6d5494fdb51b8b792208ac479ec6354f7c80ac76436bc6b6c721806e7ab06cc7

Analysis

max time kernel
0s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00055454f937f7a1c6998b9f444d7c06.exe
Size

99KB
MD5

00055454f937f7a1c6998b9f444d7c06
SHA1

9b7f801510479f88239b95784c8fe115ab9af62a
SHA256

6d5494fdb51b8b792208ac479ec6354f7c80ac76436bc6b6c721806e7ab06cc7
SHA512

0d617f41e8b583ee86dce74e8a66331432191453d7f77af547b1ead818705b25cac787b7ed164e2b5d279b012282a0960ca50d8595628cbd1a0974b3c526a957
SSDEEP

3072:bkfXwvn6R5lrSkG9AVQ2CeyLpwoTRBmDRGGurhUI:gfAv6R3nVQCFm7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	00055454f937f7a1c6998b9f444d7c06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	00055454f937f7a1c6998b9f444d7c06.exe

Executes dropped EXE 10 IoCs

pid	Process
1896	Jjmhppqd.exe
4464	Jmkdlkph.exe
4948	Jagqlj32.exe
2092	Jdemhe32.exe
3324	Jfdida32.exe
5100	Jibeql32.exe
3904	Jaimbj32.exe
4860	Jbkjjblm.exe
1964	Jidbflcj.exe
4716	BackgroundTransferHost.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	00055454f937f7a1c6998b9f444d7c06.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	00055454f937f7a1c6998b9f444d7c06.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	00055454f937f7a1c6998b9f444d7c06.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5912	5728	WerFault.exe	61

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	00055454f937f7a1c6998b9f444d7c06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	00055454f937f7a1c6998b9f444d7c06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	00055454f937f7a1c6998b9f444d7c06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	00055454f937f7a1c6998b9f444d7c06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	00055454f937f7a1c6998b9f444d7c06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	00055454f937f7a1c6998b9f444d7c06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1896	4952	00055454f937f7a1c6998b9f444d7c06.exe	112
PID 4952 wrote to memory of 1896	4952	00055454f937f7a1c6998b9f444d7c06.exe	112
PID 4952 wrote to memory of 1896	4952	00055454f937f7a1c6998b9f444d7c06.exe	112
PID 1896 wrote to memory of 4464	1896	Jjmhppqd.exe	111
PID 1896 wrote to memory of 4464	1896	Jjmhppqd.exe	111
PID 1896 wrote to memory of 4464	1896	Jjmhppqd.exe	111
PID 4464 wrote to memory of 4948	4464	Jmkdlkph.exe	110
PID 4464 wrote to memory of 4948	4464	Jmkdlkph.exe	110
PID 4464 wrote to memory of 4948	4464	Jmkdlkph.exe	110
PID 4948 wrote to memory of 2092	4948	Jagqlj32.exe	109
PID 4948 wrote to memory of 2092	4948	Jagqlj32.exe	109
PID 4948 wrote to memory of 2092	4948	Jagqlj32.exe	109
PID 2092 wrote to memory of 3324	2092	Jdemhe32.exe	108
PID 2092 wrote to memory of 3324	2092	Jdemhe32.exe	108
PID 2092 wrote to memory of 3324	2092	Jdemhe32.exe	108
PID 3324 wrote to memory of 5100	3324	Jfdida32.exe	107
PID 3324 wrote to memory of 5100	3324	Jfdida32.exe	107
PID 3324 wrote to memory of 5100	3324	Jfdida32.exe	107
PID 5100 wrote to memory of 3904	5100	Jibeql32.exe	18
PID 5100 wrote to memory of 3904	5100	Jibeql32.exe	18
PID 5100 wrote to memory of 3904	5100	Jibeql32.exe	18
PID 3904 wrote to memory of 4860	3904	Jaimbj32.exe	106
PID 3904 wrote to memory of 4860	3904	Jaimbj32.exe	106
PID 3904 wrote to memory of 4860	3904	Jaimbj32.exe	106
PID 4860 wrote to memory of 1964	4860	Jbkjjblm.exe	105
PID 4860 wrote to memory of 1964	4860	Jbkjjblm.exe	105
PID 4860 wrote to memory of 1964	4860	Jbkjjblm.exe	105
PID 1964 wrote to memory of 4716	1964	Jidbflcj.exe	196
PID 1964 wrote to memory of 4716	1964	Jidbflcj.exe	196
PID 1964 wrote to memory of 4716	1964	Jidbflcj.exe	196

C:\Users\Admin\AppData\Local\Temp\00055454f937f7a1c6998b9f444d7c06.exe
"C:\Users\Admin\AppData\Local\Temp\00055454f937f7a1c6998b9f444d7c06.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\Jjmhppqd.exe
  C:\Windows\system32\Jjmhppqd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1896

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4860

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
1⤵
PID:4716
- C:\Windows\SysWOW64\Jfhbppbc.exe
  C:\Windows\system32\Jfhbppbc.exe
  2⤵
  PID:564

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
1⤵
PID:3320
- C:\Windows\SysWOW64\Jpaghf32.exe
  C:\Windows\system32\Jpaghf32.exe
  2⤵
  PID:2368

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
1⤵
PID:2156
- C:\Windows\SysWOW64\Kacphh32.exe
  C:\Windows\system32\Kacphh32.exe
  2⤵
  PID:1084

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
PID:4160
- C:\Windows\SysWOW64\Kdcijcke.exe
  C:\Windows\system32\Kdcijcke.exe
  2⤵
  PID:4528

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
1⤵
PID:4904
- C:\Windows\SysWOW64\Kipabjil.exe
  C:\Windows\system32\Kipabjil.exe
  2⤵
  PID:4104

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
1⤵
PID:4316
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  PID:60

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
PID:5036
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  PID:2148

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
1⤵
PID:3764
- C:\Windows\SysWOW64\Ldmlpbbj.exe
  C:\Windows\system32\Ldmlpbbj.exe
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\Lgkhlnbn.exe
    C:\Windows\system32\Lgkhlnbn.exe
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\Lijdhiaa.exe
      C:\Windows\system32\Lijdhiaa.exe
      4⤵
      PID:4052

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
PID:1944
- C:\Windows\SysWOW64\Ldohebqh.exe
  C:\Windows\system32\Ldohebqh.exe
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\Lgneampk.exe
    C:\Windows\system32\Lgneampk.exe
    3⤵
    PID:4708

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
PID:4440
- C:\Windows\SysWOW64\Laciofpa.exe
  C:\Windows\system32\Laciofpa.exe
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\Ldaeka32.exe
    C:\Windows\system32\Ldaeka32.exe
    3⤵
    PID:1424

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
1⤵
PID:1404
- C:\Windows\SysWOW64\Lklnhlfb.exe
  C:\Windows\system32\Lklnhlfb.exe
  2⤵
  PID:4932

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
PID:3868
- C:\Windows\SysWOW64\Lddbqa32.exe
  C:\Windows\system32\Lddbqa32.exe
  2⤵
  PID:5076

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
PID:4000
- C:\Windows\SysWOW64\Mjqjih32.exe
  C:\Windows\system32\Mjqjih32.exe
  2⤵
  PID:1604

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
1⤵
PID:3256
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  PID:3952

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
PID:2224
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\Majopeii.exe
    C:\Windows\system32\Majopeii.exe
    3⤵
    PID:4364

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:5160
- C:\Windows\SysWOW64\Mgghhlhq.exe
  C:\Windows\system32\Mgghhlhq.exe
  2⤵
  PID:5200

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
PID:5248
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    PID:5332

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:5372
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\Mncmjfmk.exe
    C:\Windows\system32\Mncmjfmk.exe
    3⤵
    PID:5484
  - - C:\Windows\SysWOW64\Mpaifalo.exe
      C:\Windows\system32\Mpaifalo.exe
      4⤵
      PID:5532
    - - C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        5⤵
        
        PID:5572

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:5616
- C:\Windows\SysWOW64\Maaepd32.exe
  C:\Windows\system32\Maaepd32.exe
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\Mdpalp32.exe
    C:\Windows\system32\Mdpalp32.exe
    3⤵
    PID:5696

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:5744
- C:\Windows\SysWOW64\Njljefql.exe
  C:\Windows\system32\Njljefql.exe
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\Nacbfdao.exe
    C:\Windows\system32\Nacbfdao.exe
    3⤵
    PID:5832

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
PID:5876
- C:\Windows\SysWOW64\Ngpjnkpf.exe
  C:\Windows\system32\Ngpjnkpf.exe
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\Nklfoi32.exe
    C:\Windows\system32\Nklfoi32.exe
    3⤵
    PID:5968

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:6012
- C:\Windows\SysWOW64\Nqiogp32.exe
  C:\Windows\system32\Nqiogp32.exe
  2⤵
  PID:6056

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
PID:6100
- C:\Windows\SysWOW64\Nkncdifl.exe
  C:\Windows\system32\Nkncdifl.exe
  2⤵
  PID:6140

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:5184
- C:\Windows\SysWOW64\Nbhkac32.exe
  C:\Windows\system32\Nbhkac32.exe
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\Ndghmo32.exe
    C:\Windows\system32\Ndghmo32.exe
    3⤵
    PID:5312

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:5380
- C:\Windows\SysWOW64\Njcpee32.exe
  C:\Windows\system32\Njcpee32.exe
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\Nbkhfc32.exe
    C:\Windows\system32\Nbkhfc32.exe
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\Ndidbn32.exe
      C:\Windows\system32\Ndidbn32.exe
      4⤵
      PID:5608

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:5692
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 420
    3⤵
    - Program crash
    PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5728 -ip 5728
1⤵
PID:5868

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
PID:1392

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
PID:912

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
1⤵
PID:1556

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
1⤵
PID:940

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
1⤵
PID:8

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
1⤵
PID:2220

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
1⤵
PID:696

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
1⤵
PID:5016

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
1⤵
PID:4068

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
1⤵
PID:1912

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
1⤵
PID:1032

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
1⤵
PID:2280

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
1⤵
PID:1436

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anjekdho.dll

Filesize
7KB

MD5
4783ae35b5a772f6f5850dd31e62730b

SHA1
ac9490c951a8cabdceded35d2f9d955e5891b634

SHA256
f4d238af0fe880d4e669ecd31b2cf2ea6ad1e15ec16066164d2f98d4989abcda

SHA512
66bf5861d449e3197b5211d9120ea1335dad5ab7a60175bd875a721dd8b7d8a7b05a16ac13f158d2dea0e669c3bc6c6c4dda957025806def3236a53406b3d811

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
99KB

MD5
84c3e881073f1728a70ecc0a6a01fc6b

SHA1
6de58a4618b37fe283d4bc41fd7fede0fbfb6754

SHA256
dd7108c24dd595ac927152eac32778f483079d6b0d848f8937decf72c9abe420

SHA512
100ffab8c13dd6026b9e127d21b5721cdbee60f9c82512602c5a524628e3578f0c22517820c9bd18d691eb084c3c0504a7cac277f9d9ef0a48824272601d2ad7

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
99KB

MD5
ad28379ff58de132fabab093383863b9

SHA1
2d500e33ecd773dec764e47b2caebb2c15b76689

SHA256
e82c34b9c36e0b2deb1cedf1c5b1dca61978fb5335285e8cc1b502664e9f265a

SHA512
13f9d10a1ae6be311cc8087d62186bdc9a1795a256acfef476873d1aa547ec1edd129e664738798d8f14d9f33b4a0c6f69a606e961beb983719186fe3dbd24c9

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
99KB

MD5
c1a0ed767e8255abc3599971aa5a9d19

SHA1
3eb1f88690fac78d5ffa159f13e211c65358092c

SHA256
6e2709d29250a44ddbc483345cc3aecdbd7b0ed70442b31831ea6cf747d84ec6

SHA512
8baf18b1824db478fe71017ee7801065b83a704f0849f2afe53bb73cbaa49e451092047827c56481af383baccb186635fa3d8ab6e8149d62bc8c475b91e074b7

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
99KB

MD5
4c2cade5cc34b73b7d06e4f65ec00db8

SHA1
68eb0fac4c5c98028f6a4989c66d227cc40b39c8

SHA256
6f722aa25de7b951959cfff62b2ac412c90d8d476a6a5d3092095b965b643edb

SHA512
a5dce7fa87904fc40b2366051e2f7db9beba6cde8448bd0752825ae9d31f09db1ce00c1e77df1530f9271d0751abb748afecbdfff1fed334859d4e786020d1b6

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
99KB

MD5
39365aac74d75e761aa5abcd99aa6750

SHA1
96e87567d7ea2b0571bc4cc88b581cc9e2f23204

SHA256
6955c253e4dae6d5eaee157f428804ebb260f80d6445cf9acdc60fb78889552b

SHA512
86788df59a585e28927d5cd4296fd60b97ebadf1ceb6fef2e2e8b95824a9b773622dc051455b6a11db8fa79ce5e4b2e2d1e53d88c8962073841c5077c48bc3da

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
99KB

MD5
0873d691496dc6282850d4ca5246f1e6

SHA1
6e8cf50fd2fe452494384cafc09a2a44b49fde2d

SHA256
f364fba0991473aa3e5859329405e389bbcf1003b84c7a1207a1f62687380de2

SHA512
6d763bab179baaafb13f5c119d41ff609112442f5c5c90d22020aa5e9b4e711c02b69b948452eb24781ef32414fdd1258898ab519d575b32d431e88d41db48c5

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
99KB

MD5
e5d1d6306e8a50c7da92a88967b70b52

SHA1
59bef4c0a03d3404ec27d98dd54246d6aa910263

SHA256
57e64a584aa1227c9bca062b8e409d8e34764afe7f58d140a07b508bd54e9a7b

SHA512
44156f1e696172ec44255ee0632a2e590199dc0532e1181f2cab0597d67240f49e2d59a6ea35073779f82a68bb11c2e3a770df4133ec5558007959f469b03ed0

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
99KB

MD5
08d39fba5b3b38ba622f359fc2ab2641

SHA1
69ae050e73aae480e162e2685a737ab6d0494796

SHA256
8e393c5eecf955d2c48f1763284f84c4220e823cc260c3c03551f9e48a552c2a

SHA512
e29cc0eb705006071788663556024b79892a92a3f31e8ac50d3edcf7a1d3782b64ea3d5a6d91d0a46f096da2b68a92105272dd06d60b9d62b49bf6beba5cbc49

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
99KB

MD5
15c82bf4c057a9cc703a33a54b818ea0

SHA1
76f5c6b70f6c5cff7a312dd2890f85be1b78ba6b

SHA256
347014f7bea9a16285118e24a4274b5ff839f8b7bac8eaa5c144bc2d255c32b2

SHA512
effe740709f65b25a391b9d49f43ef3f9a55c6ca97f7e27e4602f0a8328ad3bd8b66715f2036a6073bbcb866acf728484947d7d4c9c77dbfff98e4c15ac2e4f3

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
99KB

MD5
40d0cfc403e4029e504060a9bf15ea07

SHA1
b588c4649fee56690c47e06a649051905da9c740

SHA256
e6f0857243f09560b6e3845d7d993b217c071001d94d9b0ccf880db96fb71666

SHA512
32bc3c1177666452c19e29eb426bc1a148bb32c57257b447e450e88fee7a7a929834e1e16f1e75c89b267e3cfe8874aa174154c85372fa4f10c0c1389fd02ac3

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
99KB

MD5
1255c02508ed666bba75a6e3c4802874

SHA1
19752bb021df28840c715486354b264452aa4178

SHA256
af611997720d3b191393ed86c7759052355489310493ea85f2ee91d137db89d3

SHA512
61afe8aaf4061f1e29a884b2f04560211e1545c3e450f7cb1d215725af3d7091bbe799faa64d27c42f84c569d91f0a95a1863d1ff59175fdcb229cc1b41c8fd9

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
99KB

MD5
dae33a4e9a10e989fe0d327f9dc4aa2f

SHA1
d39eb4e073bdec4687d04e1974286959f7880a8e

SHA256
400af73dcbc68ea98f09d293b110facc553b6a106bcbebd00368a700c12d892b

SHA512
8108b776468130359c614b1e24577f529e6f19671fa6bb0c4468ea592d0d8dc9c44fabcd343a39bda9bdaba27cc2d56c08cfbb789f9c8ee13d95c7a1e0362497

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
99KB

MD5
b4d1d3690f8587e42d7f3d10a8e16dab

SHA1
397c06445c31f25169648f7bc64b01895a05363e

SHA256
b4a8fc5ff557110eafa8594cb4128e5958567496c1df91c74b16c97d4527d904

SHA512
efba415e7bbae0041a5b3826322083341e84bdf489246d1a6edfaa87acd4c50932616b1000608976d9c9fba6612f58c323e00ef8f83a175bab6e379799de00e2

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
99KB

MD5
64599644850306d6ea2325171e21f4fc

SHA1
75757628a86e3465f35fc8f0b977116196b20ea9

SHA256
631be3a9dd80332174f66bfd1fc5c61bb1fb93c7b55e13e7e4c2789b6c74396b

SHA512
9dc444bccf1bb22d2f7227487d3664fc2fec129705c45bbdf825ecb796164e431d1ea4f21579757af364e2bfb673ef19bc1d5c3ed4fcbd83cbd391e46fab9e96

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
99KB

MD5
d1d2d97e57cb47be78777cc7b0cf9dcc

SHA1
097b06a2a7e2ed3383f4343a522363ae9ebfa994

SHA256
8b682946a7e08b3c5ab425134700e8183bdde7f9b8119ce1472a3e823d55c3f5

SHA512
c7c69ea7845872cae00ecdbd70b46ccbc44cc4a2a0ecff0d0bb0bd2175795b3bfd27dbff7a6f3a5c10a2dae258d6eebc5b9f0614cf3a3172bec068259db0162f

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
99KB

MD5
3ef3dfb5045afd0e41f48a5c87722676

SHA1
a43ed0b39addd575980bf8ba59ed3089f08b95f5

SHA256
1b5e41cca86da2cc6bda1b715df3c5c5598f6de03459b0a9233104314c748d0e

SHA512
a57253212d6b263f9b4a6124f211887450900b5f924f383ca9f10fb23cf16b1c34fbae65136c2f98c4fe6c5872557d016fc10a47b003fbf4c055ef1b347aeacc

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
99KB

MD5
c8ad3c639812337920ce19ac656c1e4a

SHA1
6c62e3b6d21502319d04d6e3beb605d24101f130

SHA256
7fafd2e8a8bb4f7f05a779eb06a995d8d3c10f0217c85f689e313c3acc87781c

SHA512
fe2388105bcfe36c8905791ad0b2050f6535bd18f56b9b957c8b23bcd115d86394b073adb784492df184674237ac396533ae5ca00f931a85bd3dc5e01264a4a6

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
99KB

MD5
1979d1f1d0816190e3e6aec0252bfd49

SHA1
c350b25f051975038983316228bc6a7f24c169ac

SHA256
304415f523be5f8e39c216522c6900789cc746125149633fc4070f54a37db403

SHA512
646b79c63f54cd2eb42c776f199ecac93af1764f2b93ce3671519ea46b79620aaac70237b756f75a84100182e402e18905c26648aa96b6ef2caf179705b1c610

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
99KB

MD5
5a06c4697fb0c908deac4cfb9eb1b032

SHA1
8418c7d97dfe090d1b760cb29493cf215787c5b5

SHA256
7294ce1020fde32edc0214cbb7ad658fc9a1ccd8b53d6c304ec2f70cbd8181bd

SHA512
ee11044d489a1ef02d6d5f4934a242120d5c008a15367c468c118871c52f7f0a2829d97327d13340193c20a943063e812733af43283fff268e81a124fd2dcfd9

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
99KB

MD5
9b294ee47865a6f40a3520663c5aacc1

SHA1
50af79a6e451da416611f1f02f41c502def8e8fa

SHA256
8733c9205f41b41e46df1ee065a5def75037b0a82027751e3f20ade4c4f8c27f

SHA512
639a59376c5c5b850b2d076c9e80a3fb401f14a0646f6bb1ae3161c9a42676a8044896c24f6bc62e24c2ab06ad05b884fad40ddef86399a645ade5622b066cc8

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
99KB

MD5
a210c65bccb5d22058b1145ebbecbbbd

SHA1
32817f3e7a9f486f2e9caf000008e5b7bb373376

SHA256
dc3881d256ad785832da305c60e4d1e71280569430a3ae11287aad11ef875e9a

SHA512
63787fdc61185703b23dd85d29211053368e8d4d99710487779e4f494f29c943a363aac9b3b9694c7085593930289eea022ade479ac4762e8759c97c62d781b3

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
99KB

MD5
55c507e07ff3d5eadcd3a6ddcf9e5a81

SHA1
f1d60ba32fad36c522b7bf0a5f84f865d578a91c

SHA256
327caa4bd1bb07fc7e84fd4d52a341b7fd3175c8f480f7696833e3896993af4c

SHA512
dd886c6e5ea63acca11a791cdd4fb601cd24ef3ba8d1c36bbe440ad3a48d535018294bb6ae4ae98f78deed92f6009ff640ac1d11119ea6205e18e16285ce3dba

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
99KB

MD5
214e7a9a6f5b993dc2311b273cb513ae

SHA1
acbbb351677fbf4464ac509f8fb98e2d7cb3ab79

SHA256
9d6915bbed55c83f8b5c17ed0222ee7b7059dd43ab4dc45c6d23591a3fa6cc1d

SHA512
43b04585bc0f185d52eb173eb61d635e70a883a9e2684c837239cf51c91a036bb395745fa63e7a0207a132224fb02a7caf2c3c5882cf580493ba5939197a3dbe

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
99KB

MD5
3525d94b09178406a0ce70bc0389149b

SHA1
91cdc3722de521f29c665bbbe93ee4e0a45c791d

SHA256
2eb6d282565c86198fdecbfffe3e97124d07e5cc9f0b3dacd4303591c1b6c546

SHA512
d9907e2c8b35ee4373dfe8b0800be35213df4911e97f09831f8aa83f65b35bbdf630bd6ab1509a0fd39d8ce03dbc0d2082aac01c8dae667dcd8651940e242ccb

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
99KB

MD5
51bd7765927b5e1f09a9e795ee9e3977

SHA1
90dc8ebcb8d1910b7d29383b2df6cb9506e58d2e

SHA256
ea0e5800984fcc5377c3e703f2f378c58eaa23df1afe5f2e051f85e4eff73b84

SHA512
9fac3e6fe0f92df9fd425b312afd9266c5b50d995361e36d38e61fceb5a92cc0ac8faa2f0396d54f255a64b3d1fcccbd5cfc946d0a1cd81d9e5bc9c24906b2b5

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
99KB

MD5
d7f603c9d8f9b6b004beff59e7618461

SHA1
1b17f547358177d25b68b4005dad7fce6c4355d0

SHA256
14a48864bf96571fcba206904b4ed2435812059c252744e8ebad5066f57d74c0

SHA512
efdad08d26a3cd9006ca9f4c81ffcd4148459c58ffb64d4d97f456bc425eaea452f9c3be43256a8715b69beca078a520e7b811507797fdcdbc34efc6e76daeaf

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
99KB

MD5
0afdf1bf588ff644672c04fe8107eb78

SHA1
008b3ef75056892ab3747c3ecf4bd13a3d6f3795

SHA256
84c4cbe47639b572e16ac9348a1c488e97d3b0fb575806b43ec508b830885570

SHA512
0737a53843e393d5fc7401527578e190da3c7eedc4272e36adcdb5bd418fa453ee73be0e54341ae0b4007b069158a7ff8957c4e030b6d3076d6599f74280d0f7

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
99KB

MD5
650fd0070dca79370bcad534c7f49733

SHA1
ef2a79a17b59c69a7712469359f4174032a88374

SHA256
d493d8551ba10bbcf1cb027e2584caebc63e554c43fa33231f3c6731283c9201

SHA512
a48d93b0c8754ca9d8ab3850159fbd751526facfd18dde1efc2b23481b5b29a528b059cf2dcedffdc57279da5ff234d17a35467e01ffaf1c9c9dce1b4d36f868

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
99KB

MD5
e5c65a0c3364974488d577636f366173

SHA1
42eb0797ad86910369ea3f5736edfca5e567a9bf

SHA256
ba6dca67ba6337a56a4bc1fc6eb3db8195b45af3cac7fcdfeeacc93367d06f69

SHA512
406b71cd7b7ad397493cf185bad205234178ee2c87ce4f18dbbca34bdcaac998424d1340b907e637cbfec83209f1a9d841e95731d95cd4f2f5b1c6e0576934d1

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
99KB

MD5
85904df58c04a09adbec91b2d425c16c

SHA1
4b44364d7a2b48fed2c423770a6b946f32756271

SHA256
d125e9af7166d12afb3a8aa3e848b6af035f8951fa63397b6f06f47adbe9f4ff

SHA512
2673259cb061573143768dd8775e71578d4efa8b4aef871dda62efcdd064f1877d2d87b1eaa0067750517a1b06719651c87ff4a5ed5684a32fe3e20d4e313a0c

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
99KB

MD5
0c5d113b59075c84b0e3ec659845db3f

SHA1
a8ea5cbbcfeaac7c0009e30876b4e2d317c794a0

SHA256
14db299a4dc4f7121e1954be9821d5fcc49ad261504e032bdbd036efdc445f64

SHA512
09fe3108d98431cf1afa11bd42974b7e525a5e32f3b134b91baa2b5ecac501e29abab00be1ffa6f5fff36538e27cc7907e88ff36a7c7b67854a707487a5395f6

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
99KB

MD5
b7aa251bc204edcc0e81892fc77b802a

SHA1
8b82da8eae52e1beba9897a9bb91eb3a2e169fa1

SHA256
d445d00fb81cc7cbaa3d5c14694702d932598157b6910e2958e23eb35e2c763f

SHA512
d12eca94acf08cb46059cc6045bdbd8382d5eee6d2e1a15332382efc74b15037f023ced05a2971dbdf900fe6b67c0f85a7bc64c416e9669676515242c4119e05

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
99KB

MD5
44773beddc65daa2170119cc664dcd5d

SHA1
ae632ab8870e2f8ed5a89ba01c26be3bf2db7687

SHA256
3893dd462ed9fea604bdd5e22010a447bd3d888277bdf8041002aa4970672a54

SHA512
6adaa4027de9eb9e3828d2f569be74792a547700aca820b77ad96592c46ec092dcd06c1d01b4bcfe5fe129dcf8651d89c63af1ae10742442dea09326b13c5e7e

Download Submit
memory/8-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/60-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/60-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/912-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1556-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2280-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3764-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3904-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3904-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads