4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe
Size

163KB
MD5

e7153dc838f82b79b1ad9dcc8f0e7122
SHA1

dd59d2a749535b8a658069bbd8f9efc529857738
SHA256

4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4
SHA512

0ee8357d1b48dbea809ce10d072447fa77d7ead9662f6ed091742209060865daf9f5e11f94e2a4511a54dab511dbf2155f3f16ebf3334b955250da2367b54535
SSDEEP

1536:Pw18uXs6wpSNyc0KQila34vee/lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:I1VXs5VcBQiX/ltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mpaifalo.exeNbhkac32.exeKilhgk32.exeMgekbljc.exeKphmie32.exeMnocof32.exeMpdelajl.exeNafokcol.exeKmegbjgn.exeKgmlkp32.exeKgphpo32.exeMcnhmm32.exeNkjjij32.exeJmpngk32.exeLcbiao32.exeLnhmng32.exeLgpagm32.exeMpolqa32.exeNbkhfc32.exeKdffocib.exeKajfig32.exeLpocjdld.exeLkdggmlj.exeLdaeka32.exeMjeddggd.exeMncmjfmk.exeJdhine32.exeJangmibi.exeNdidbn32.exeMkgmcjld.exeNceonl32.exe4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exeLijdhiaa.exeMnlfigcc.exeMpmokb32.exeJidbflcj.exeJpojcf32.exeKmlnbi32.exeLcgblncm.exeKdaldd32.exeMcpebmkb.exeJbmfoa32.exeMcklgm32.exeNklfoi32.exeLaalifad.exeMjqjih32.exeKdhbec32.exeLmqgnhmp.exeKbfiep32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe

Detects executables built or packed with MPress PE compressor 49 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jdhine32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jidbflcj.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/752-21-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jmpngk32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jpojcf32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jbmfoa32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jangmibi.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Jkfkfohj.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kmegbjgn.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4472-64-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kgmlkp32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2328-74-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kilhgk32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4732-81-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kdaldd32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3204-89-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kgphpo32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2076-97-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kinemkko.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3320-105-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kphmie32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1972-117-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kbfiep32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kmlnbi32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kdffocib.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4572-133-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kkpnlm32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/840-149-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kajfig32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4728-153-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Kdhbec32.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2896-161-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lmqgnhmp.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3700-169-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lpocjdld.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lkdggmlj.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Laopdgcg.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ldmlpbbj.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lijdhiaa.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Laalifad.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lcbiao32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lnhmng32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Ldaeka32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lgpagm32.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\Lnjjdgee.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4544-341-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1068-462-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2592-473-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4432-467-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 46 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jdhine32.exe	UPX
C:\Windows\SysWOW64\Jidbflcj.exe	UPX
behavioral2/memory/752-21-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Jmpngk32.exe	UPX
C:\Windows\SysWOW64\Jpojcf32.exe	UPX
C:\Windows\SysWOW64\Jbmfoa32.exe	UPX
C:\Windows\SysWOW64\Jangmibi.exe	UPX
C:\Windows\SysWOW64\Jkfkfohj.exe	UPX
C:\Windows\SysWOW64\Kmegbjgn.exe	UPX
behavioral2/memory/4472-64-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Kgmlkp32.exe	UPX
behavioral2/memory/2328-74-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Kilhgk32.exe	UPX
C:\Windows\SysWOW64\Kdaldd32.exe	UPX
C:\Windows\SysWOW64\Kgphpo32.exe	UPX
C:\Windows\SysWOW64\Kinemkko.exe	UPX
C:\Windows\SysWOW64\Kphmie32.exe	UPX
C:\Windows\SysWOW64\Kbfiep32.exe	UPX
C:\Windows\SysWOW64\Kmlnbi32.exe	UPX
C:\Windows\SysWOW64\Kdffocib.exe	UPX
behavioral2/memory/4572-133-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Kkpnlm32.exe	UPX
behavioral2/memory/840-149-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Kajfig32.exe	UPX
behavioral2/memory/4728-153-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Kdhbec32.exe	UPX
behavioral2/memory/2896-161-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Lmqgnhmp.exe	UPX
behavioral2/memory/3700-169-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
C:\Windows\SysWOW64\Lpocjdld.exe	UPX
C:\Windows\SysWOW64\Lkdggmlj.exe	UPX
C:\Windows\SysWOW64\Laopdgcg.exe	UPX
C:\Windows\SysWOW64\Ldmlpbbj.exe	UPX
C:\Windows\SysWOW64\Lijdhiaa.exe	UPX
C:\Windows\SysWOW64\Laalifad.exe	UPX
C:\Windows\SysWOW64\Lcbiao32.exe	UPX
C:\Windows\SysWOW64\Lnhmng32.exe	UPX
C:\Windows\SysWOW64\Ldaeka32.exe	UPX
C:\Windows\SysWOW64\Lgpagm32.exe	UPX
C:\Windows\SysWOW64\Lnjjdgee.exe	UPX
behavioral2/memory/4544-341-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/1068-462-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/2104-468-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/2024-476-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/2592-473-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4432-467-0x0000000000400000-0x0000000000453000-memory.dmp	UPX

Executes dropped EXE 64 IoCs

Processes:

Jdhine32.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJbmfoa32.exeJangmibi.exeJkfkfohj.exeKmegbjgn.exeKgmlkp32.exeKilhgk32.exeKdaldd32.exeKgphpo32.exeKinemkko.exeKphmie32.exeKbfiep32.exeKmlnbi32.exeKdffocib.exeKkpnlm32.exeKajfig32.exeKdhbec32.exeLmqgnhmp.exeLpocjdld.exeLkdggmlj.exeLaopdgcg.exeLdmlpbbj.exeLijdhiaa.exeLaalifad.exeLcbiao32.exeLnhmng32.exeLdaeka32.exeLgpagm32.exeLnjjdgee.exeLcgblncm.exeLgbnmm32.exeMjqjih32.exeMnlfigcc.exeMpkbebbf.exeMgekbljc.exeMnocof32.exeMpmokb32.exeMcklgm32.exeMgghhlhq.exeMjeddggd.exeMamleegg.exeMpolqa32.exeMcnhmm32.exeMgidml32.exeMncmjfmk.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMpdelajl.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNceonl32.exeNklfoi32.exeNafokcol.exeNddkgonp.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNjcpee32.exe

pid	process
4700	Jdhine32.exe
752	Jidbflcj.exe
2924	Jmpngk32.exe
4240	Jpojcf32.exe
1228	Jbmfoa32.exe
1912	Jangmibi.exe
2968	Jkfkfohj.exe
4472	Kmegbjgn.exe
2328	Kgmlkp32.exe
4732	Kilhgk32.exe
3204	Kdaldd32.exe
2076	Kgphpo32.exe
3320	Kinemkko.exe
1972	Kphmie32.exe
2480	Kbfiep32.exe
4572	Kmlnbi32.exe
3668	Kdffocib.exe
840	Kkpnlm32.exe
4728	Kajfig32.exe
2896	Kdhbec32.exe
3700	Lmqgnhmp.exe
1980	Lpocjdld.exe
4068	Lkdggmlj.exe
5044	Laopdgcg.exe
3732	Ldmlpbbj.exe
4740	Lijdhiaa.exe
2516	Laalifad.exe
2652	Lcbiao32.exe
4756	Lnhmng32.exe
516	Ldaeka32.exe
4492	Lgpagm32.exe
60	Lnjjdgee.exe
3508	Lcgblncm.exe
3520	Lgbnmm32.exe
4092	Mjqjih32.exe
876	Mnlfigcc.exe
4528	Mpkbebbf.exe
2996	Mgekbljc.exe
4076	Mnocof32.exe
1400	Mpmokb32.exe
4496	Mcklgm32.exe
2240	Mgghhlhq.exe
3496	Mjeddggd.exe
3188	Mamleegg.exe
5028	Mpolqa32.exe
4544	Mcnhmm32.exe
2520	Mgidml32.exe
3444	Mncmjfmk.exe
2128	Mpaifalo.exe
2752	Mcpebmkb.exe
1844	Mkgmcjld.exe
1988	Mnfipekh.exe
1548	Mpdelajl.exe
4260	Nkjjij32.exe
1908	Njljefql.exe
4972	Nacbfdao.exe
3624	Nceonl32.exe
4812	Nklfoi32.exe
2024	Nafokcol.exe
4420	Nddkgonp.exe
2592	Nkncdifl.exe
2268	Nnmopdep.exe
4824	Nbhkac32.exe
4432	Njcpee32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kbfiep32.exeLcbiao32.exeNklfoi32.exeJpojcf32.exeMjeddggd.exeNkjjij32.exeMpaifalo.exeNjcpee32.exeJkfkfohj.exeKdhbec32.exeMpkbebbf.exeKajfig32.exeLaopdgcg.exeMpolqa32.exeLgpagm32.exeMpmokb32.exeMgghhlhq.exe4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exeJbmfoa32.exeNceonl32.exeKdaldd32.exeLcgblncm.exeMgekbljc.exeKmlnbi32.exeMnlfigcc.exeMnfipekh.exeNdidbn32.exeLaalifad.exeMcnhmm32.exeLpocjdld.exeNnmopdep.exeMamleegg.exeLdmlpbbj.exeLnjjdgee.exeMgidml32.exeMcpebmkb.exeKkpnlm32.exeKilhgk32.exeLnhmng32.exeMnocof32.exeNacbfdao.exeJangmibi.exeJidbflcj.exeLgbnmm32.exeMkgmcjld.exeJmpngk32.exeMncmjfmk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4656 1068 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4656	1068	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mncmjfmk.exeKdaldd32.exeNnmopdep.exeLkdggmlj.exeLgbnmm32.exeMcnhmm32.exeKphmie32.exeKinemkko.exeMcpebmkb.exeNacbfdao.exeMcklgm32.exeNbhkac32.exeNbkhfc32.exeKgmlkp32.exeKdhbec32.exeLnhmng32.exeMnocof32.exeLijdhiaa.exeMkgmcjld.exeNjljefql.exeNklfoi32.exeLgpagm32.exeMjqjih32.exeNdidbn32.exeMamleegg.exeJdhine32.exeJmpngk32.exeKgphpo32.exeMpolqa32.exeMpmokb32.exeKdffocib.exeNkncdifl.exeJpojcf32.exeMnlfigcc.exeMpdelajl.exe4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exeKkpnlm32.exeMgghhlhq.exeKbfiep32.exeLcgblncm.exeJkfkfohj.exeLcbiao32.exeMjeddggd.exeLpocjdld.exeNceonl32.exeJidbflcj.exeNddkgonp.exeNafokcol.exeKilhgk32.exeLmqgnhmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exeJdhine32.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJbmfoa32.exeJangmibi.exeJkfkfohj.exeKmegbjgn.exeKgmlkp32.exeKilhgk32.exeKdaldd32.exeKgphpo32.exeKinemkko.exeKphmie32.exeKbfiep32.exeKmlnbi32.exeKdffocib.exeKkpnlm32.exeKajfig32.exeKdhbec32.exeLmqgnhmp.exe

description	pid	process	target process
PID 1124 wrote to memory of 4700	1124	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe	Jdhine32.exe
PID 1124 wrote to memory of 4700	1124	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe	Jdhine32.exe
PID 1124 wrote to memory of 4700	1124	4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe	Jdhine32.exe
PID 4700 wrote to memory of 752	4700	Jdhine32.exe	Jidbflcj.exe
PID 4700 wrote to memory of 752	4700	Jdhine32.exe	Jidbflcj.exe
PID 4700 wrote to memory of 752	4700	Jdhine32.exe	Jidbflcj.exe
PID 752 wrote to memory of 2924	752	Jidbflcj.exe	Jmpngk32.exe
PID 752 wrote to memory of 2924	752	Jidbflcj.exe	Jmpngk32.exe
PID 752 wrote to memory of 2924	752	Jidbflcj.exe	Jmpngk32.exe
PID 2924 wrote to memory of 4240	2924	Jmpngk32.exe	Jpojcf32.exe
PID 2924 wrote to memory of 4240	2924	Jmpngk32.exe	Jpojcf32.exe
PID 2924 wrote to memory of 4240	2924	Jmpngk32.exe	Jpojcf32.exe
PID 4240 wrote to memory of 1228	4240	Jpojcf32.exe	Jbmfoa32.exe
PID 4240 wrote to memory of 1228	4240	Jpojcf32.exe	Jbmfoa32.exe
PID 4240 wrote to memory of 1228	4240	Jpojcf32.exe	Jbmfoa32.exe
PID 1228 wrote to memory of 1912	1228	Jbmfoa32.exe	Jangmibi.exe
PID 1228 wrote to memory of 1912	1228	Jbmfoa32.exe	Jangmibi.exe
PID 1228 wrote to memory of 1912	1228	Jbmfoa32.exe	Jangmibi.exe
PID 1912 wrote to memory of 2968	1912	Jangmibi.exe	Jkfkfohj.exe
PID 1912 wrote to memory of 2968	1912	Jangmibi.exe	Jkfkfohj.exe
PID 1912 wrote to memory of 2968	1912	Jangmibi.exe	Jkfkfohj.exe
PID 2968 wrote to memory of 4472	2968	Jkfkfohj.exe	Kmegbjgn.exe
PID 2968 wrote to memory of 4472	2968	Jkfkfohj.exe	Kmegbjgn.exe
PID 2968 wrote to memory of 4472	2968	Jkfkfohj.exe	Kmegbjgn.exe
PID 4472 wrote to memory of 2328	4472	Kmegbjgn.exe	Kgmlkp32.exe
PID 4472 wrote to memory of 2328	4472	Kmegbjgn.exe	Kgmlkp32.exe
PID 4472 wrote to memory of 2328	4472	Kmegbjgn.exe	Kgmlkp32.exe
PID 2328 wrote to memory of 4732	2328	Kgmlkp32.exe	Kilhgk32.exe
PID 2328 wrote to memory of 4732	2328	Kgmlkp32.exe	Kilhgk32.exe
PID 2328 wrote to memory of 4732	2328	Kgmlkp32.exe	Kilhgk32.exe
PID 4732 wrote to memory of 3204	4732	Kilhgk32.exe	Kdaldd32.exe
PID 4732 wrote to memory of 3204	4732	Kilhgk32.exe	Kdaldd32.exe
PID 4732 wrote to memory of 3204	4732	Kilhgk32.exe	Kdaldd32.exe
PID 3204 wrote to memory of 2076	3204	Kdaldd32.exe	Kgphpo32.exe
PID 3204 wrote to memory of 2076	3204	Kdaldd32.exe	Kgphpo32.exe
PID 3204 wrote to memory of 2076	3204	Kdaldd32.exe	Kgphpo32.exe
PID 2076 wrote to memory of 3320	2076	Kgphpo32.exe	Kinemkko.exe
PID 2076 wrote to memory of 3320	2076	Kgphpo32.exe	Kinemkko.exe
PID 2076 wrote to memory of 3320	2076	Kgphpo32.exe	Kinemkko.exe
PID 3320 wrote to memory of 1972	3320	Kinemkko.exe	Kphmie32.exe
PID 3320 wrote to memory of 1972	3320	Kinemkko.exe	Kphmie32.exe
PID 3320 wrote to memory of 1972	3320	Kinemkko.exe	Kphmie32.exe
PID 1972 wrote to memory of 2480	1972	Kphmie32.exe	Kbfiep32.exe
PID 1972 wrote to memory of 2480	1972	Kphmie32.exe	Kbfiep32.exe
PID 1972 wrote to memory of 2480	1972	Kphmie32.exe	Kbfiep32.exe
PID 2480 wrote to memory of 4572	2480	Kbfiep32.exe	Kmlnbi32.exe
PID 2480 wrote to memory of 4572	2480	Kbfiep32.exe	Kmlnbi32.exe
PID 2480 wrote to memory of 4572	2480	Kbfiep32.exe	Kmlnbi32.exe
PID 4572 wrote to memory of 3668	4572	Kmlnbi32.exe	Kdffocib.exe
PID 4572 wrote to memory of 3668	4572	Kmlnbi32.exe	Kdffocib.exe
PID 4572 wrote to memory of 3668	4572	Kmlnbi32.exe	Kdffocib.exe
PID 3668 wrote to memory of 840	3668	Kdffocib.exe	Kkpnlm32.exe
PID 3668 wrote to memory of 840	3668	Kdffocib.exe	Kkpnlm32.exe
PID 3668 wrote to memory of 840	3668	Kdffocib.exe	Kkpnlm32.exe
PID 840 wrote to memory of 4728	840	Kkpnlm32.exe	Kajfig32.exe
PID 840 wrote to memory of 4728	840	Kkpnlm32.exe	Kajfig32.exe
PID 840 wrote to memory of 4728	840	Kkpnlm32.exe	Kajfig32.exe
PID 4728 wrote to memory of 2896	4728	Kajfig32.exe	Kdhbec32.exe
PID 4728 wrote to memory of 2896	4728	Kajfig32.exe	Kdhbec32.exe
PID 4728 wrote to memory of 2896	4728	Kajfig32.exe	Kdhbec32.exe
PID 2896 wrote to memory of 3700	2896	Kdhbec32.exe	Lmqgnhmp.exe
PID 2896 wrote to memory of 3700	2896	Kdhbec32.exe	Lmqgnhmp.exe
PID 2896 wrote to memory of 3700	2896	Kdhbec32.exe	Lmqgnhmp.exe
PID 3700 wrote to memory of 1980	3700	Lmqgnhmp.exe	Lpocjdld.exe

C:\Users\Admin\AppData\Local\Temp\4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe
"C:\Users\Admin\AppData\Local\Temp\4402f0bae34af9354eb8314d4128ca91224a953622ed9a5d8924aa2de44b14e4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1980

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4068

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5044

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3732

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4740

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4756

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:516

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4492

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3508

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3520

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:876

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4528

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4076

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1400

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4496

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3496

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3188

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5028

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4544

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3444

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1844

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4260

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
56⤵
- Executes dropped EXE
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4972

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3624

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4812

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2024

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
61⤵
- Executes dropped EXE
- Modifies registry class
PID:4420

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
62⤵
- Executes dropped EXE
- Modifies registry class
PID:2592

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2268

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4824

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2104

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5052

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
68⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 408
69⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 1068
1⤵
PID:2692

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe
Filesize
163KB

MD5
46399f0bec56744a14b240b35fbbfd75

SHA1
e5bd02e1662d3d2672d81954ad387859e616a9ca

SHA256
d7148c83349951e59af64db4613f46d61dcb48b0688f89bc24ed0be1ce772853

SHA512
c6bcfc7d98d66c0ade1fe209e43bcb5fc823cfcdcd4716733a1010faeeafe20d22ac1ccbbbf935dab822a20abda1868c9ce852543a7699f488a9ceb49a9c3291

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
163KB

MD5
3b183d28fbe4d4516360573b8dfedace

SHA1
85f5146f75504cd0b43edf64b7cc016125c8f262

SHA256
23ad25d3186f5672473434358e8b1b5662080a868dd77d23481cf749035cd802

SHA512
d8cac9e68037e8a2b2068089fae26aaf97961a5e61a527f1b4c66f7a4f3a5602e754fb3b05bf262ba8380ce6b784258228c57a82227f6aa882e692ba272d0173

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
163KB

MD5
56b323cab27874ca368eef277095e2fb

SHA1
f7145edd3ab1507150cb69a30d98c0f9a3e5c785

SHA256
3dfda52659cc6bdeed63221ed4cb62b9412a59b54a6a38d33a3a75c4f5be00cf

SHA512
a09686aef302ad4bdea950f8cff145ac1345beb175c6a0004f9d6243db789f6370842df7223cc7781018742358f37c1359d7cc8ce07dd609a948a337905859bc

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
163KB

MD5
f88fda06d19d14beb0c0d154ab33a257

SHA1
ec4601e5327a53e6751b52aaff3305e5722975ad

SHA256
0b13f13ae2c03db0ebf5c0755b0b53ad1c08c7dd8e674156bc2dee845e8c9ef3

SHA512
69cf3df8edc9c05bf8b80e9136cff2f46d94e656d28e2c2f67809711f95af87e87f9165e4d3485a0dbb00e31f39d1c4026f30d62130098444f81d5ebdd074f5f

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe
Filesize
163KB

MD5
d6ebd57aed550b5f5f687eecc0244660

SHA1
0c85519adf675a307c9bec757c937a4a84c7371c

SHA256
c148f2ab897b298efd102bb9202ff3087c176083463e06df88572e668a0dc2e8

SHA512
c4c562728fde28136d7d2355097153ef52c22baa82b4b13a9c8e0a89979a0864c0cccfbaf2a61c5eef69e688f9caaaa7d6480ad53c74ed7fece739133c36ef7d

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
163KB

MD5
197dd95515ce00c648071e91e8a6e059

SHA1
5840ce175fe3d8f2131c5d9b5a4707b30a78e591

SHA256
10637268bee09e2bb59d4757d88fb5e66565bb3acbfdbc87958c31cb88aebf99

SHA512
03dfc68c3a985c4c57fc16058df86b892a9ce3eb2303d1e8306b3578309d4714fb4c6ba36a99806c4556b2b2123605e24283096d0651a0db2e9047e9cfcabc63

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe
Filesize
163KB

MD5
96ab6ecd048ce44b9370d94fffbdd1b2

SHA1
e6612181bbb4b25e0fa2a8649c9ff5d91691a1f5

SHA256
c42728da8b6438068333c6382ea7f04737b5c39ae52397f072e6c9ab703d5e97

SHA512
508f8adbf9d1c34215cc7260a4ed3b92699faaa88d897cb9e6556cf7ce29cecf5c276e28f1297f36ad85ae10c3b19803040b51c0b14bb301eec4abdd8160037a

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe
Filesize
163KB

MD5
e65524ee998036fd2171df7bdd5598db

SHA1
cf46c01910da8ca92b47d12753c5962f28ea19dd

SHA256
5cfa5f7886c906dd93a62c1a575bb8ab8e20422db54b089347319ee9ebbc8060

SHA512
0f38b261fdd82501d3f5952004f89300e47f75c010d665a493d3e0f3d24c9e8b803de6a052bec09f52448a9f36ae3dd955c80e6e6d8c8a8814d828e1505f1d84

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
163KB

MD5
3d67f21c419fb949a41a41dc694cf7b5

SHA1
fc433d3ebf8cd039311d14ba063db7a8ff172b0d

SHA256
12d759c623fd2454b45e665fb2278a6de55e48b5e979446cefc0366fc5718761

SHA512
c66305f8ca85b83d661efd0baec8ee7ecac02c573a1c8d465d5274c46da1666b982f9105e789ebb69c8ebb35648d6a5babea98aef6cee384a1d7802adfc638ca

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
163KB

MD5
b5bd04027af9cae3260e571ee96083cf

SHA1
dc979dadcdb986c307f574ad9e17296017bbf8b5

SHA256
12bb1571cc7d99ae67860bf75b906e0e2ac7179ca199b6420be272d846a92eb7

SHA512
cb2f95268a2220b5cbd85861631c5ad0bffee10d45b7072b7653532abff30e3953a895e15dfed86c17c7832373b7ff71428d1e87c0146fa727147da1c7297814

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe
Filesize
163KB

MD5
f969496ccfc49ea10545b71b861221c6

SHA1
53761efe0b05e2034e9291b5efcce1910896d618

SHA256
34ff78ab2d127b2674c3a998505a365f3f4cca1db75e1d9662bd7b6b56c388c2

SHA512
3f28444142b00ecaa1617ab76bd2055d1cfcbe3f719d42de01547f622c4733406f9e0251f7c616ebbd0d7a3753c33eb7a4d3124a6f6048b139ce249843dbebdf

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe
Filesize
163KB

MD5
86e65889ca96c67e58a915e9c1bb9f7c

SHA1
a8ca5d3b115e25c4afa1955e3a861cc8aad40625

SHA256
398bc04dacb00cbf7cdd2c8fd4a81af6285d82f82512ea2e3bdf4ce24fe3ee57

SHA512
1ed0ab452c05687d551e4c9b6e19a7b2feff1877dd79b45b3d6a49592004c658696ec15bc4d4c1d903f0025248a1643a881a8c7b0a6f37f4c2f3bf10ab6fdbd2

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
163KB

MD5
1be1662bfbc6b65191ed32beeca6dfc3

SHA1
0a702cee8f2459ba752a94f508cc15788c9d1afa

SHA256
fb9af26ad483242cfcba569b46e4c9c23f4b1122ab1fc0c855675019c1244791

SHA512
0c02765ae7add3463089926e9d7a19eced0106cceb061e24211d0f3dd92206c3933773ee4aa9831715cea2592e4bff500a2418cf789af8ce1826b1b44665569a

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
163KB

MD5
1bf7b1b51848d4e81b6f1f7cdb875f28

SHA1
7309e5697d090a3a93cf135786f7a2bff2b256a1

SHA256
5715fd9ec74a3c24d664fbd384941f6c731d8e59369d5f742384614fad048e99

SHA512
fb4ae634bda052ca73ad466ef631ebf1391cbbf8e34e3021b2c9a0d902d40b9c8cf6c80e5bd1d7acac2067a643d479252299092b46c92dd4a825f1c269a5a77f

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
163KB

MD5
1a2dab00df6c1c78db5580726767ad31

SHA1
891e40fd192e00b73a7ee3426242f292793aff4e

SHA256
d1a9d7d0f2f4b9901a95f4c8614a04d2f4fea9e0375b49d9bbf1452aa27517bc

SHA512
c69085013b322ef7ac2910956085465ebb355e57d20b2351f752003d537d01325be40a2ef21f455ca6729cf920f4f757d4d12a1982ba2cc13b3a013471bcc8e8

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe
Filesize
163KB

MD5
9925c88ea23416d960cb4ea09fb89695

SHA1
a4619a95a3585704a6318a3d0dad865f8df0a4f1

SHA256
fac2f9b0f396d3e20f1ca4132c880fcf8f683ae83717ea1cb5f3213a5d9fad1e

SHA512
8fe61825e3d7b0928916814267ab62a80cc78e31fb43a0928a92668a8342dbfcca98bbb9d8abd3caec32312d73231f1ae9f71c7eb7a492b2775989aa708a55cc

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
163KB

MD5
923a9c058f1135c2347254acae549dbe

SHA1
79db3d536e2740bc51094e9c0eeecd0a5eb53481

SHA256
38d66bbb3669040a8ba7b80c6bd85a6cd04ddcd339d59da8b3be23ca0e4393de

SHA512
03f6e621ec5850cd6075d143ddbe379eb020dddd0b638d546f49d1eba5601d99854c029eb2c49a19655fd7974e27c232e9c2550f2741b040be9f5f8b8e25dd78

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe
Filesize
163KB

MD5
ee728a14232a252f328012dccac700e9

SHA1
ef4cfb99dbed6f2a15b26eff412e176cad5f9d1d

SHA256
1ebe58ba440413a73e17e10e87352e163218c9fce8b967a918e113023e5415a9

SHA512
5ba960bfefeef925118a137c43cb52023b941382002d147de5a27a27e15e7cb519d8514303a4526cb343163dff5b504639f35c573768a452f6e4ea26ced8b603

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
163KB

MD5
86beba5851bee4e8dbc04bede7b6afb5

SHA1
3b01c7d43e632dc6c965de6fa42d68994b1b7294

SHA256
150e2b8eea028784eb434169cf721e0aa1f11cba71bbbb8a523cdb7288119631

SHA512
d8fc84495563d2f5ecb9e5f084717b5bec5ca70726cb1a7a87fc6c58201e01c182c922178b40efae4cc027e6417eff80262feffd2e89acd040c6a81da61052e5

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe
Filesize
163KB

MD5
a74c0c8e9039b64aaf1ae684a4e93b0d

SHA1
b51b26dcb8307419f4579b49f2ec1e52d65f661d

SHA256
5ce2107446ec20abe5c7253fb985e1045509195f3a316905ccd6dca9426ec047

SHA512
96d2b5945cbf8a26fe2d91c384ea75ae61112b834dcb8b1d8e3030e9c9fe9e11b0fa0f915522f1135f06f35c591176e6141385e161b6f1b9bd6cf3c18c123df7

Download Submit
C:\Windows\SysWOW64\Laalifad.exe
Filesize
163KB

MD5
62cbeafab03de423889509b4d0546546

SHA1
1edbc74dc8db3b424caa14bf4637944ca36e1cec

SHA256
87a66d4fc9922e6f07be643db5417b5b37750659b8087ab1569859bab3908024

SHA512
2ee5c625018741a4e56a98b20e9054e5c2fff99cac5986c923a57896a7e4bb14d4c6cf8bdf16379c28a1f52b5ea4eeaef7aa98ac1ac0ffb76ca653122180fc79

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
163KB

MD5
3483328102b09c460e39ad288ece3ef5

SHA1
6b9ed4065287d9a5dc6a82a34730e307aab66afb

SHA256
0ccda32d6390a05acc572dc4f82a61b0719d139269fb7ee4d18abb9fa1817afd

SHA512
3f08103da01ebe4ec5ad3fece434e57fb04a8fafaed502429194625343ddd8f76f448a05598bc775251d54f9404d2db6946daef771b4560e607c8f5c4bb76b13

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe
Filesize
163KB

MD5
6fa1b5bbd6b58c9ce61d72ec012b6400

SHA1
5b3de3383a6fcf0f32cdac6107a2c6b4a5f31a0c

SHA256
ac9fe07ce35ca699ce91e149b0aa43f0a36dfe9b7e0b822be91bf1dd9cda3d38

SHA512
5cec8f149611feed1a8eaf76cf09b9d68ae1271650bc446b5b296d397c448798912f399afb24f2de5f8efd7f537f10b688a5e296adcf09cb5001c9b2bef91635

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
163KB

MD5
6ad4812b403c2b71156a1c7a1545c46d

SHA1
f98b26e30a0aad36262e9e0540de70e8f1f91334

SHA256
fa85fa5263ef13b7faf34b1d3ba5605a18cf01a8b9d07aeb1840385e9c58f959

SHA512
acbd5eb5f57612b378fa9f8bf365c33636d7fd5de7a5f65108e456cb4dad23bd9e005e82e675a62b73ca2b0d3636c8c333908368942eca44f12b8f211b8c1d9b

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
163KB

MD5
1aac1aa663be8b61c87e4bc51218998f

SHA1
64da26f95d0f5040cddb692ea1baf5a3a8202bea

SHA256
5c45e16ce8f6e0e1b7e5676fa0571a25e417a0a139c8657ae409ff748bb1d0b5

SHA512
692b03ab205933282845730c09fb4605127ac5c36826e220a599c1b03df2107432890aeb92b5d4a1c802f37b8f29e474de497b4dd62953d485075f9dffd75da7

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
163KB

MD5
01592ee81b41b967473c8cdb0525f4d3

SHA1
b815b3bc568c0f6a3a0360bc66e2f78263624157

SHA256
377af37c847eab02a2acd234152a88a2e559beef70f979b82a2831f824e36ff5

SHA512
f8df671301126cae20dfc2887888315439a5a251c9568635ba79542b4e41bfdd896c932c1bcdaf90a4dd0a072f7bb42fcd6347f1dc565c69ce64cd930eef95eb

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe
Filesize
163KB

MD5
de3dc62ba6c64957c10cfb32edf93170

SHA1
e6321c3e5983fa99f925acdd89b20ea01647dee9

SHA256
72f896cc84121ecb2ceb014b4f91ea0b1d36649848100a81cc2d6f3db18ef8c1

SHA512
f3e4eab684e683930178fd3703077601d5ddb2a52b238871188a7519d77086a2b7c6a8907a97faa12e5c80586f09623ff4462387d2d521b137511bcd29fa06c7

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
163KB

MD5
64650d57957a4aceebfdddb5e24b6bdd

SHA1
4d733321e1ad91a786e0cc54a75f2422cd10f1c5

SHA256
c485295c18bf196b7a59418dd7d6dd4e62a611005cf86e19e7bf531395ce5b46

SHA512
bdbd8a026813635d36e0ce0e0a357b2327c2d3124a9c0a2d990940fc6e28d8745c6892c1c7eff826b4e6f57baaa4dfced56a5ffa9c8751f249b6e8cf57454bd1

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
163KB

MD5
b9431eb984f6228493470a47bac0947a

SHA1
81760c655e9f00f42892b685e1c5443cbf4c5726

SHA256
433dc4cba25bb3213496b78762ccabab88985fec99200fffb4ae61c45625af76

SHA512
9caf857fabac26c0bb5e918130acf932c4a2e13927b6eb2841ba8c89eeb66917046589afb7a78034be3dc0f5cfc662d9f4c181db303caf29992619e089f037e6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe
Filesize
163KB

MD5
5778b482d3a12d43990189ea7492a023

SHA1
1b47754a789e28f132f50a7016fb6f00b17f3761

SHA256
720be8dd8945c1fa0a306cddf1729493b44e7c0926de86c735583ee12671ab15

SHA512
793b17016dfc340f16c3417d673b2c1087536687adaa459e83335765e08583780bf8460550fc4c9832e693abefcb47a4553a23852fcba0d3f862ba2a5dbca389

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe
Filesize
163KB

MD5
77e0a11e0791ab8f8c4d9dc23feaa753

SHA1
2c97687ffe471af55d14377bdbbab6ff2b131ea4

SHA256
2e388ba3af28a66e03eaa22849e6a514633636c8c4f9bd401d0988ae31099e05

SHA512
cca52ca1d0b426d412081984c97ef0fa14e109c5248eb59c620159cbc2fb2d8874f35c9143dd9708c4a51ffedf1e880e30c616d2a1215a4165cd2ccc8d2467f5

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
163KB

MD5
c70e09d910c604c6c66f443bb498605a

SHA1
1e910d3017b5b3b389503e7244b142229e6ad8ab

SHA256
c91e9ace15ea7f05eec6f5be4681ab7bafc5d12f5583c3cc1bc74e08e9e1c509

SHA512
3b22714b2886a5f5e43db7fe220f794c0a480cd1acf89eb47c010dcb88e1478f8169d886bf1b5c21234f5c38de065dec728a283e92a09afff4693d079babf274

Download Submit
memory/60-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/516-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/752-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/840-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/876-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/876-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1068-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1068-462-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1228-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1844-494-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1844-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-117-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1980-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-492-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2076-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-468-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-512-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2592-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2592-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2752-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2752-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2896-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2924-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3188-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3188-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3320-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-500-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3508-266-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-480-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3668-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3700-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3732-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4068-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4092-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4092-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4240-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-487-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-488-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4544-504-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4544-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4700-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4732-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-470-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4972-482-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4972-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-506-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-194-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads