4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136

Analysis

max time kernel
92s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe
Size

246KB
MD5

1dcfceeb306429c1fae87b6e16dd7369
SHA1

c330446250f5ddb6f6859ce2724abd0a18ab81bf
SHA256

4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136
SHA512

d8198a2e0638780dae4da4a359a572e77c0855964113f43179aa675d665cd1b52d2e33394b19ef9df72235cc8c03a2f672d7f3d997837858ae1e9c4d4289ca5a
SSDEEP

3072:43ROpNupEyLooI3DWA2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3OF9HqoX:43wpNupEeY12B1xBm102VQlterS9HrX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3344	Ijdeiaio.exe
664	Iannfk32.exe
412	Icljbg32.exe
868	Ifjfnb32.exe
976	Ijfboafl.exe
3604	Ipckgh32.exe
4452	Ifmcdblq.exe
1996	Iikopmkd.exe
1412	Ipegmg32.exe
3780	Ibccic32.exe
3180	Iinlemia.exe
1488	Jaedgjjd.exe
4036	Jjmhppqd.exe
4740	Jmkdlkph.exe
5048	Jbhmdbnp.exe
1788	Jjpeepnb.exe
3484	Jmnaakne.exe
856	Jplmmfmi.exe
440	Jdhine32.exe
4216	Jfffjqdf.exe
880	Jfhbppbc.exe
3644	Jmbklj32.exe
4544	Jiikak32.exe
4532	Kpepcedo.exe
4328	Kmjqmi32.exe
4972	Kknafn32.exe
2804	Kagichjo.exe
4832	Kmnjhioc.exe
3376	Kdhbec32.exe
4148	Kgfoan32.exe
1904	Lmqgnhmp.exe
1216	Lgikfn32.exe
2436	Liggbi32.exe
3544	Lpappc32.exe
2860	Lcpllo32.exe
4460	Lkgdml32.exe
1288	Lgneampk.exe
4392	Lnhmng32.exe
232	Lpfijcfl.exe
4936	Lgpagm32.exe
220	Lnjjdgee.exe
4008	Lphfpbdi.exe
4588	Lddbqa32.exe
4880	Lknjmkdo.exe
2224	Mnlfigcc.exe
3592	Mpkbebbf.exe
2792	Mciobn32.exe
2852	Mjcgohig.exe
1760	Mpmokb32.exe
3020	Mcklgm32.exe
3324	Mjeddggd.exe
768	Mamleegg.exe
2232	Mdkhapfj.exe
1636	Mgidml32.exe
4256	Mjhqjg32.exe
3152	Mncmjfmk.exe
4768	Mpaifalo.exe
3432	Mcpebmkb.exe
1776	Mnfipekh.exe
736	Maaepd32.exe
516	Mcbahlip.exe
788	Njljefql.exe
4292	Nqfbaq32.exe
3532	Ngpjnkpf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	4116	WerFault.exe	161

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3344	464	4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe	85
PID 464 wrote to memory of 3344	464	4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe	85
PID 464 wrote to memory of 3344	464	4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe	85
PID 3344 wrote to memory of 664	3344	Ijdeiaio.exe	86
PID 3344 wrote to memory of 664	3344	Ijdeiaio.exe	86
PID 3344 wrote to memory of 664	3344	Ijdeiaio.exe	86
PID 664 wrote to memory of 412	664	Iannfk32.exe	87
PID 664 wrote to memory of 412	664	Iannfk32.exe	87
PID 664 wrote to memory of 412	664	Iannfk32.exe	87
PID 412 wrote to memory of 868	412	Icljbg32.exe	88
PID 412 wrote to memory of 868	412	Icljbg32.exe	88
PID 412 wrote to memory of 868	412	Icljbg32.exe	88
PID 868 wrote to memory of 976	868	Ifjfnb32.exe	89
PID 868 wrote to memory of 976	868	Ifjfnb32.exe	89
PID 868 wrote to memory of 976	868	Ifjfnb32.exe	89
PID 976 wrote to memory of 3604	976	Ijfboafl.exe	90
PID 976 wrote to memory of 3604	976	Ijfboafl.exe	90
PID 976 wrote to memory of 3604	976	Ijfboafl.exe	90
PID 3604 wrote to memory of 4452	3604	Ipckgh32.exe	91
PID 3604 wrote to memory of 4452	3604	Ipckgh32.exe	91
PID 3604 wrote to memory of 4452	3604	Ipckgh32.exe	91
PID 4452 wrote to memory of 1996	4452	Ifmcdblq.exe	92
PID 4452 wrote to memory of 1996	4452	Ifmcdblq.exe	92
PID 4452 wrote to memory of 1996	4452	Ifmcdblq.exe	92
PID 1996 wrote to memory of 1412	1996	Iikopmkd.exe	93
PID 1996 wrote to memory of 1412	1996	Iikopmkd.exe	93
PID 1996 wrote to memory of 1412	1996	Iikopmkd.exe	93
PID 1412 wrote to memory of 3780	1412	Ipegmg32.exe	94
PID 1412 wrote to memory of 3780	1412	Ipegmg32.exe	94
PID 1412 wrote to memory of 3780	1412	Ipegmg32.exe	94
PID 3780 wrote to memory of 3180	3780	Ibccic32.exe	95
PID 3780 wrote to memory of 3180	3780	Ibccic32.exe	95
PID 3780 wrote to memory of 3180	3780	Ibccic32.exe	95
PID 3180 wrote to memory of 1488	3180	Iinlemia.exe	96
PID 3180 wrote to memory of 1488	3180	Iinlemia.exe	96
PID 3180 wrote to memory of 1488	3180	Iinlemia.exe	96
PID 1488 wrote to memory of 4036	1488	Jaedgjjd.exe	97
PID 1488 wrote to memory of 4036	1488	Jaedgjjd.exe	97
PID 1488 wrote to memory of 4036	1488	Jaedgjjd.exe	97
PID 4036 wrote to memory of 4740	4036	Jjmhppqd.exe	98
PID 4036 wrote to memory of 4740	4036	Jjmhppqd.exe	98
PID 4036 wrote to memory of 4740	4036	Jjmhppqd.exe	98
PID 4740 wrote to memory of 5048	4740	Jmkdlkph.exe	99
PID 4740 wrote to memory of 5048	4740	Jmkdlkph.exe	99
PID 4740 wrote to memory of 5048	4740	Jmkdlkph.exe	99
PID 5048 wrote to memory of 1788	5048	Jbhmdbnp.exe	100
PID 5048 wrote to memory of 1788	5048	Jbhmdbnp.exe	100
PID 5048 wrote to memory of 1788	5048	Jbhmdbnp.exe	100
PID 1788 wrote to memory of 3484	1788	Jjpeepnb.exe	101
PID 1788 wrote to memory of 3484	1788	Jjpeepnb.exe	101
PID 1788 wrote to memory of 3484	1788	Jjpeepnb.exe	101
PID 3484 wrote to memory of 856	3484	Jmnaakne.exe	102
PID 3484 wrote to memory of 856	3484	Jmnaakne.exe	102
PID 3484 wrote to memory of 856	3484	Jmnaakne.exe	102
PID 856 wrote to memory of 440	856	Jplmmfmi.exe	103
PID 856 wrote to memory of 440	856	Jplmmfmi.exe	103
PID 856 wrote to memory of 440	856	Jplmmfmi.exe	103
PID 440 wrote to memory of 4216	440	Jdhine32.exe	104
PID 440 wrote to memory of 4216	440	Jdhine32.exe	104
PID 440 wrote to memory of 4216	440	Jdhine32.exe	104
PID 4216 wrote to memory of 880	4216	Jfffjqdf.exe	105
PID 4216 wrote to memory of 880	4216	Jfffjqdf.exe	105
PID 4216 wrote to memory of 880	4216	Jfffjqdf.exe	105
PID 880 wrote to memory of 3644	880	Jfhbppbc.exe	106

C:\Users\Admin\AppData\Local\Temp\4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe
"C:\Users\Admin\AppData\Local\Temp\4e037829d977fbe2675f0c1ba69129a541acf1beee19e82bc8944902031cd136.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\Ijdeiaio.exe
  C:\Windows\system32\Ijdeiaio.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Iannfk32.exe
    C:\Windows\system32\Iannfk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Icljbg32.exe
      C:\Windows\system32\Icljbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        59⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        66⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        72⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        73⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 408
        79⤵
        Program crash
        
        PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4116 -ip 4116
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iannfk32.exe

Filesize
246KB

MD5
3f3163c721e31769356d04c1b89860d6

SHA1
6493af1f1e6001542a9b89827d9a3d3e4729977e

SHA256
8ac342b4fe00cce07f19d9cbfe4f372b54828e1aa060a8458621a818c68200a3

SHA512
035ee0937688fd0db96a5beb11a5228f87a1582881d801f06708f9ee5472c981fcc683990733165aee2ca238c949bc34d4c5caa732744ffaf2af1d55abd1a611

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
246KB

MD5
8d25acb35d74ee7a1bcf546647f2defa

SHA1
ef99b469639bd66a41e94b8c4aa1f0ddfadbe5b2

SHA256
3789e512ed6eca13d960c3a4241846fb3de6b3fb8a0dc1c4218b1c6b656fa32e

SHA512
5dbaa5f79a07ccab1966f714e6999d3f7c639c1e3113ec7834543eb5d265a07743151ba5fd403fe56ac006ef5554710544574abaf755db85dfb0a186902224af

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
246KB

MD5
21cfbcca04b257bfeb8181517e817583

SHA1
e67ddc0bab64d530d86c6a17ded95114f2d04123

SHA256
7ad77d2818e6d0a672acd128acf9113481a51da6bd7509b048c0eece657c9970

SHA512
a207e9733061259cba6a3cb9064b83b0f5da8822e93500106eb651b65c9872acb9ed95cd130a3ef760ddfcb7707779dd68d2488cb969ec37956e6bff2d57a9ff

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
246KB

MD5
ef13e2e2a1922153815eb1f7d348d080

SHA1
697573e03b6448f718b5c30b93b3d7e1218a2e65

SHA256
d1eb923c73916ee9b726f8a176bc5b3355af9c2dbce122b20be6e3a701ea7b6d

SHA512
06b342edc525077889f929b37e0d73e50670d3c691bbcf02f09aa5a717ef4f64592890ece301b54c68a60ae010a5b64703f60180e55bc477b49bf2c6bb6511e4

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
246KB

MD5
ea6946cde358cc0dffe2049a5bb75ecf

SHA1
3268d3d1b0ef1a2493d55916fbf762f291e3e152

SHA256
3a694a06e18f3e313a46615fcdec2944c1211884837711d5cd20bffa88d05215

SHA512
86b4328ab41204bfa640ccb20167798be141deb8c2939d74adfadba619e0040f532469bba626d2604dd1f454039b737715c2242ddef140d5c6e1ef9a580216bb

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
246KB

MD5
7a64796e368d56beddce8067713238b6

SHA1
5605ad30a31842620466619552c07acdb6f29c06

SHA256
8e0fa923f08a496eb0831c453f498968d60e654e9acbf358de81f89a723de78f

SHA512
e24381ef6495b3f55e7fe3dafbdfbb99413935d61e34d71e97c113484ba7b7f4610c89f106e07b0c8625c58d73d905af9e5e99e90004bde3820b4f98cb735615

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
246KB

MD5
7126a584fa5330de0a9f15e5c8e3c085

SHA1
f05e3fe8a55f49298ec79d2dd4fdde8b5021c624

SHA256
4b6da3ccd83beea9b00bdf645fb5e525b516a280d7afefba0ebf9c01e9909a7d

SHA512
fd0fe824f36e916ee74d9a74518c00434958ecde41101df9d4af9f4a00995f81629d3f5b122a573a54a02cfb68b7b24b1be3f0d90e84c24ba1adf836395dbeea

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
246KB

MD5
603817cee86d7c7ba602fe0c93a14fea

SHA1
4afb3466ab5ae2dea2dcda767b5046c9118c9c02

SHA256
fa686f7985ae01802c73f6fa9f76e7649aa8231d12a685b9878db11f2816ebc4

SHA512
7741ab5e0b04a23fca1cb7ef739e35f4e30095bedb20a11ce4c7ad8385ca968f553f425c47b5a2f72352ea8f846041f718c4766f9e5f5fd8502be07615d0cec3

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
246KB

MD5
1a76a73bf6356c23b05d9f014d272dec

SHA1
10624a07f541fddb5379f3b5cbe1ef182da92085

SHA256
fb2bc652e0026a26f4d34ad05d7732f3b34b8db0a11188ddb16cb962516d95ea

SHA512
9c9a097424a68f57551d66e79458973a7a401ca9790416c382d5620818aae2708f876454c4427229ece9b22008579492812c98fe9ad22481156c7b4617fa15d3

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
246KB

MD5
cad79a944d2e3cb5656eaabee4bbc080

SHA1
029c2b45dd5098224452452d8e855fb3fe3eac80

SHA256
e716c55e75664dec5af8afc6682e551ed12dfc8752b6494cc534a2d41b366342

SHA512
1a204c1e4db1db2d9c087e2d3e8a5840eb27da7287bc815a3b69155fa2b64274eaa7af4bf07a84b84857ed1bbf5c90cd744112e711852f387050d0ffd9dfc8f3

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
246KB

MD5
1753c94d51c38ab363bd8c5e5ba6a13a

SHA1
2348cc77faf04e2307e919e7f33fbcfe21193f84

SHA256
0e9f37def697223846be2bafafd42f2783eb8b96a86b55af309b018d99b1b734

SHA512
9d6cbf2653e8e8da19698d84e779a691678f1a27d7c005e27ab563b5355d7bc90136b329dc132258e7574dec02550dff679d95a6aa6067e4a9b202f790711463

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
246KB

MD5
b2a4cc1b0425954f063a26546ff7a315

SHA1
a677bd7ca788bbcc5677ec0a169f50e342cc5003

SHA256
c6979b9dd1597f6ac5d1caf729ab824822def2edb69318e9f88828127e17e46a

SHA512
5ebd2f95315e5fd053bab9a91ebb9b4e7a74abe3a1de067610c9f50479bdcfda3d2105e0dee27ae6d3d5cd27d983912230e157fbf8edbbd4c988268dac69602e

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
246KB

MD5
1f4c2d292fe96f5fea99fb9cda429a22

SHA1
e21800461da6cfbeedc278dd43001aed51f3aebd

SHA256
20226b7d94e78ac036e31815da8530baba59f37b6332cf8639dc20fa40d7f73f

SHA512
0994628eb3bc2963cb3af0659921be12367e480130a9402840a32ef5abc0a1f20784d76b0362d51a4864312abcca29c3ad7d6632739c3cd9028faf1242dc7ae3

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
246KB

MD5
1f89e613728ed65c5ee2cfb9b7fb1dba

SHA1
ec58972f8dd2581ede1dfe8cd35013023b3baa34

SHA256
1dc665ca54789da307220d82006e2bc56a4fd0fde0abeb19f883c3689aa1ce1a

SHA512
6a7aae3e08d650c71d6f0be79fb1950717aa2c7f858c608a4c1e1dc508a96d70e08383f8d8bd33b850ea7581cf4285652eb7020190eddeceae06ce7f274475b2

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
246KB

MD5
1093b318978141b366b0a2e2d2974b18

SHA1
f83d51943f81d3b405dc020be5e3b1cb61e94972

SHA256
116b9592c7767e8e47a1a4a7e41935ebc7d4c1de02274db9f7f63fda3404eaba

SHA512
f394771ad1d2bad438708203c366b0bf4b5cd4d20dbcb6f4f12c3ec5d1dc4802b92f3eb42bceac7fad9282d1afe5a6d76fb489de74aabab35da35f06abd73b5f

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
246KB

MD5
6b17b2e5885cdeb354edb3ca472fd801

SHA1
dca1dc6ae7176b8b1ff88bbf08145d954f612954

SHA256
aeb5aea8a4ed670f70f36ea20bff35b99b117374357062ad8700950282daafe0

SHA512
c2cc05961d8dfdb8954c3331e1739b54779695dcaf46688021a1a07a75d27e3cfe12a370fc83856f445d371744bd460c8e937590d339bd5132c954c167a07fe2

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
246KB

MD5
ae651e62664f87c0756ae3a2f414f686

SHA1
670de95d504a59c5bb9ec843708bcb3c807e60f6

SHA256
69d81bc0a431aeddc1aa9bbe019022f485b3530c3b8d49c414c4e23b1d309a3e

SHA512
77b5640e7ee32956033274c92b39a133dc3b1821cdb212969c2a77b8fc7d37ed1d5e46fd06d1a58de4e34ea81a26d9342038fa37e32d0c18c5daa4b70e2c09ea

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
246KB

MD5
a9dd3f295ccc93f2636ae81e36c9193d

SHA1
998fd7ee396caff63a9551cc48309d690eefb5ff

SHA256
c99fb9082653db2c5fd27f55237ba0cb4e09719bbc1bbf06fa98e138e57db2cc

SHA512
3f0624c4b40de107baeb4cc513f68334edffe4c7e9b6813aff5d863d2c4328691f99950a0a8c2fc39142c40bc5c9a069c2a81c53f4c2e6de4067554adf23b211

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
246KB

MD5
2b3f0586093e119825830ad3f3b0e2df

SHA1
c10c650445f550bd7c8c920ca40e8edc7c539859

SHA256
167228caf58a5c9874a951a4139c556282a7b0fa69162e9c64f98f6cfd4ac076

SHA512
c96b95d0fd53231887f2ed3ef9576764b8f9a431471659047e40816efc3bb8aa8d4675df52c68045afebac6e364c82256551b7a22df3a434adf49ddb2f33c9a5

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
246KB

MD5
e4af7ed20373b3323fe1c3c09f78976d

SHA1
426f39db21e0d4e15fa1a99097e23e3b7854fee4

SHA256
e5552c732b3037953f7bb3679e7aa7531741846a852d6a643e609106a8237831

SHA512
12063a077777a7d71832a42fdd404f64cafeb747001e91fb47c2f1d55f199fc0c67f247fd9d1c1914b54399017258180508e8408b487d0db55231babfb940404

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
246KB

MD5
f575c85716d17edb60f253f134fc5a62

SHA1
b2a08e2d0f0e43520a06f1e3e0c85bc901751740

SHA256
b4248865370cae771d9f9143937d6ab4b8abb9d600002e2c982e003b1a50b7ff

SHA512
a27aac824003a1f265f0a36ead40ff6ede1d55f6bd7274f3662875447655aded59fe326520956df145c584e4e514b6d08aeb2771d09c55027ee0329cfcd91d57

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
246KB

MD5
0dd79642211e9a0fd395bcc32ba3202d

SHA1
4ee0ef48ae9b9379c9487ed5beafa338bf35ac21

SHA256
4e1fbd159ffda24fa43dbda14767a03d44f174855379fffe7c0980feeb81b893

SHA512
0add774d29b7e69301c0cf89ae1f4ffe774b6f2eca19202a062c3fb0f9926a79fb89803f4e7299be3aa195dab79927c8ba227ae8285f784c4ef2ea394cdfb6dd

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
246KB

MD5
160f8535db07e7e2b92350e785079b66

SHA1
fa0bf238d51968795de207313be596308e8b2e1f

SHA256
32c781d0e8e7d962e39917262cc11b4ba470d8d729bd54edb3040e7488c663aa

SHA512
966bd372954bf2d33e828c0f6ee4d7a05db60b11deb1b6e6b4439f8597873ec1279539a3fe0b8561597f40a980f2c69a6bd363ddac4c85b2412134c68d69dfb3

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
246KB

MD5
95af97800f9405c83e6662c46f1cc785

SHA1
b1435f195876fa1f02db4ece90d6ba0ef9cac570

SHA256
c4118fe3bebff957d8bb72a967c7a11913c34093bad451c994c1b72c94600336

SHA512
088481d9f3f08469db2484607d5362d6472544362a9d20497a8afb19e7c3f44232b8583a1bf9701cbb823f3e9defc6a7b0ac55887551204c63e03a519609b140

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
246KB

MD5
6d4ed27ff982d5fc6cfd474ba9015fae

SHA1
912b41f78e3d4e354f7d750e852c6a8d190dbf80

SHA256
86a86a1c61518e077c29831312ad0838666b1e19744b4c652a68d602eb035617

SHA512
2c9c303dfd153e70b89cdb61a906e7b7c1d32ce7d76e809bba4427ae52238f4a5629e6cd78c5302c962306636d5b6ef94c2eb7c317e437987d6b8aceca07610e

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
246KB

MD5
05fd056f7b9fc1c39cc222310f083901

SHA1
df49f8aa835a2dacc100826c635306cb345693ac

SHA256
894bdb22e4add940d4b2111c9d7c5667cd751deaa19fd0632c50eb206c321f58

SHA512
a7b85b4ca2c377d43868c67e4758677bdd2638d3f734e29986818c89985c61e7ea8505cebd336e73442df5cdfe76545f086908a097e773d04547d87fea3126d3

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
246KB

MD5
0b6dface63b45260d496fcc91450479d

SHA1
6d52689103ab6e68635659301e6eb54f567aa1b3

SHA256
48f7acdbe8a08f67f7efcdef47ba1334f89abc56e94bd986e4612da27e41dadb

SHA512
2e77910638d83e4081821a5c7187c983c4ad87235a84c0d328aa0d3d0177f075549323ac9ac8e19ffd83d534155a7da5248286610c697349d67d0cbe75c00392

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
246KB

MD5
c9c010b157bbada03a581349660d2483

SHA1
2e44f8665c2cc211b13efa3770eaddc22e19d79c

SHA256
7871da70dcd3c8c07ce7426f80bcded8c0e44f82d30d93a312a1eb18e3d10083

SHA512
e34382b8db32f8db0bcea675dd2e2f75563b4918bcdfcc9e5cb399ab77419d56bf11fc2791af66a9f7d612e12e105a1290202baef6bf37dd092019cff2a5d667

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
246KB

MD5
b20c8ba27366c6154f41795e244071a4

SHA1
012ee1f5282686f21175b2b8ba0076af4030205a

SHA256
143f93490d8bd9ceab39aac2cb828f1b1cd81be6d59f879544395ced5a9886f8

SHA512
88aa9445e66924725f6db575b765e39ab912bb90ce68cc085b5248c8c459c2ea527212c368d1302dd3bbfb22043cad7f10ebb6b59c936ef6e58474b22520e097

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
246KB

MD5
cbde10e420b8fc544ac1f2ee5246423c

SHA1
09221b668849dc1fb62da2a02d7934c8386cdadc

SHA256
67e304c73769ba3d6f14022af28a7c7a8abd27aa5d4b1001f25c406862dfa697

SHA512
966b0b29a9f75e6652239811c892d600f6ac5feda62afe7ad94ca9ca75388c9bb4dac6d970860bd8fe2142de52ae3cc65a2164fb963c79cea7bca9996edde040

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
246KB

MD5
1aa4c59de3482bb656f2532171be4cc5

SHA1
4b2077953260763bd350fcbf33f08a43fe7c61ba

SHA256
438006261273a5b110f119cf45a8cad02c6500e6c186bf49149b43d64a0dcedf

SHA512
6ba257b3e024d3cf7d17843cd9432f42b1d6ff333288ae86264ac4f45ec9e8766148090d02e12f553d5c2e84ea537175031d4c04a84b4c2885234f58c70cc27e

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
246KB

MD5
b2e4b7883ccfce79adad66d96866a88a

SHA1
5d5b92bd7758517724805cd35e34eaf6dd432cb6

SHA256
a031f7ac4d74e267b22121d0f6152dbe09c4127ea97a6e9255aebf2bd20d6969

SHA512
ac25a9d520d90208705ea0417ad97c54509cc6ab11e57d8ed50cbee17ba5e49bb2bb26397f0c214f858c14e45b152ce63d39fbfaf66036d3cf4b4f9d6c70fb8d

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
246KB

MD5
fec1ca51f3744fc246a31ea6bfc4f499

SHA1
faf724131b5c457dcafdf733a573b04e89eed2df

SHA256
a293618e89dc2a9eb495dc915451336d330d53b3126f5cd34f4be12b35162186

SHA512
c440de6b49bd9d6bad813ede1f32c7836361fa9a64112f00fdd553c290bce58ce4e642a4e5853b69ce52aa3b58808ab1d2088c0e54c4828adce7acbc2bebd65e

Download Submit
memory/232-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads