db79a3c7e902f8e95adf8fd5bb41385b9e7ce9038280b860bc53add8c7cd7b8d

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50de3bd5f9616c760d134189bc5fd390N.exe
Size

45KB
MD5

50de3bd5f9616c760d134189bc5fd390
SHA1

0622570384f8833c706036ceef28aa827d882154
SHA256

db79a3c7e902f8e95adf8fd5bb41385b9e7ce9038280b860bc53add8c7cd7b8d
SHA512

97c27faa349e8f57523edd039002263acb2cf2d9c560d3ef517dc4a068f3d4f6aca86772c3830992d63aa6591fb7fa957ed6f693afee7fd00a6519ad3fd16bb9
SSDEEP

768:NKKeiBJjN7/L3EJp0Ysot6d2t/cNW0nuLUF7/1H5Ju:NKv8JNOBvtw2t/EnuL2tW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	50de3bd5f9616c760d134189bc5fd390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	50de3bd5f9616c760d134189bc5fd390N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe

Executes dropped EXE 22 IoCs

pid	Process
1512	Jmfcop32.exe
2596	Jimdcqom.exe
2712	Jedehaea.exe
2808	Jpjifjdg.exe
2928	Jibnop32.exe
2556	Kbjbge32.exe
2028	Khgkpl32.exe
2592	Kapohbfp.exe
2748	Kjhcag32.exe
1464	Kenhopmf.exe
512	Kkjpggkn.exe
1944	Kpgionie.exe
2204	Kkmmlgik.exe
2880	Kgcnahoo.exe
1652	Lgfjggll.exe
968	Llbconkd.exe
1660	Lcmklh32.exe
1476	Lhiddoph.exe
1768	Lcohahpn.exe
1348	Lhlqjone.exe
3024	Lcadghnk.exe
1396	Lepaccmo.exe

Loads dropped DLL 48 IoCs

pid	Process
2192	50de3bd5f9616c760d134189bc5fd390N.exe
2192	50de3bd5f9616c760d134189bc5fd390N.exe
1512	Jmfcop32.exe
1512	Jmfcop32.exe
2596	Jimdcqom.exe
2596	Jimdcqom.exe
2712	Jedehaea.exe
2712	Jedehaea.exe
2808	Jpjifjdg.exe
2808	Jpjifjdg.exe
2928	Jibnop32.exe
2928	Jibnop32.exe
2556	Kbjbge32.exe
2556	Kbjbge32.exe
2028	Khgkpl32.exe
2028	Khgkpl32.exe
2592	Kapohbfp.exe
2592	Kapohbfp.exe
2748	Kjhcag32.exe
2748	Kjhcag32.exe
1464	Kenhopmf.exe
1464	Kenhopmf.exe
512	Kkjpggkn.exe
512	Kkjpggkn.exe
1944	Kpgionie.exe
1944	Kpgionie.exe
2204	Kkmmlgik.exe
2204	Kkmmlgik.exe
2880	Kgcnahoo.exe
2880	Kgcnahoo.exe
1652	Lgfjggll.exe
1652	Lgfjggll.exe
968	Llbconkd.exe
968	Llbconkd.exe
1660	Lcmklh32.exe
1660	Lcmklh32.exe
1476	Lhiddoph.exe
1476	Lhiddoph.exe
1768	Lcohahpn.exe
1768	Lcohahpn.exe
1348	Lhlqjone.exe
1348	Lhlqjone.exe
3024	Lcadghnk.exe
3024	Lcadghnk.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	50de3bd5f9616c760d134189bc5fd390N.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	50de3bd5f9616c760d134189bc5fd390N.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Jmegnj32.dll	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Jimdcqom.exe	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Cbdmhnfl.dll	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	50de3bd5f9616c760d134189bc5fd390N.exe
File created	C:\Windows\SysWOW64\Jimdcqom.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kapohbfp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	1396	WerFault.exe	51

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	50de3bd5f9616c760d134189bc5fd390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	50de3bd5f9616c760d134189bc5fd390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	50de3bd5f9616c760d134189bc5fd390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	50de3bd5f9616c760d134189bc5fd390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	50de3bd5f9616c760d134189bc5fd390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Kgcnahoo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1512	2192	50de3bd5f9616c760d134189bc5fd390N.exe	30
PID 2192 wrote to memory of 1512	2192	50de3bd5f9616c760d134189bc5fd390N.exe	30
PID 2192 wrote to memory of 1512	2192	50de3bd5f9616c760d134189bc5fd390N.exe	30
PID 2192 wrote to memory of 1512	2192	50de3bd5f9616c760d134189bc5fd390N.exe	30
PID 1512 wrote to memory of 2596	1512	Jmfcop32.exe	31
PID 1512 wrote to memory of 2596	1512	Jmfcop32.exe	31
PID 1512 wrote to memory of 2596	1512	Jmfcop32.exe	31
PID 1512 wrote to memory of 2596	1512	Jmfcop32.exe	31
PID 2596 wrote to memory of 2712	2596	Jimdcqom.exe	32
PID 2596 wrote to memory of 2712	2596	Jimdcqom.exe	32
PID 2596 wrote to memory of 2712	2596	Jimdcqom.exe	32
PID 2596 wrote to memory of 2712	2596	Jimdcqom.exe	32
PID 2712 wrote to memory of 2808	2712	Jedehaea.exe	33
PID 2712 wrote to memory of 2808	2712	Jedehaea.exe	33
PID 2712 wrote to memory of 2808	2712	Jedehaea.exe	33
PID 2712 wrote to memory of 2808	2712	Jedehaea.exe	33
PID 2808 wrote to memory of 2928	2808	Jpjifjdg.exe	34
PID 2808 wrote to memory of 2928	2808	Jpjifjdg.exe	34
PID 2808 wrote to memory of 2928	2808	Jpjifjdg.exe	34
PID 2808 wrote to memory of 2928	2808	Jpjifjdg.exe	34
PID 2928 wrote to memory of 2556	2928	Jibnop32.exe	35
PID 2928 wrote to memory of 2556	2928	Jibnop32.exe	35
PID 2928 wrote to memory of 2556	2928	Jibnop32.exe	35
PID 2928 wrote to memory of 2556	2928	Jibnop32.exe	35
PID 2556 wrote to memory of 2028	2556	Kbjbge32.exe	36
PID 2556 wrote to memory of 2028	2556	Kbjbge32.exe	36
PID 2556 wrote to memory of 2028	2556	Kbjbge32.exe	36
PID 2556 wrote to memory of 2028	2556	Kbjbge32.exe	36
PID 2028 wrote to memory of 2592	2028	Khgkpl32.exe	37
PID 2028 wrote to memory of 2592	2028	Khgkpl32.exe	37
PID 2028 wrote to memory of 2592	2028	Khgkpl32.exe	37
PID 2028 wrote to memory of 2592	2028	Khgkpl32.exe	37
PID 2592 wrote to memory of 2748	2592	Kapohbfp.exe	38
PID 2592 wrote to memory of 2748	2592	Kapohbfp.exe	38
PID 2592 wrote to memory of 2748	2592	Kapohbfp.exe	38
PID 2592 wrote to memory of 2748	2592	Kapohbfp.exe	38
PID 2748 wrote to memory of 1464	2748	Kjhcag32.exe	39
PID 2748 wrote to memory of 1464	2748	Kjhcag32.exe	39
PID 2748 wrote to memory of 1464	2748	Kjhcag32.exe	39
PID 2748 wrote to memory of 1464	2748	Kjhcag32.exe	39
PID 1464 wrote to memory of 512	1464	Kenhopmf.exe	40
PID 1464 wrote to memory of 512	1464	Kenhopmf.exe	40
PID 1464 wrote to memory of 512	1464	Kenhopmf.exe	40
PID 1464 wrote to memory of 512	1464	Kenhopmf.exe	40
PID 512 wrote to memory of 1944	512	Kkjpggkn.exe	41
PID 512 wrote to memory of 1944	512	Kkjpggkn.exe	41
PID 512 wrote to memory of 1944	512	Kkjpggkn.exe	41
PID 512 wrote to memory of 1944	512	Kkjpggkn.exe	41
PID 1944 wrote to memory of 2204	1944	Kpgionie.exe	42
PID 1944 wrote to memory of 2204	1944	Kpgionie.exe	42
PID 1944 wrote to memory of 2204	1944	Kpgionie.exe	42
PID 1944 wrote to memory of 2204	1944	Kpgionie.exe	42
PID 2204 wrote to memory of 2880	2204	Kkmmlgik.exe	43
PID 2204 wrote to memory of 2880	2204	Kkmmlgik.exe	43
PID 2204 wrote to memory of 2880	2204	Kkmmlgik.exe	43
PID 2204 wrote to memory of 2880	2204	Kkmmlgik.exe	43
PID 2880 wrote to memory of 1652	2880	Kgcnahoo.exe	44
PID 2880 wrote to memory of 1652	2880	Kgcnahoo.exe	44
PID 2880 wrote to memory of 1652	2880	Kgcnahoo.exe	44
PID 2880 wrote to memory of 1652	2880	Kgcnahoo.exe	44
PID 1652 wrote to memory of 968	1652	Lgfjggll.exe	45
PID 1652 wrote to memory of 968	1652	Lgfjggll.exe	45
PID 1652 wrote to memory of 968	1652	Lgfjggll.exe	45
PID 1652 wrote to memory of 968	1652	Lgfjggll.exe	45

C:\Users\Admin\AppData\Local\Temp\50de3bd5f9616c760d134189bc5fd390N.exe
"C:\Users\Admin\AppData\Local\Temp\50de3bd5f9616c760d134189bc5fd390N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\Jmfcop32.exe
  C:\Windows\system32\Jmfcop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Jimdcqom.exe
    C:\Windows\system32\Jimdcqom.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Jedehaea.exe
      C:\Windows\system32\Jedehaea.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        23⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jibnop32.exe

Filesize
45KB

MD5
3f2b241d4773133efd9425bdd3059698

SHA1
68f9c55dafaffe7c50b4c8393c033472fcecd9cb

SHA256
631db75834572ec90f28815c0f276975c3fb88a7eaae019559a2eb379f6608b2

SHA512
14fc4a2a89c930da60d2435b91bf2d2bb6775a280effecffbffd072bd67788bf307a41a5ed10217edc6da0ca84c37d0e15a28a0df515c433397aa5c6f4d9876f

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
45KB

MD5
a7fd255745a934784883ca59be6a78b9

SHA1
2f74561ddfa153fdc2499f36c71d2efd7fab5115

SHA256
e0fc0b5cbfb9bf4675634db7e8fe1ec34eb9bf672af2b10e5f6e9a64cf285633

SHA512
f4914c2994bd1b032b5e9e6e8debe42af4a853c5d70f6f34b0ff9f9c4e73d7fe97e4aed874650c5c6b7421b5436caf5741e55ecbf6bf37b4dea1e64bc9006c7d

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
45KB

MD5
9d3592c4a28cc84ad4c669f20cd31603

SHA1
9a3118579a6f379f353c1ab13b92df1ecf0e5524

SHA256
fd1ceeaee4ef7304006cb91d08748d070beb628ec2c908fe1f18618ca1406ac1

SHA512
ba829d0a45c0775fc5681201c4309ae39f681351850c2c263dd96d73a75ddf83d54ccf688f4686b510d54ae2303bae42d8fa0f32938dfccef34a2ce6536a4761

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
45KB

MD5
285e41a96561c159cd5c0d9fa8997899

SHA1
5cb63a1401b019ef5b4c9701aa3602dba8930eb5

SHA256
37019e2db06bcc94f1b539f3a347509a7f70328bee2bd676c44cf23d5a555117

SHA512
ebf7664dcfb68d8ea739f7d6f37446cb5680738e65cd1b97fa145094b16d214339f42c04531a0fe3743e48830f35b86d0a7c60ebed5ac62a853df62fd9e6fbb8

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
45KB

MD5
89ba874540c0787929458069fc058a76

SHA1
9c596123673915806b7773d32bf11bf95b0be239

SHA256
dbe3a5214c46777718ef520651b74ca38ea69f31b8fd3dba8e33f53be230a4e7

SHA512
19259e249e0e06e05079b1b5643a9f4481651b307848cbf3be9c170da22d8b9a4edb633f39539d2e226fa7ca131f04f321f062505069adc879548f14aeca4ef6

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
45KB

MD5
5a3719aed4001f4a71d9a65cc6f13da2

SHA1
bac4a079f9cfcab79c24fa9fd859f1546d8c767c

SHA256
0e7ac550dc11fddd576cf20ab9fd35d6ae0cfbe8083e899cc2a67a88326577c9

SHA512
c0aa10e63cdc6c9e2890783c119cd9fbfbc6429c7c479e263ae962dd4cd5281fe7a0d6dcda8e5aafd37188af488ddbfc4c06e17e37c02ca055f2b045939f7f5d

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
45KB

MD5
a99cb9e2e83de7f1186e490f8637fbad

SHA1
23e6f06701244ee33260ae2c9f40a19cabdc0510

SHA256
f16b083126d28163e53ab378d37956664457afa2583de57dd9be53498737638f

SHA512
5a79a454a0f4ccd3643a144100f34928e69e441298e4efae982421d921043a96675ee2d3a2c9c8b89e6f9fdee83469cd84d2d7bd4c877a9b51e33cee09fffc6a

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
45KB

MD5
25d5f068dc83edf260a4934f6f4ace7f

SHA1
27691304372991e355af8b0403ebc6bc9bbce07e

SHA256
f69d06a274d28e0f642208d5fe67715d0ccf0e347bc284c0b15104386fbd1a81

SHA512
7821e6cf3c0ad099a32d377d484ce20bfa9b3a8756b07df3f3dd1fb709abc4d5cfa3b25f0b74f832b9c3dd015546295391c1a2aee513c8dfa476b5b675d82716

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
45KB

MD5
329d5f578abab72166d20f4554179c57

SHA1
1be457e92406ac9525e1abeb1bd58e91b5d4f4ca

SHA256
5fd575f9d20f70d384aaa11664d868b5f9efd2e078ea112f6d5250f8eebc4a86

SHA512
f4d0147ced0d0425c6adec69b3ba8aca19e9df4d34fbe1f67cae434962ed02437afa242668d634774f56ed5209d331ef89d9bb7a9f85e575f7342fdd91ffc9ed

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
45KB

MD5
ddff6594d2d2579d017d7325420611f9

SHA1
b1d45478b37752fd693023bf3eb267222c9cf2cb

SHA256
d8ebd1ea92bddc1fd825b7c170b054a2133b35f06148c52f310bed99f77e859c

SHA512
37129fa1502ba08e1c1d025deb333fb1cc6b85b11db617cfbf73c1de36b14d817f3f66069963c6c17cc8ec82f149552a2bf03a70255c021ad5581cf613a9ad06

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
45KB

MD5
13ceeeffe189841bc2f267a96d58392a

SHA1
5dddffd810f5fbd20edfbfad10c5d3df3e14b649

SHA256
dfa4a7dfb5606fb4193d973bc022d443a67eed4e6da1b3c43445adfc4dde552b

SHA512
a5bbe4d64ec394b4d1963f15593978d21879d3a686479afaaa64ac63e6797f8046c6c4d470cc83563e412f2aff6510f4b035bb53a1bff9f03e11a2243cfe949e

Download Submit
C:\Windows\SysWOW64\Lhlqjone.exe

Filesize
45KB

MD5
71d31a3924830eb527f120f5a5edb759

SHA1
f9a044bb053eebf5b5c696891db72ec3da0380cb

SHA256
66309b89ab7a59f4d6487e52054a726a3d2493f8a779e270f0b86d2cfcc30fb6

SHA512
2e1cfa887a64328eb34c80b4d1f999d5a31668dd49343db2cc87741562fe8f5a3c9e11e9722994268d00b3f00e14baca6aad130e83344513c04808a53b620f95

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
45KB

MD5
6cb713ddf40e4ee61e089ec8876aa91c

SHA1
6d16601cce0705df6fb57d4977c9f172036401d2

SHA256
7e9217b249ebe1e6d932da340d21083081df89a9d6af3c3e4927f7b14ecd571a

SHA512
98ce5a3951404a7bff16dc01d7201c803f2f9afd3574c09917c1f811127748b0b51246f417d9af7c6e49c51888af35c557d9f1c9bc2fd70430a8767169d8c2ef

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
45KB

MD5
6304ef1a6f9d265064eafe7d231cf4f0

SHA1
d14cd35b203a7dc28a33ba647647a974f9d96e74

SHA256
256a38bcc42cb56b37a3f2b3e616365f073fe6e923a993a1b3de34113fc1a7f0

SHA512
87e64fc3dae6c9835e1151d24188d1cf074c12788007bbcacca6922c1aa44d85943c98c25cf78e4a2e3b732a0add370f2f303cfc7c3d7f885d6bac111bc6044b

Download Submit
\Windows\SysWOW64\Jimdcqom.exe

Filesize
45KB

MD5
34d5937e77f0e3ad4a156ea938884efa

SHA1
492640e0e5cfb0ed7ed2bd1a2336751dae16ccf7

SHA256
b0f18961cf26d8ee2061f44721a5771be193934fd1e514078304d4aad3c8969d

SHA512
45d91569b8e8dcfee34605a9ef16bdbab2c3c1386700d562966f863b4b522c1f25014e777199736b2ffa39ec810ef898849c48d60aedeaee18b21a528709c513

Download Submit
\Windows\SysWOW64\Jpjifjdg.exe

Filesize
45KB

MD5
356f7d12fb3493a3496202357d68cee8

SHA1
905e6ad35323b5e5c4312f3d4f806b5ccdb780b3

SHA256
151490b1ae1802e663d1b400b015ad4fceccf8a71282b860abd3bdfceb426501

SHA512
09b145f5c6ed7b37641675b75bbd87857b39173f9259713b16f2d33ffb2fafc222eb7f98cbee5d6766b329a6c3544e39c2cf958c0b877d3728096d531085d37e

Download Submit
\Windows\SysWOW64\Kenhopmf.exe

Filesize
45KB

MD5
d6ba8facf4195109e777f4d6c7802b45

SHA1
08255e4f545099a4f68b1381a6437b1e18cf5e2a

SHA256
8b21653c1c8515547a14c03ee3ea710823346240bc34540fca13ba579af11f62

SHA512
25a2e3507ee9e0134f8e76d655641e3d401670ec68b583f976544e8dc5ce3c450db60299ae9555345261860fbee6052a64816afa4f1199bd2b287cdcf60ad5f3

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
45KB

MD5
68bef6559aadae098f97f3a12e3ced76

SHA1
2f1b90e9a79371a02b3c6667db5c07873e085dd5

SHA256
cc9ad37d2b161d461d84c629f87970aac1a1c36b87567b5dbf6d9f6a00d4fefb

SHA512
12bf5c3ec86f9026e0d9811e54035b725cbacc22e9dd6bb5ca3d52d2d8f5e4f8e2f603547a37ae5ca40e7d9e4e4f2d416a4001ffb5ce7e79c2ef0f5420062098

Download Submit
\Windows\SysWOW64\Khgkpl32.exe

Filesize
45KB

MD5
8ee4de4aa416afd9a23486613ec392fc

SHA1
c5e70c9051579a91f5920d843a3273f3ad48a970

SHA256
cc6b94ae660d38657ec209a3663077e2b2db19808621daa2902427ad693d63b0

SHA512
b9f3f3c1d632b2c59088c2135195bd0eb5bfbd4c7b75368403a1d0eae7fef2e2eb2abe1c76bb82b6755b666176626b353fcb6c2eb5291d2f1831302dea635b69

Download Submit
\Windows\SysWOW64\Kjhcag32.exe

Filesize
45KB

MD5
12db7eb36bcc274235d4525870a7808b

SHA1
d07e56b1cc214638d221bf472b8298efb4d44eee

SHA256
dd02d67500a2f0231f7a585a71c9ed462921353061e503cfe63bd5c4b8f05f0a

SHA512
efb824132dab34e2bbde5cfb8cddcbdedcedc556267bdc07f7daee79ed19a31b0a074cf1c9a95ffa4d260247b6b463ac08c6a81094d24285c5edfffa88c86a4b

Download Submit
\Windows\SysWOW64\Kkjpggkn.exe

Filesize
45KB

MD5
fbc25b44716b7c7a74eae325dc746ac5

SHA1
2e46318f31fd4c325f35913d0a5c275d2e803802

SHA256
6036958e7f997520fa62285a0e09504fd6fd7795c7091b5fd8416c2f790b900c

SHA512
c3633ee8f8fc2de44ec88850f538dcfab3607b1680bc4b44e3eb00ba257bbbb195eec89549eebe6a66a45983461c4faa29e94f03bf518ae4d2746b5fc3bcc408

Download Submit
\Windows\SysWOW64\Kkmmlgik.exe

Filesize
45KB

MD5
3cc04029e597b9c35eec4438ea07de10

SHA1
e17d984719f18519fc275141351dd0dd9008b86d

SHA256
b639ddd32d8c9fc5dfb51bb21dfd181209f0dd04c56e623005a7070eaeb53791

SHA512
d4c7db81ef5187db1a7a4e03d62cabcc9ebecbd858a3e5700830bd3dfe34b05a0166e866afc5c27356de5658151c5ff06f0600bf41901bd1f1d2233fce9e7c6f

Download Submit
memory/512-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-164-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/512-165-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/512-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-144-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1476-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-244-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1476-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-22-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1512-28-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1652-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-213-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1652-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-173-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2028-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2192-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-13-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2192-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-96-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2592-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-41-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2712-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-56-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2712-50-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2748-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-131-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2748-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-69-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2808-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-275-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3024-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads