3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Size

395KB
MD5

795d45073bf92790c24e227e3995bbdd
SHA1

6b2e36d8269e0229d429487c506e2a7a858181ef
SHA256

3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b
SHA512

ac5c47d313912d242912cfba159cc6d426dfe94a1734b4e4c165ea83744ff66f66c241f6ff9dc7310e18ba660b6a6906d6c27ecf8b4e2014cec64e3dd0ad8ec1
SSDEEP

6144:IVt/pmyvFOis4y70u4HXs4yr0u490u4Ds4yvW8lM:6t/UkE4O0dHc4i0d90dA4n

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfofg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdqna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfnnha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbgkcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Illgimph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipgcaob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfofg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipgcaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdqna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfnnha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Illgimph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe

Executes dropped EXE 27 IoCs

pid	Process
2692	Iimjmbae.exe
2688	Illgimph.exe
2660	Icfofg32.exe
2716	Iipgcaob.exe
2600	Ijdqna32.exe
2112	Jfnnha32.exe
568	Jbdonb32.exe
3068	Jgagfi32.exe
1976	Jbgkcb32.exe
2812	Kjfjbdle.exe
2448	Kqqboncb.exe
2008	Kiqpop32.exe
1428	Kkolkk32.exe
1176	Kbkameaf.exe
1852	Lphhenhc.exe
1896	Lbfdaigg.exe
824	Mlaeonld.exe
2488	Melfncqb.exe
2216	Migbnb32.exe
2424	Mlfojn32.exe
2520	Mmihhelk.exe
704	Mmldme32.exe
2304	Nkpegi32.exe
2672	Npojdpef.exe
1584	Ngibaj32.exe
2820	Nlekia32.exe
2892	Nlhgoqhh.exe

Loads dropped DLL 58 IoCs

pid	Process
1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
2692	Iimjmbae.exe
2692	Iimjmbae.exe
2688	Illgimph.exe
2688	Illgimph.exe
2660	Icfofg32.exe
2660	Icfofg32.exe
2716	Iipgcaob.exe
2716	Iipgcaob.exe
2600	Ijdqna32.exe
2600	Ijdqna32.exe
2112	Jfnnha32.exe
2112	Jfnnha32.exe
568	Jbdonb32.exe
568	Jbdonb32.exe
3068	Jgagfi32.exe
3068	Jgagfi32.exe
1976	Jbgkcb32.exe
1976	Jbgkcb32.exe
2812	Kjfjbdle.exe
2812	Kjfjbdle.exe
2448	Kqqboncb.exe
2448	Kqqboncb.exe
2008	Kiqpop32.exe
2008	Kiqpop32.exe
1428	Kkolkk32.exe
1428	Kkolkk32.exe
1176	Kbkameaf.exe
1176	Kbkameaf.exe
1852	Lphhenhc.exe
1852	Lphhenhc.exe
1896	Lbfdaigg.exe
1896	Lbfdaigg.exe
824	Mlaeonld.exe
824	Mlaeonld.exe
2488	Melfncqb.exe
2488	Melfncqb.exe
2216	Migbnb32.exe
2216	Migbnb32.exe
2424	Mlfojn32.exe
2424	Mlfojn32.exe
2520	Mmihhelk.exe
2520	Mmihhelk.exe
704	Mmldme32.exe
704	Mmldme32.exe
2304	Nkpegi32.exe
2304	Nkpegi32.exe
2672	Npojdpef.exe
2672	Npojdpef.exe
1584	Ngibaj32.exe
1584	Ngibaj32.exe
2820	Nlekia32.exe
2820	Nlekia32.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Illgimph.exe	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Kigbna32.dll	Ijdqna32.exe
File created	C:\Windows\SysWOW64\Eeieql32.dll	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Icfofg32.exe	Illgimph.exe
File created	C:\Windows\SysWOW64\Kjfjbdle.exe	Jbgkcb32.exe
File created	C:\Windows\SysWOW64\Lbfdaigg.exe	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Jgagfi32.exe	Jbdonb32.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kqqboncb.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Kqqboncb.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Iipgcaob.exe	Icfofg32.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Jbgkcb32.exe	Jgagfi32.exe
File created	C:\Windows\SysWOW64\Dpelbgel.dll	Jgagfi32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jbgkcb32.exe
File created	C:\Windows\SysWOW64\Eiiddiab.dll	Jfnnha32.exe
File opened for modification	C:\Windows\SysWOW64\Jbgkcb32.exe	Jgagfi32.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Kqqboncb.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Dddaaf32.dll	Illgimph.exe
File created	C:\Windows\SysWOW64\Mpjmjp32.dll	Icfofg32.exe
File created	C:\Windows\SysWOW64\Ijdqna32.exe	Iipgcaob.exe
File created	C:\Windows\SysWOW64\Kkmgjljo.dll	Iipgcaob.exe
File created	C:\Windows\SysWOW64\Kkolkk32.exe	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Kkolkk32.exe	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Illgimph.exe	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Dempblao.dll	Iimjmbae.exe
File opened for modification	C:\Windows\SysWOW64\Icfofg32.exe	Illgimph.exe
File opened for modification	C:\Windows\SysWOW64\Kjfjbdle.exe	Jbgkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kkolkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Lbfdaigg.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Jbdonb32.exe	Jfnnha32.exe
File created	C:\Windows\SysWOW64\Kqqboncb.exe	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Qocjhb32.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Hcpbee32.dll	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Dgalgjnb.dll	Jbdonb32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Iipgcaob.exe	Icfofg32.exe
File opened for modification	C:\Windows\SysWOW64\Ijdqna32.exe	Iipgcaob.exe
File created	C:\Windows\SysWOW64\Jfnnha32.exe	Ijdqna32.exe
File opened for modification	C:\Windows\SysWOW64\Jbdonb32.exe	Jfnnha32.exe
File created	C:\Windows\SysWOW64\Jgagfi32.exe	Jbdonb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	2892	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbdonb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbgkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkolkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illgimph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipgcaob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijdqna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgagfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdaigg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiqpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphhenhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfofg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfnnha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iimjmbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqboncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfnnha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Illgimph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iipgcaob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	Jbgkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icfofg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll"	Jfnnha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdqna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbna32.dll"	Ijdqna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll"	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbgkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iipgcaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll"	Jgagfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgjljo.dll"	Iipgcaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll"	Jbdonb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocjhb32.dll"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphhenhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2692	1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe	30
PID 1924 wrote to memory of 2692	1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe	30
PID 1924 wrote to memory of 2692	1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe	30
PID 1924 wrote to memory of 2692	1924	3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe	30
PID 2692 wrote to memory of 2688	2692	Iimjmbae.exe	31
PID 2692 wrote to memory of 2688	2692	Iimjmbae.exe	31
PID 2692 wrote to memory of 2688	2692	Iimjmbae.exe	31
PID 2692 wrote to memory of 2688	2692	Iimjmbae.exe	31
PID 2688 wrote to memory of 2660	2688	Illgimph.exe	32
PID 2688 wrote to memory of 2660	2688	Illgimph.exe	32
PID 2688 wrote to memory of 2660	2688	Illgimph.exe	32
PID 2688 wrote to memory of 2660	2688	Illgimph.exe	32
PID 2660 wrote to memory of 2716	2660	Icfofg32.exe	33
PID 2660 wrote to memory of 2716	2660	Icfofg32.exe	33
PID 2660 wrote to memory of 2716	2660	Icfofg32.exe	33
PID 2660 wrote to memory of 2716	2660	Icfofg32.exe	33
PID 2716 wrote to memory of 2600	2716	Iipgcaob.exe	34
PID 2716 wrote to memory of 2600	2716	Iipgcaob.exe	34
PID 2716 wrote to memory of 2600	2716	Iipgcaob.exe	34
PID 2716 wrote to memory of 2600	2716	Iipgcaob.exe	34
PID 2600 wrote to memory of 2112	2600	Ijdqna32.exe	35
PID 2600 wrote to memory of 2112	2600	Ijdqna32.exe	35
PID 2600 wrote to memory of 2112	2600	Ijdqna32.exe	35
PID 2600 wrote to memory of 2112	2600	Ijdqna32.exe	35
PID 2112 wrote to memory of 568	2112	Jfnnha32.exe	36
PID 2112 wrote to memory of 568	2112	Jfnnha32.exe	36
PID 2112 wrote to memory of 568	2112	Jfnnha32.exe	36
PID 2112 wrote to memory of 568	2112	Jfnnha32.exe	36
PID 568 wrote to memory of 3068	568	Jbdonb32.exe	37
PID 568 wrote to memory of 3068	568	Jbdonb32.exe	37
PID 568 wrote to memory of 3068	568	Jbdonb32.exe	37
PID 568 wrote to memory of 3068	568	Jbdonb32.exe	37
PID 3068 wrote to memory of 1976	3068	Jgagfi32.exe	38
PID 3068 wrote to memory of 1976	3068	Jgagfi32.exe	38
PID 3068 wrote to memory of 1976	3068	Jgagfi32.exe	38
PID 3068 wrote to memory of 1976	3068	Jgagfi32.exe	38
PID 1976 wrote to memory of 2812	1976	Jbgkcb32.exe	39
PID 1976 wrote to memory of 2812	1976	Jbgkcb32.exe	39
PID 1976 wrote to memory of 2812	1976	Jbgkcb32.exe	39
PID 1976 wrote to memory of 2812	1976	Jbgkcb32.exe	39
PID 2812 wrote to memory of 2448	2812	Kjfjbdle.exe	40
PID 2812 wrote to memory of 2448	2812	Kjfjbdle.exe	40
PID 2812 wrote to memory of 2448	2812	Kjfjbdle.exe	40
PID 2812 wrote to memory of 2448	2812	Kjfjbdle.exe	40
PID 2448 wrote to memory of 2008	2448	Kqqboncb.exe	41
PID 2448 wrote to memory of 2008	2448	Kqqboncb.exe	41
PID 2448 wrote to memory of 2008	2448	Kqqboncb.exe	41
PID 2448 wrote to memory of 2008	2448	Kqqboncb.exe	41
PID 2008 wrote to memory of 1428	2008	Kiqpop32.exe	42
PID 2008 wrote to memory of 1428	2008	Kiqpop32.exe	42
PID 2008 wrote to memory of 1428	2008	Kiqpop32.exe	42
PID 2008 wrote to memory of 1428	2008	Kiqpop32.exe	42
PID 1428 wrote to memory of 1176	1428	Kkolkk32.exe	43
PID 1428 wrote to memory of 1176	1428	Kkolkk32.exe	43
PID 1428 wrote to memory of 1176	1428	Kkolkk32.exe	43
PID 1428 wrote to memory of 1176	1428	Kkolkk32.exe	43
PID 1176 wrote to memory of 1852	1176	Kbkameaf.exe	44
PID 1176 wrote to memory of 1852	1176	Kbkameaf.exe	44
PID 1176 wrote to memory of 1852	1176	Kbkameaf.exe	44
PID 1176 wrote to memory of 1852	1176	Kbkameaf.exe	44
PID 1852 wrote to memory of 1896	1852	Lphhenhc.exe	45
PID 1852 wrote to memory of 1896	1852	Lphhenhc.exe	45
PID 1852 wrote to memory of 1896	1852	Lphhenhc.exe	45
PID 1852 wrote to memory of 1896	1852	Lphhenhc.exe	45

C:\Users\Admin\AppData\Local\Temp\3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
"C:\Users\Admin\AppData\Local\Temp\3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\Iimjmbae.exe
  C:\Windows\system32\Iimjmbae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Illgimph.exe
    C:\Windows\system32\Illgimph.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Icfofg32.exe
      C:\Windows\system32\Icfofg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Iipgcaob.exe
        
        C:\Windows\system32\Iipgcaob.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Ijdqna32.exe
        
        C:\Windows\system32\Ijdqna32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jfnnha32.exe
        
        C:\Windows\system32\Jfnnha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Jbdonb32.exe
        
        C:\Windows\system32\Jbdonb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Jgagfi32.exe
        
        C:\Windows\system32\Jgagfi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Jbgkcb32.exe
        
        C:\Windows\system32\Jbgkcb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Kjfjbdle.exe
        
        C:\Windows\system32\Kjfjbdle.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kkolkk32.exe
        
        C:\Windows\system32\Kkolkk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Icfofg32.exe

Filesize
395KB

MD5
496345c3e286fc03305ca1deade4327e

SHA1
c3babc23518590bf373735b1fb82ae3f52cdc457

SHA256
c0eeb84f32a50781c88592a6b8d114b8ce6f42bfdd72b3cb2f3cf6da3e0b75b2

SHA512
cf20f937c94018f897a0f4546e2cb3f283b14b5900a4b056f5dd578b9050fbebe68be803866af2e8921541243474fe060058711483213b54983e2bbddde2bc12

Download Submit
C:\Windows\SysWOW64\Iimjmbae.exe

Filesize
395KB

MD5
7b82680939e369b142ae09a23adc8d16

SHA1
ce4aeb734209cc1afc42477038dea08f26bbd2a4

SHA256
43fe465383b147a089dc4d02d182c2a982ab943cf9c5f3bc3a613a483f7e315c

SHA512
b3e30aec14320fa86e63be370bb90d1faac878a38e068504a014eacc48af57502a9496b9931bdf5a8c8deeebfa4e76a32f777fd5eccb9f19e662578ce77588a2

Download Submit
C:\Windows\SysWOW64\Iipgcaob.exe

Filesize
395KB

MD5
b9f9358a3626ad1e22347e6a4f286f7b

SHA1
2b2bc5feaabac7004e6c4a7b044cfc2908b773b8

SHA256
9482587cbd1e18eb4b6612116858f93e62e7b25fa1e7c9d1ce1f389e03c7d07d

SHA512
9c91ea75725756c098e3bed0095aada6699ddee7c6a94d992f27e33a0af44416cf1b0d2abd4edf824eb158a760af38fd6c0e42f919bdd4ba6e5a257cc1c5d514

Download Submit
C:\Windows\SysWOW64\Illgimph.exe

Filesize
395KB

MD5
5623ba6a77d39ae476bf2a93dc41dd6c

SHA1
ab5b149cb3a22255953119b23f51bee28ab502ab

SHA256
f2874ebc790a7d5d0d05d23ff44330b6e668f98d10239bdc7caea31c67c9e6ca

SHA512
0e338b61490718d74588023ac5b0714c59e4af532d376123ad44ccfa1e226e6436a9cf882b3c80236cb214b3350b0c2a3117b4d65aa4526ecbc122f8df5f53d3

Download Submit
C:\Windows\SysWOW64\Jgagfi32.exe

Filesize
395KB

MD5
13930861dfd14c24a3ff4cb8598ab53e

SHA1
dfd87e70b3a71374fc518450ae992ca3a3f2235f

SHA256
e9db34749f35db9b83d28a10b74c2542432fa70d59e743e2207077ab1f96f25e

SHA512
195d078bb1d195a0a878571db59a9087b9e4392982dbfd5a573bd408792354d298f26bd27e1913f4533b12aaece3a03e972b6fa8aa113456138c49614d6d9c73

Download Submit
C:\Windows\SysWOW64\Kkolkk32.exe

Filesize
395KB

MD5
84f8b117483eb7ca51714aeb57f10998

SHA1
fb04e71ff2bd592609a5c64d067dcc1042880bfa

SHA256
3f4a00a0bb632e6861a83b3c5572cac363f536f9eda9cb35ea6e1173df8622e1

SHA512
b664e1ed4d8bb836a6401393a8bc51534ec2f4b74a0d3b4d2c79d818ca4d1a334e6040af813913a8c6f74ff414d5c1c4d65f3f930befce62bf96583e9d7e4aa3

Download Submit
C:\Windows\SysWOW64\Kqqboncb.exe

Filesize
395KB

MD5
4828b4bfd6a10dc875dc592f755a5a8a

SHA1
03c8d06dbbf6639fec8bce3d9196b28ac43d2d58

SHA256
eafb906b666846b279d865e5cb4ec5e57db16602bbd69f4a25fef09865ad4498

SHA512
14583d1c67d7236a2b28b11f9874cf87c5219154f939e7f58b6b48c994045a879dfa722e3bbc0dd542f77a4357ff1e50bcc9d8e3153b4906e044edaffdbbfe19

Download Submit
C:\Windows\SysWOW64\Lphhenhc.exe

Filesize
395KB

MD5
864a14012c61535b812fca235d8866a1

SHA1
2807d78b1b5e5f68a821c5f90b694c59e157234a

SHA256
e51f90cda0a1d685e94e8877976a9fe9a7976be3670266c7bc6325b36859c9f8

SHA512
7d7de1550dae1f173a2f0cf9edd129b48de50c9bace9acab3312832d76f65d3799f696b6e93218465b78e9a6eb36b98c63cd5251fa81e8a4c76d2975a4e95fbe

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
395KB

MD5
e822cddad862a0b3a6b0ab7cbc2edf79

SHA1
d3bb632c355869bc3789c5d8ad97eedccb80c806

SHA256
e3ee4e6f996e958a72dc1c124daf119c42c85280f64e7722e297404ff266f173

SHA512
667dd2ae7aee54840caf9be6fef0daebd5385fe8611424065a12805ca67eadcc6b05e865bd4b4208220ee202029b2e608aa09dffe30caf401f742b65d63293e7

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
395KB

MD5
2797f7913f36df4f890d838766574950

SHA1
fa7d284e2d7a6abb3066837d533cc4491256d649

SHA256
32ee16923a9cbafd652f73bc681393d8887e8c9a93d6fce1fd1b9860b1ea3c27

SHA512
258b6bef96f8ef8ff8e296fdc4de67751b9bc564a58539474e7aaeb92ac640f9403cc10240886a69fb6ffb1fabe07e2eef3d9068d2edf79b7eb7efce9f392106

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
395KB

MD5
bfd3b746e27c538430cbbc209da1327d

SHA1
fb34f72e56d4a882352ef280ced4aa59deed5d48

SHA256
12f01c6ba8cf6fb7abfdde795e0f9a9220bd1f9620d9be3b0b191ff4e4d6157f

SHA512
41bdd30110ec0c79554fd0f2f056a977fdecbbabc0c0e66aa23350c7294f5c4981edf23cadf3a383ee579b027dca7fea834c71fa302c0c0e6eae110e8caa7caa

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
395KB

MD5
4f1abfc0a985afeb3a4a1c0757ab409c

SHA1
50b1801f74f49cdfa8c5c6f1e0231f3c7fc55337

SHA256
e5a284ab22e2a61e91b643f0b85bef8932c875ec0524b5cc2a88b0391531b013

SHA512
77c74350d2549795c7b5cbe2442795c939c98e08f34206730f6d21d03f0355d0e527512d234cdcffaf96faa873010adc22d1f7113908ed4a34d4d0059a06e700

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
395KB

MD5
f83841f362b6679b9c653ff20bbb54bc

SHA1
a54fc34165d4977355ce5cd8f2d0e4f8974d0fd0

SHA256
de49f80648acd2656ba40e49e5d5d8a0d7f5490c43cbb4fd5ac790e486eeedc9

SHA512
b5e233f276e503147e7af354827594ca03ddbf98aa55c4543f01587cf2e936262ece952b9facb43430c2c6aefd8a4b9c2bad19b393b96770938efda090f562d7

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
395KB

MD5
266859a5de66770e486c64a48b15bb13

SHA1
6b24cfae6471432f7b517bf107f9e87691fc2be4

SHA256
991f54b4cdd0a7434eccce30f6de546c2ea5545880383f6fa53834087cfc49c1

SHA512
8b12a449750f39ee0f42731e16cd39a6667928071be17bdc2bcf9009ac68e238d90b1d24639de9a4e49c8743d67af84452c0a900f1ed968e47c00b2b6d306f83

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
395KB

MD5
f792bdaef5941297d50ecfc193ab98b0

SHA1
2f7cf093f5679a1e5404b567c97c6277ab6e2264

SHA256
80c6afc036633f249b3a51b00f354ed89a682a8243bd0c3ae8f330717bbe34c3

SHA512
15b13e2b677af4e963b2a9469b758eaaf4793f2049de8abc6419b42a3f6c82b123b07517d2e5e8d9ea3e49d72e960ef4b342a6e374b42d7c4baa76848343b963

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
395KB

MD5
7b9f1ba032c8533349675cdac56b12a3

SHA1
02c561623810266ae0185f51b9b63a2e3fadba52

SHA256
bfb319e859ca950311cea6103da153a0ebcc89982e9c1fc21df8cc3ea03797e9

SHA512
6dd5f7b81afe24bbd260a1eb8a8a5af7fbce3e607dd3be5e7c84eccdfec32b50106535dbacfbcd067c22bf55e3d2a839e424c74f24ce2f1ae0ed64356a048f29

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
395KB

MD5
89f683defa54a3739ead0427015a342a

SHA1
e236aec87837bccf6c54321320025bdf8e83dc8f

SHA256
e0213a5f08121885c90cf6034a2eca564a9e372aff16a83bccc4aa6a0f3484f0

SHA512
b017a507d8002263b142e6022b4cd158fd159133b69004d1f2d96315258eaf8234f4caac9627c3d6086d53a06f951525ba1661f525c9056fc1be817516811d63

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
395KB

MD5
dba7a6594a7de0032108f1616c29515c

SHA1
3e863b928127a2f90df876e33b5c37e15f7f780d

SHA256
ad297ed79155dcdeec2d4c8e60c19e85c2c6d7e3c3aebcbf7b0e9468cece6aff

SHA512
69549d74aec8025a490167a46f9d9083d7a0cfd746d568970414f9e0d31637fa5e1598e1285da59d6686b1fe23ea9cc28ac67d599ec148942d770137b0471d34

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
395KB

MD5
6b03ccea185045ecbb478aeb3aa29718

SHA1
d7ba57a3b03cba8dcf01c56848681fab3a039abe

SHA256
0fb425304558455163eb705eefcb64406411f890a9a4bceae4aeae402116d16e

SHA512
4ac03cbf041494bf11c6776199de7b47b917877c99f77ec5b76b1fa5c5fa0387ec62b5e37f7c5dd7b5e6a535b2162722f25b2d8527d5614c127d31c6d2e3433c

Download Submit
\Windows\SysWOW64\Ijdqna32.exe

Filesize
395KB

MD5
d3b331245547dbacbb12ccb540f03488

SHA1
6cf7458db82553f6a06181f7825c291c616a8e68

SHA256
f722945857608fbd2505bc4bcb421d4abb375c587e36675c7cf3b07f238141fa

SHA512
895c0cf437e4e7f15706a8e4ae1a7cbc90613a8d905554574484aaf2ba958a191462492b1fd73f75e9c7dc4b2d09ff41e71c0b72155bb31de2154b4bc0d2a296

Download Submit
\Windows\SysWOW64\Jbdonb32.exe

Filesize
395KB

MD5
c4b80a8c27386fd3f2af05ce18d40e72

SHA1
d972a4ecc8b5bed882532460b316522fc2187b02

SHA256
721a0de50f2c3b4c98705f85901e219cadfe9d7c120026e3a7c2c84dfa7b2061

SHA512
c72fc8650a0e07a44833705a48af2ab00f5e84b986ba10cab9eafa783fee6b053bc3ca86ee3fc0ab061136837a52ea02f0ebffa7605feff71e42e35e2ad21080

Download Submit
\Windows\SysWOW64\Jbgkcb32.exe

Filesize
395KB

MD5
ea209fa847304551599c48fb080519c9

SHA1
7f80ac7072f8dfdcb444ad510a0edd562c104fb0

SHA256
6fe0d338081323d1c5b9a91f4e84d360ba62f6724ea273f4c7d7c3377df0d246

SHA512
0c24ab5e1497ae090decc1c45b05491c4ae7549b42a16cafcaaba0ab25be33b56d1f3ca3ce7d1f44f94a40285c63865029c920f218ae0c7f6343ebf43233c701

Download Submit
\Windows\SysWOW64\Jfnnha32.exe

Filesize
395KB

MD5
ae72375880d8e51b363f5977b128831e

SHA1
6671dd9c65bd2229acd2cab3482f488701aaf37b

SHA256
8d83e2732ead36c68fc49372b1bf9a76ae69ece55e38ca7e56660889f925258e

SHA512
43d77a6fa149360be84280ac6c6137d2e009b7b06fdc5d99854d282fdd42e27fd2cc3270ce94b76e6bee64c386d51272770cd413a86412992fbd949d443e3992

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
395KB

MD5
bcd9807d9cc40b9d072f0d016955ddab

SHA1
c67fe50364f55ee229e608c8fddadeaff297370c

SHA256
724c68c0c830765ccb30c167d84ff8e83afe172fdbccbe97057f8359c9b21cbe

SHA512
a080567db076682022d5b5af5d5fc1ec1540e81ac51f7f173c8874b7c157fe47516482d8f440182c46f52128b90c020684fd4574cfd5291103fc3f63f67de560

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
395KB

MD5
65fc0caa08df44a8c4b9768a04635c0d

SHA1
a20b09d460ad47d4dfd0d8148d5ff2bde6d11c43

SHA256
f607ed5b2bff1eed81c89f9426d6e3acbde0eef6e328e1e74f25719dc0805fa6

SHA512
5ed01c4386d15b50222345c0786b22ceefc2a8c80c73aa147cdceb18f8f4396ac5284b4122ee76a371166ac09ea1535de43de8f334f5a35c5b1e4ed3ca185120

Download Submit
\Windows\SysWOW64\Kjfjbdle.exe

Filesize
395KB

MD5
a0e57d5173008ad1fea1a955bb7c3883

SHA1
1c95e5a2e93b9cfd66d42851d5a54b10fdbe2f6d

SHA256
36b3dbe5894dcb4b12c4020b381013a07d41f00295563df42433c719ad1be8a3

SHA512
cac401fa74cb73d22167a5b3af68fefb112870120485583f87a071e67f04eb84dff8c70e8110d91f2026ef4673957ae481d99adee1609797c78be82f78e47958

Download Submit
\Windows\SysWOW64\Lbfdaigg.exe

Filesize
395KB

MD5
7b4ac11aa72d456128f7a092f631b2a0

SHA1
2a6586d8030a6ced8736c2e64f1d32abf2f288bd

SHA256
83c477e2beeaa5415eaf87bd9af75de6706641beedce89d02cee45ca87052e63

SHA512
02b16131082a5006afe4548c53983f2e60dae2f3448db0a1a81c220b544eda7be5e61588a030fb4be5257d6351d71025c222353083a4ce57c544c29fdee543d6

Download Submit
memory/568-396-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-103-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/568-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/704-299-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/704-379-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/704-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/704-298-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/824-250-0x0000000001FF0000-0x0000000002072000-memory.dmp

Filesize
520KB

Download
memory/824-248-0x0000000001FF0000-0x0000000002072000-memory.dmp

Filesize
520KB

Download
memory/824-390-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/824-235-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1176-380-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1176-193-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1176-212-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/1176-211-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/1428-190-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/1428-191-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/1428-398-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1428-178-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-324-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-332-0x0000000001F80000-0x0000000002002000-memory.dmp

Filesize
520KB

Download
memory/1584-382-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-331-0x0000000001F80000-0x0000000002002000-memory.dmp

Filesize
520KB

Download
memory/1852-215-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/1852-219-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/1852-393-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1852-213-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1896-234-0x0000000000330000-0x00000000003B2000-memory.dmp

Filesize
520KB

Download
memory/1896-228-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1896-233-0x0000000000330000-0x00000000003B2000-memory.dmp

Filesize
520KB

Download
memory/1896-397-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-12-0x0000000001FE0000-0x0000000002062000-memory.dmp

Filesize
520KB

Download
memory/1924-376-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-131-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/1976-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-384-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-130-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/2008-389-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2008-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2008-176-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/2008-177-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/2112-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2112-387-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2216-265-0x0000000000700000-0x0000000000782000-memory.dmp

Filesize
520KB

Download
memory/2216-266-0x0000000000700000-0x0000000000782000-memory.dmp

Filesize
520KB

Download
memory/2216-374-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2216-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2304-300-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2304-386-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2304-310-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/2304-309-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/2424-277-0x0000000000340000-0x00000000003C2000-memory.dmp

Filesize
520KB

Download
memory/2424-267-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2424-273-0x0000000000340000-0x00000000003C2000-memory.dmp

Filesize
520KB

Download
memory/2424-378-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2448-161-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/2448-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2448-391-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2448-160-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/2488-395-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2488-255-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/2488-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-288-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/2520-388-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-287-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/2520-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-377-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-50-0x0000000002000000-0x0000000002082000-memory.dmp

Filesize
520KB

Download
memory/2660-394-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-320-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/2672-375-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-326-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/2672-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-399-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-400-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2716-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2716-381-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2812-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2812-392-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2812-147-0x0000000000330000-0x00000000003B2000-memory.dmp

Filesize
520KB

Download
memory/2812-146-0x0000000000330000-0x00000000003B2000-memory.dmp

Filesize
520KB

Download
memory/2820-339-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/2820-383-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-343-0x0000000000490000-0x0000000000512000-memory.dmp

Filesize
520KB

Download
memory/2820-336-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2892-363-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2892-344-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3068-112-0x0000000001F80000-0x0000000002002000-memory.dmp

Filesize
520KB

Download
memory/3068-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3068-385-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads