cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Size

109KB
MD5

4707e3e0e4506f5325420798b06c48b3
SHA1

c3e883d7206dd5a85cf112b515b272e74b6dc715
SHA256

cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd
SHA512

752f4b4720f3ec1f77b2a6b11c36f0c220f6a2cf7f2d63730658d1973f111c375051fb0cbf6d0e6bbb9d675193490f68cb28dc15a5f8e5c3fd361490582c15ef
SSDEEP

3072:3FgONk7bSp/2J9TXLCqwzBu1DjHLMVDqqkSp:C7bbJ93wtu1DjrFqh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe

Executes dropped EXE 54 IoCs

pid	Process
3184	Jfffjqdf.exe
3700	Jidbflcj.exe
5092	Jpojcf32.exe
4948	Jkdnpo32.exe
3292	Jangmibi.exe
4488	Jdmcidam.exe
5108	Jkfkfohj.exe
3540	Kpccnefa.exe
5100	Kkihknfg.exe
672	Kmgdgjek.exe
984	Kdaldd32.exe
4116	Kkkdan32.exe
4168	Kaemnhla.exe
3808	Kknafn32.exe
780	Kagichjo.exe
3856	Kdffocib.exe
3160	Kibnhjgj.exe
2100	Kajfig32.exe
2828	Kgfoan32.exe
1560	Lmqgnhmp.exe
3640	Lgikfn32.exe
640	Lmccchkn.exe
3232	Ldmlpbbj.exe
2092	Lgkhlnbn.exe
2652	Ldohebqh.exe
400	Lgneampk.exe
4284	Lnhmng32.exe
3568	Lgpagm32.exe
3348	Ljnnch32.exe
4236	Lddbqa32.exe
5040	Lknjmkdo.exe
3140	Mnlfigcc.exe
664	Mdfofakp.exe
836	Mpmokb32.exe
4472	Mkbchk32.exe
5068	Mnapdf32.exe
3012	Mpolqa32.exe
3120	Mkepnjng.exe
3552	Mncmjfmk.exe
4460	Mdmegp32.exe
4668	Mkgmcjld.exe
4332	Mpdelajl.exe
1760	Mgnnhk32.exe
4624	Nnhfee32.exe
4404	Nqfbaq32.exe
2968	Ngpjnkpf.exe
4804	Nnjbke32.exe
2316	Ncgkcl32.exe
4092	Nkncdifl.exe
1360	Nbhkac32.exe
1744	Ncihikcg.exe
516	Nbkhfc32.exe
4744	Ndidbn32.exe
4768	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	4768	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kpccnefa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1964	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3184	3944	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe	88
PID 3944 wrote to memory of 3184	3944	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe	88
PID 3944 wrote to memory of 3184	3944	cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe	88
PID 3184 wrote to memory of 3700	3184	Jfffjqdf.exe	89
PID 3184 wrote to memory of 3700	3184	Jfffjqdf.exe	89
PID 3184 wrote to memory of 3700	3184	Jfffjqdf.exe	89
PID 3700 wrote to memory of 5092	3700	Jidbflcj.exe	90
PID 3700 wrote to memory of 5092	3700	Jidbflcj.exe	90
PID 3700 wrote to memory of 5092	3700	Jidbflcj.exe	90
PID 5092 wrote to memory of 4948	5092	Jpojcf32.exe	91
PID 5092 wrote to memory of 4948	5092	Jpojcf32.exe	91
PID 5092 wrote to memory of 4948	5092	Jpojcf32.exe	91
PID 4948 wrote to memory of 3292	4948	Jkdnpo32.exe	92
PID 4948 wrote to memory of 3292	4948	Jkdnpo32.exe	92
PID 4948 wrote to memory of 3292	4948	Jkdnpo32.exe	92
PID 3292 wrote to memory of 4488	3292	Jangmibi.exe	93
PID 3292 wrote to memory of 4488	3292	Jangmibi.exe	93
PID 3292 wrote to memory of 4488	3292	Jangmibi.exe	93
PID 4488 wrote to memory of 5108	4488	Jdmcidam.exe	94
PID 4488 wrote to memory of 5108	4488	Jdmcidam.exe	94
PID 4488 wrote to memory of 5108	4488	Jdmcidam.exe	94
PID 5108 wrote to memory of 3540	5108	Jkfkfohj.exe	95
PID 5108 wrote to memory of 3540	5108	Jkfkfohj.exe	95
PID 5108 wrote to memory of 3540	5108	Jkfkfohj.exe	95
PID 3540 wrote to memory of 5100	3540	Kpccnefa.exe	96
PID 3540 wrote to memory of 5100	3540	Kpccnefa.exe	96
PID 3540 wrote to memory of 5100	3540	Kpccnefa.exe	96
PID 5100 wrote to memory of 672	5100	Kkihknfg.exe	97
PID 5100 wrote to memory of 672	5100	Kkihknfg.exe	97
PID 5100 wrote to memory of 672	5100	Kkihknfg.exe	97
PID 672 wrote to memory of 984	672	Kmgdgjek.exe	98
PID 672 wrote to memory of 984	672	Kmgdgjek.exe	98
PID 672 wrote to memory of 984	672	Kmgdgjek.exe	98
PID 984 wrote to memory of 4116	984	Kdaldd32.exe	99
PID 984 wrote to memory of 4116	984	Kdaldd32.exe	99
PID 984 wrote to memory of 4116	984	Kdaldd32.exe	99
PID 4116 wrote to memory of 4168	4116	Kkkdan32.exe	100
PID 4116 wrote to memory of 4168	4116	Kkkdan32.exe	100
PID 4116 wrote to memory of 4168	4116	Kkkdan32.exe	100
PID 4168 wrote to memory of 3808	4168	Kaemnhla.exe	101
PID 4168 wrote to memory of 3808	4168	Kaemnhla.exe	101
PID 4168 wrote to memory of 3808	4168	Kaemnhla.exe	101
PID 3808 wrote to memory of 780	3808	Kknafn32.exe	102
PID 3808 wrote to memory of 780	3808	Kknafn32.exe	102
PID 3808 wrote to memory of 780	3808	Kknafn32.exe	102
PID 780 wrote to memory of 3856	780	Kagichjo.exe	103
PID 780 wrote to memory of 3856	780	Kagichjo.exe	103
PID 780 wrote to memory of 3856	780	Kagichjo.exe	103
PID 3856 wrote to memory of 3160	3856	Kdffocib.exe	104
PID 3856 wrote to memory of 3160	3856	Kdffocib.exe	104
PID 3856 wrote to memory of 3160	3856	Kdffocib.exe	104
PID 3160 wrote to memory of 2100	3160	Kibnhjgj.exe	105
PID 3160 wrote to memory of 2100	3160	Kibnhjgj.exe	105
PID 3160 wrote to memory of 2100	3160	Kibnhjgj.exe	105
PID 2100 wrote to memory of 2828	2100	Kajfig32.exe	106
PID 2100 wrote to memory of 2828	2100	Kajfig32.exe	106
PID 2100 wrote to memory of 2828	2100	Kajfig32.exe	106
PID 2828 wrote to memory of 1560	2828	Kgfoan32.exe	107
PID 2828 wrote to memory of 1560	2828	Kgfoan32.exe	107
PID 2828 wrote to memory of 1560	2828	Kgfoan32.exe	107
PID 1560 wrote to memory of 3640	1560	Lmqgnhmp.exe	108
PID 1560 wrote to memory of 3640	1560	Lmqgnhmp.exe	108
PID 1560 wrote to memory of 3640	1560	Lmqgnhmp.exe	108
PID 3640 wrote to memory of 640	3640	Lgikfn32.exe	109

C:\Users\Admin\AppData\Local\Temp\cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe
"C:\Users\Admin\AppData\Local\Temp\cca29227ff4e04f3851984b688f44efba97991898e6a2e4db6639931175969cd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\Jfffjqdf.exe
  C:\Windows\system32\Jfffjqdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        55⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 412
        56⤵
        Program crash
        
        PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4768 -ip 4768
1⤵
PID:3020

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe

Filesize
109KB

MD5
cd11a5fdbd46596a04f64a85b3ed6ab6

SHA1
8c0ddd7b5aab90686019727d1580a8389de1667d

SHA256
2e71cd45388ac2af65bcd9996e030ba47ed6706427de26367c281ce1583f2c21

SHA512
69d2fdaad9111fd0d94a0c825a7fb0071dfe92ff0106b5350fab141e86abe9170ad6941f4a356ca5db1115875b6d761597543d5ce1ccf34f524b00d7ce53b84b

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
109KB

MD5
afdfea2f667a67b5d3c7100a1e57d0cc

SHA1
4bc2251c4fd5561723d93219d4821b62f0c2b299

SHA256
dcb19f76fe6c6bbc92efb1192aa7ba9a28beba89ab461145dbd3cda1657b7427

SHA512
25326e215caad59ee63c85fce9d1b80525e8cd8f76fb8626bf6e5e745299e6176420e5325195d0f156278df24e4734457d3e643af93ee2d47521a075c69a2005

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
109KB

MD5
16951985e0a80fa99e8db3314768b498

SHA1
4e6dac870356f579f064a11177ddd0e031b4c1e6

SHA256
6c2a5582a580940c74f0ef973f00e775ffa2fe081c60a63c0c64c551a33c5ad8

SHA512
a1d8d47a2a734514e043b19558a98819e7ba23533b2f9c5622a2b75b35192730cd729ca8fbcf83d1255f35982f9e39164edb6c7b46078797a48b830904c6a988

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
109KB

MD5
73ae705ec519ea87c85ce22f94257556

SHA1
f14967fb905497e9bb0be05fa3115454b23d5bf3

SHA256
cb3e2ae2d1ab2c8f7f30ba0564063da4e6d5dcd1f8b9b2781270f4cc6570ba05

SHA512
b141f09e0a4453d6d1d24a023cb692d87d09d05b748846dc67e4724297ca18f6095d50933b9bbaf57140d3ed67e408089e5d8bdc36d528927a865590d5c1f84b

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
109KB

MD5
bae979edb8c446393fa011a386ad75b6

SHA1
131b2b525dfb5e9ebe8f016e03638c7a45fb2609

SHA256
cfb76dbed4021a0dbe2f78e4b9f0532c794c9399ce95b55adf3559a4b7c6f2e1

SHA512
bc163a8f71813d821e6e25d4bcca68bd2522104e4e74007ffb119d2cac3588b7793199a6a8cabbc933ff6a084c54bf05e4d1e3d433ab536bdaa5f01f8ed657ea

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
109KB

MD5
61a8954010ab8a864e57bed811c80dd4

SHA1
4102946801039369465863ffe95e19810f2a27fb

SHA256
dbeb0f1e09e30c6f317f64961789286d1ce9c861793a02eceff04de3b64939ea

SHA512
e1761f45a69071badc083e279d771e90961be3e31f6767bf48d93231943a83e8d2f125027390a0f3945fc7f5e61628316fee548260d6454e78b9f9b6e6d0c859

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
109KB

MD5
c9c19c3f62e73403b751372e37006981

SHA1
2b18103193a754f2c12da8bdbed656c73a72bd08

SHA256
27852da0cd7ff4a585b535c13bb124bae84ba7a3fdc31a2d1df72c938e4bfe17

SHA512
bf1199247a71df5d30ecbfe795a8724def71faa0095a5b04cc7f76cb9c9ceaa14d28315d4a612cfbf4f00b0c9218112d5b824c4f3987c22d0b4281a84ad1b9d6

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
109KB

MD5
fb38761039a9a63293d746d18b7ace86

SHA1
d341cc11a8f71f9120b9e73daf6ec12b507a20ed

SHA256
eafa728035f8dac5e5dcc8de2eb14d6af7c90cf008fb9c8c094483423e8788b4

SHA512
25f7a32b43415bace24cac24618438c878d0428e842b8d30eee33fbe307ceb550df59bd3b3e4f7fa12b77e510c7f6a698a52f12626b65e0d91201edddd79139e

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
109KB

MD5
d8868f81576b6723c1c0b013f69a34b7

SHA1
bb30d12094e90b182a2edea16fa0e582a6c3b6fc

SHA256
6ec042d2e7c7914a5fd4e8910f245e10f59eede8df51c9aa47d8411e7c0b0c84

SHA512
d67a995d4eac2d1c40cfbddaa4db2fdd6af15f63a16d60a0978205a40a888165bda362cdbef9770405fff3291828094b8a1244961dedc927b5206cc6b4e42050

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
109KB

MD5
aecfc928132c81cf578568133364c028

SHA1
783205a6a92fafd28e634fa3080362b90bb5fe0e

SHA256
1020c49e122056d73130d79f1ae48b9474ae83eb2579dc911380b63c4df49bed

SHA512
557b387ac8b6b4584fc514f1feac7c5b340edf2680b7a0409151d50f1d268a198ffaa0f522b410dc709839207816f5807a1413e89d3377c9f6738125b57701e2

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
109KB

MD5
bb1b9ce5bf0f720fed7e1543787aacac

SHA1
3d03b9eeefd5750f715bd8370a35e761212c0958

SHA256
2dc419340072ab0362b6fdc5df40fd8c1b8577a14e1ff70e9dc0864ed04de82d

SHA512
4bab3bb932618cd7856baecdf795eeab6bd647fb3e3bf9c9919ab5ea20765287ba61815f88b489b000fe5206e57ec953dc653f037778d9f594a352c8e659d37b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
109KB

MD5
8b1cd03491686285a156a9812dc637b1

SHA1
06206078062df531409e718337cc949f0093559c

SHA256
4ef561231e2d353720e4dea356ca9d0d453c1c241ab3853396cc28dea658211e

SHA512
c08ba2074cfc2165d99fefda27e0b7277c67056976cc1472de3c870467f1ec39379814243f30038b81a38b2e200594f6a42637ed915048bca9b27a06888746ba

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
109KB

MD5
c2e97da1d514b9df0f857963b8d4251d

SHA1
0789cf80c9db401ef56c9ed69f755ce408ec0a44

SHA256
cd0ee84110336391c52769522977d8631b52806e9d702dda7e8b2e75f22e33b9

SHA512
eaad96b618543aaf82e9d95125f4215d25691ea29f8a32784638531d663ecd9bd1c46119fd6a9c66d52557f451cecd827bf45827ae2741eca1095875147a1c90

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
109KB

MD5
0f60256e90f75c524f7874c38ec631e5

SHA1
2d039c61e79a947a08f4c8f2e0475d27ab233b18

SHA256
cfdaf97cf9e64f1b76e24bb21fcb259103e295521086e749a159e7bf076c8e89

SHA512
124b3f5860d34a7d1e03ea634b59e4e206656c679488f9c1553e624665996fef4bb7978a0e8db841d2998368f53536614c4e2cbf78357e5f4e00d1ce5cf12eb8

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
109KB

MD5
61b845689a228c1d0020581702af6ca9

SHA1
2cbf7b0d71a2bd31df6fb3a4697a02315069c9c4

SHA256
79aa9643cfc674b046745f83f1cfdbec4ea0f1009a1f7a6df5fafb083ddce035

SHA512
c689df64a1a4d639c25b934a1e38f1ed3917addc0b19f17d6b75a2e909ed411060cbf0830c089acbe030b5258f3ea04dd41015a78082b2891925e6f2a0c9420e

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
109KB

MD5
2053d30a95e026c61824599c01525cd0

SHA1
aed4cd0e05a8ea15b3939998af4f09a652999c30

SHA256
af9a6822bbf75ff03f5142ef8d633bcb9bd2fd1a692bc29dd047357f66b87db7

SHA512
4e2a87f9f930980bca65c725cd9b9959a48e00ebed6a99209e613dc263230bb7297cebaf921ec784ed87f2eb41b5b938a5548dfe7f89af54be3d5f94592f6367

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
109KB

MD5
dcf9a869b1b48b3f6f6ac5a5188f4625

SHA1
d76d3a23467cbebd63f29f1e60273dc9330f121e

SHA256
9e55a5b6398ad5b1095e4e6f7e2b0ca44809957f674dfa6741dfc6e89255d884

SHA512
f7a022aca264b400ca4a881ccc2f887c920ac26d268c01be6b43b1e3f99dbb190b810405bea1032acdebb36c58caba04ce11b174cb3beba753d4e0128f2e9953

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
109KB

MD5
62118bf60dbe87afb8c49bfd1e680257

SHA1
5a4aba018987b2ffd8f8cc0ff4faa4ef2e60ba6a

SHA256
0f8cfee41fff8d0f377921f331611f7162d7c255341c2e616bc3cb1a080ba862

SHA512
9c57596a4df1a45d4ee140f2613ea07c9a4235c744aea3f5ce1838d2b1efbc6fd3f8052faeb00818e375da860eb9dd4cc4d5100ba053887ebe2e7d92991a218a

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
109KB

MD5
91bef85f4540f078d6a3aa3cbcde8583

SHA1
edfd4d19afdcc34d8aa66d2a174a62d54b5927d6

SHA256
de9665f7a4f078b137caf456aa9bd372af206e504b29973d2280246dd3874d8c

SHA512
0935f870a62fcab2a00707953d09287c6c85f2fe8720a6db05d2b9283002a70a673b03f6ee7697f82af2fbf63e65ac9fe6e30a64bd7cde61e274bd2eba64e005

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
109KB

MD5
40a48fe9aeab055b4453a12dd303e6e9

SHA1
f1770e29992b0e7f5b285a5e1fa882cd3b3acbab

SHA256
db952dec310155455ad7e358fb14c50f11a508dec57eee26b08f3be87fe078b3

SHA512
c8961afc2c43508159ceb1b77315cd0f1408117b2ff8aaf2723694cbf017712bf8ef5671bf5e7c2ea0d8c7d2cf5aff51d45193c81f07b5e88b87866030f02b9d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
109KB

MD5
69623ab1d2ac2c80da03c4948c3ef409

SHA1
2b46b9d81d405dd3f0baac69c04a1e1cb383e715

SHA256
2d7ceeffd53e20d9f044c30b5ef32a386325438a3d7e466a4075309a9e04d92d

SHA512
1ed37c0d2ed1ae19d83787b009abd5ce60c9ab17783b4908c56406895cb70cbcb48d8a538070e4ed693d1bfebba48e037c5d8b283067f954c046cf56db5926af

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
109KB

MD5
032739c5b45270902dff89c179c4cf29

SHA1
4b9969fbf7bcc00f97c27fba05e28eb7ad2ccf08

SHA256
a46b7240bdac8b366fe8ec15c153c67b4094b842b993b2647f6e6d817fd2aaa2

SHA512
36bd5f8391172307fd93bd536cd8481fa06ace56e49b483727ea2f4a1cd2fec5284e29f7313fa4c19ee5d079a173d19d576c2850c459590393a7eb42a54aa661

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
109KB

MD5
93cc78c96883e329ce49d86423417273

SHA1
3a71100787e5630c469fb6ccf33ea40a0f7686e4

SHA256
cab3fbc47e9bdc25c1548d404926e07641b6422df61a4454d490b76bb678a186

SHA512
a32549b661cfa52f7f47ad3e211b77bb6d79d4b000379a0ea1b2cd85de959174e0ce31c74936290c69e60b8dba2c6c4a96dee1be1f1e211a11f8735928186449

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
109KB

MD5
13562cbbef288bb4f49bfaf950470261

SHA1
2c137ca0850cb7ad8519bc27181448f75e4aa955

SHA256
6f0a58619b6e9e1a78ee06bb3dff2b91001f0ff9ddbbf0c8d0a3af1891db9d78

SHA512
ac4b441efe7770d3c5f1dcaf0f84d99b1d7eba739737a5fb552c32f9ea7a0a33611ddc0465557c4406a02facc125f2a596a60f857ee3e7bf53fdaf36f1ca1dbe

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
109KB

MD5
335c6dbed2ffe99c72a11a95efc1f806

SHA1
147989aca6a13bc842e65ded2503e974da05283e

SHA256
3a5ae4d3969ef96e501244c9a18846ec073ae4c38077a75e59360c5b1a6f4dbd

SHA512
2cf9d28b4f2e04c02d4ba548132aad257b08a3ff4caf6654e6a7a11ae090e9590b269abeefce4c51522a92c872a63e1049fdd6fec064bf7ce3d0858d1c98dfc9

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
109KB

MD5
2fe15b81bd2f6e858e9bfb3a0947b0c6

SHA1
97a4eeee127fc960ae55a57cabadc6bb7f7b322b

SHA256
a03450d7f67da85c1e297652b12ef943beb81d26229f6d84b66a10a819ea48ff

SHA512
e0d2c1c9e800cbf328058398bff52d2eb1ce61a9fedb4c1dcb5d4c8c543f5508560940e0380a31119846b7171e30c71b3cd4a2c52a555f9f39415fac33150146

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
109KB

MD5
5229094652e5a26ed0d35acf349d183a

SHA1
112176589f1d0015eaed3ea5c51076549722b932

SHA256
13aed7892cf9cf4edac1e492a7819f4bb1b21759d2a42626bd6bad44b522bf15

SHA512
6c0b5cc4077c33d63b0cc741ea056269c23756fa9981b70f4f9eebe8c333f407dc2ff67f9827e9f8356813cb50a083c8e4e337a463b4a31cfc13a98e0f3f2067

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
109KB

MD5
56958aad1993153df8e77ac6edcfebb5

SHA1
36158e5fa8b296c4f4878fd0e3d14f5734c707b9

SHA256
c98d46c0cc2a0db2d3e43da5ad0e25cb201ccbb905e774ab613aa330e8158d2a

SHA512
4d31471fff463bba05f91f6290914898dc5b0ba55037c12cff2bc5eb4ff7ccc17c19f5891907f3a4f7b6e1e4d82de91e05c5ec21828e1f2d50d4c3196a1140b4

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
109KB

MD5
b8cb307df8201569eefe0e06ee0a5b9b

SHA1
1e4d2108c53f0f750f9b9a160173b0046c1a8bfd

SHA256
b79c7c0a70777129649a3ce8c9f5db30d00aad70d26be52eb39916cb0f73b5b2

SHA512
47d8c11b0fef649439a2fd31be19dbb04319cf76a4cbf357649f3c19001117daa427a4506f455cf5ed9eb4de7e8173871bf31766378b932c44d16756cb761ce4

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
66KB

MD5
eb4f09fee8f47d53f8d22d17c2253489

SHA1
4d24d28d4e8578ecaa7c93326b7db27922bfd728

SHA256
aab24f38920b11756f3ef6540de253548c9346b63e73e7ac01c638ec1334ee4d

SHA512
6b3aebb1b8775025c8e25427767c74fd5a2417d1d6025f68d5a7a1245c9b9e8c1489dd40e366044ea1c136888555f9f60c9c96064a4ca8a0adfedc23c85655c8

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
109KB

MD5
adf0670049120d33dabcb7beb7ddfe06

SHA1
c3d08755f273f4a1ebb9cd84fc88581ab8c7224f

SHA256
7c69427ad468faa1c9629601812fede7ad0296844aa5573eb87d799cd981fc27

SHA512
f7cbb13bce43803f254501adf3dcf96ca10137e74937a2632e4215cd43a66366ab1707e4bc37e7db02d831dea6c67a283e4912dce7699239467b125e9c340c7a

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
109KB

MD5
8b0970798474eb8af35af475193db8e1

SHA1
b6db9483183a5abfb95f6f915fdba2f05d2eded5

SHA256
d884af3bc50367a620a4cffbb9cbc818e85d69828dd8fec2194a186e84d3bb8d

SHA512
ae674f3e976bf0e6a50b9287d79de004d357fbb49827de33d46789314d5e1686bf3cd1863021da1ce501d045777df98a777162cfd2b0c43b95f78d7572b50dfd

Download Submit
C:\Windows\SysWOW64\Lppaheqp.dll

Filesize
7KB

MD5
59902abdc5017b7bf55ca3a5cb94edf2

SHA1
d830c8b6b68ee95a5cd0701c188948c36093fcfd

SHA256
a340df35521e4991538cd044568398f2ac4c684e2d9adae33d537fc9777ad2fb

SHA512
922d616ad847f075422c1cf3a7ab94e1d1dc36bdaa2f6cde139efeddcde9a92774f6508202015fa842c3dcc1ab3af05ac303ec1a2565fe55f9e5b8aa5b4a6285

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
109KB

MD5
3e7de15b2c8c23cb682d18a552383ad1

SHA1
4d8d4f2cdcb93b3182ec7b3554965e6253a7e8e4

SHA256
4081ecca9aa29f24ecc239e0ac4a26ae8ece97b9ed062aec017afeb77aff8f0b

SHA512
e5827f8d3793c0ac37f5656b2d0b0acb062e14fd490dd8161f26a154be1a469884ac08954a3fc36b91e313f4c3d8113d32652e4987a74515f11b35d91190fe57

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
109KB

MD5
bad3344030f7c02507ed347a2c835e6e

SHA1
7cf837555e444245359e39ec0ea78741bb61908f

SHA256
8d66b99b7b6f8b645beebe609a4f066a4154fa0bbefa46ec823ac5593b37f4b3

SHA512
1bffb81766caac7c71534b2159c48536b988cff3ad95e5dcfe67cf17b9131cf69c2fd14043351911d7908e1242ad9da5f864a82f34f0f5a1f209c2c8fd553904

Download Submit
memory/400-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/516-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/516-391-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/664-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/672-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-470-0x0000021460A20000-0x0000021460A21000-memory.dmp

Filesize
4KB

Download
memory/1964-472-0x0000021460A50000-0x0000021460A51000-memory.dmp

Filesize
4KB

Download
memory/1964-454-0x0000021458740000-0x0000021458750000-memory.dmp

Filesize
64KB

Download
memory/1964-438-0x0000021458640000-0x0000021458650000-memory.dmp

Filesize
64KB

Download
memory/1964-474-0x0000021460B60000-0x0000021460B61000-memory.dmp

Filesize
4KB

Download
memory/1964-473-0x0000021460A50000-0x0000021460A51000-memory.dmp

Filesize
4KB

Download
memory/2092-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2968-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2968-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3160-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3348-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3540-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3552-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3700-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3808-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4092-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4092-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4168-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4624-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4624-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads