-315-0x0000000000350000-0x00000000003EF000-memory.dmp

Filesize
636KB

Download
memory/560-306-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/608-290-0x0000000000310000-0x00000000003AF000-memory.dmp

Filesize
636KB

Download
memory/608-499-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/608-291-0x0000000000310000-0x00000000003AF000-memory.dmp

Filesize
636KB

Download
memory/608-285-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1072-263-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/1072-493-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1088-228-0x0000000000510000-0x00000000005AF000-memory.dmp

Filesize
636KB

Download
memory/1088-487-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1088-229-0x0000000000510000-0x00000000005AF000-memory.dmp

Filesize
636KB

Download
memory/1104-193-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/1104-195-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/1104-481-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1276-460-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1276-117-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/1276-118-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/1276-108-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1700-497-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1700-282-0x0000000000280000-0x000000000031F000-memory.dmp

Filesize
636KB

Download
memory/1700-284-0x0000000000280000-0x000000000031F000-memory.dmp

Filesize
636KB

Download
memory/1800-221-0x0000000000320000-0x00000000003BF000-memory.dmp

Filesize
636KB

Download
memory/1800-222-0x0000000000320000-0x00000000003BF000-memory.dmp

Filesize
636KB

Download
memory/1800-485-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1812-448-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1872-444-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1872-4-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1872-15-0x0000000000710000-0x00000000007AF000-memory.dmp

Filesize
636KB

Download
memory/1940-505-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1940-325-0x0000000000360000-0x00000000003FF000-memory.dmp

Filesize
636KB

Download
memory/1940-326-0x0000000000360000-0x00000000003FF000-memory.dmp

Filesize
636KB

Download
memory/1940-316-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1952-337-0x0000000000360000-0x00000000003FF000-memory.dmp

Filesize
636KB

Download
memory/1952-328-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1952-507-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1952-336-0x0000000000360000-0x00000000003FF000-memory.dmp

Filesize
636KB

Download
memory/1956-303-0x0000000000260000-0x00000000002FF000-memory.dmp

Filesize
636KB

Download
memory/1956-501-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1956-304-0x0000000000260000-0x00000000002FF000-memory.dmp

Filesize
636KB

Download
memory/2128-359-0x0000000000510000-0x00000000005AF000-memory.dmp

Filesize
636KB

Download
memory/2128-511-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2128-353-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2128-358-0x0000000000510000-0x00000000005AF000-memory.dmp

Filesize
636KB

Download
memory/2308-264-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2308-495-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2308-269-0x0000000002060000-0x00000000020FF000-memory.dmp

Filesize
636KB

Download
memory/2308-270-0x0000000002060000-0x00000000020FF000-memory.dmp

Filesize
636KB

Download
memory/2368-483-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2368-208-0x00000000002A0000-0x000000000033F000-memory.dmp

Filesize
636KB

Download
memory/2368-207-0x00000000002A0000-0x000000000033F000-memory.dmp

Filesize
636KB

Download
memory/2380-18-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2380-446-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2564-489-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2564-243-0x0000000000300000-0x000000000039F000-memory.dmp

Filesize
636KB

Download
memory/2564-241-0x0000000000300000-0x000000000039F000-memory.dmp

Filesize
636KB

Download
memory/2756-473-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2756-119-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2756-137-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/2756-138-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/2772-378-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-102-0x0000000000250000-0x00000000002EF000-memory.dmp

Filesize
636KB

Download
memory/2780-90-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-458-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2844-344-0x0000000002040000-0x00000000020DF000-memory.dmp

Filesize
636KB

Download
memory/2844-509-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2844-343-0x0000000002040000-0x00000000020DF000-memory.dmp

Filesize
636KB

Download
memory/2844-338-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2876-177-0x0000000000320000-0x00000000003BF000-memory.dmp

Filesize
636KB

Download
memory/2876-479-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2876-176-0x0000000000320000-0x00000000003BF000-memory.dmp

Filesize
636KB

Download
memory/2880-477-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2880-162-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/2880-163-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/2884-475-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2884-139-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2884-149-0x00000000004A0000-0x000000000053F000-memory.dmp

Filesize
636KB

Download
memory/2884-148-0x00000000004A0000-0x000000000053F000-memory.dmp

Filesize
636KB

Download
memory/2940-49-0x00000000004A0000-0x000000000053F000-memory.dmp

Filesize
636KB

Download
memory/2940-450-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2956-456-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2964-371-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2964-377-0x0000000002090000-0x000000000212F000-memory.dmp

Filesize
636KB

Download
memory/2964-376-0x0000000002090000-0x000000000212F000-memory.dmp

Filesize
636KB

Download
memory/2976-51-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2976-452-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3040-76-0x00000000002D0000-0x000000000036F000-memory.dmp

Filesize
636KB

Download
memory/3040-454-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3040-64-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads