8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 00:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe
Size

115KB
MD5

320e4d4dc9b037e1b2d95b5d2a7b324c
SHA1

00652f9f2057bc334ce862a9a7f1e2fcf9a1f068
SHA256

8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88
SHA512

f690e852ef884a95d79d0e31b5e78bbe3ff486983c3ec7dec36ab8f58332ab105066e86ab9ebcf3866ef5181bde8ff0bc60d9234bda8e2c2ca5b39808831e0f3
SSDEEP

3072:8rXX4hwcb0bbaaai7MX2FW2VTbWymWU6SMQehalNgFuk0:8rH4Zb0bbaaa2MX2f6ymWU5MClN5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe

Executes dropped EXE 64 IoCs

pid	Process
3000	Jiphkm32.exe
1620	Jagqlj32.exe
2652	Jdemhe32.exe
4032	Jfdida32.exe
624	Jibeql32.exe
384	Jmnaakne.exe
4940	Jdhine32.exe
1808	Jbkjjblm.exe
4292	Jidbflcj.exe
3016	Jaljgidl.exe
2608	Jdjfcecp.exe
2268	Jkdnpo32.exe
4552	Jangmibi.exe
4004	Jdmcidam.exe
3680	Jbocea32.exe
1692	Jfkoeppq.exe
212	Jiikak32.exe
1796	Kaqcbi32.exe
2756	Kdopod32.exe
1844	Kilhgk32.exe
4072	Kpepcedo.exe
2260	Kdaldd32.exe
3656	Kphmie32.exe
2712	Kgbefoji.exe
4048	Kagichjo.exe
4868	Kdffocib.exe
2572	Kgdbkohf.exe
2444	Kkpnlm32.exe
1560	Kajfig32.exe
1292	Kdhbec32.exe
852	Kgfoan32.exe
2112	Liekmj32.exe
3268	Lpocjdld.exe
444	Lgikfn32.exe
1188	Liggbi32.exe
4680	Laopdgcg.exe
3484	Ldmlpbbj.exe
5020	Lkgdml32.exe
4332	Lnepih32.exe
4016	Lpcmec32.exe
1704	Lkiqbl32.exe
4316	Lnhmng32.exe
3160	Lpfijcfl.exe
3996	Lgpagm32.exe
3972	Lnjjdgee.exe
2556	Lphfpbdi.exe
2200	Lcgblncm.exe
2100	Lgbnmm32.exe
3476	Mnlfigcc.exe
3088	Mpkbebbf.exe
3212	Mdfofakp.exe
2412	Mkpgck32.exe
3592	Mnocof32.exe
3848	Majopeii.exe
3940	Mdiklqhm.exe
1192	Mgghhlhq.exe
4764	Mjeddggd.exe
4456	Mamleegg.exe
3052	Mdkhapfj.exe
5100	Mcnhmm32.exe
4516	Mjhqjg32.exe
5000	Mncmjfmk.exe
3892	Mdmegp32.exe
2388	Mglack32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	3564	WerFault.exe	166

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 3000	3180	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe	85
PID 3180 wrote to memory of 3000	3180	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe	85
PID 3180 wrote to memory of 3000	3180	8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe	85
PID 3000 wrote to memory of 1620	3000	Jiphkm32.exe	86
PID 3000 wrote to memory of 1620	3000	Jiphkm32.exe	86
PID 3000 wrote to memory of 1620	3000	Jiphkm32.exe	86
PID 1620 wrote to memory of 2652	1620	Jagqlj32.exe	87
PID 1620 wrote to memory of 2652	1620	Jagqlj32.exe	87
PID 1620 wrote to memory of 2652	1620	Jagqlj32.exe	87
PID 2652 wrote to memory of 4032	2652	Jdemhe32.exe	88
PID 2652 wrote to memory of 4032	2652	Jdemhe32.exe	88
PID 2652 wrote to memory of 4032	2652	Jdemhe32.exe	88
PID 4032 wrote to memory of 624	4032	Jfdida32.exe	89
PID 4032 wrote to memory of 624	4032	Jfdida32.exe	89
PID 4032 wrote to memory of 624	4032	Jfdida32.exe	89
PID 624 wrote to memory of 384	624	Jibeql32.exe	90
PID 624 wrote to memory of 384	624	Jibeql32.exe	90
PID 624 wrote to memory of 384	624	Jibeql32.exe	90
PID 384 wrote to memory of 4940	384	Jmnaakne.exe	91
PID 384 wrote to memory of 4940	384	Jmnaakne.exe	91
PID 384 wrote to memory of 4940	384	Jmnaakne.exe	91
PID 4940 wrote to memory of 1808	4940	Jdhine32.exe	92
PID 4940 wrote to memory of 1808	4940	Jdhine32.exe	92
PID 4940 wrote to memory of 1808	4940	Jdhine32.exe	92
PID 1808 wrote to memory of 4292	1808	Jbkjjblm.exe	93
PID 1808 wrote to memory of 4292	1808	Jbkjjblm.exe	93
PID 1808 wrote to memory of 4292	1808	Jbkjjblm.exe	93
PID 4292 wrote to memory of 3016	4292	Jidbflcj.exe	94
PID 4292 wrote to memory of 3016	4292	Jidbflcj.exe	94
PID 4292 wrote to memory of 3016	4292	Jidbflcj.exe	94
PID 3016 wrote to memory of 2608	3016	Jaljgidl.exe	95
PID 3016 wrote to memory of 2608	3016	Jaljgidl.exe	95
PID 3016 wrote to memory of 2608	3016	Jaljgidl.exe	95
PID 2608 wrote to memory of 2268	2608	Jdjfcecp.exe	96
PID 2608 wrote to memory of 2268	2608	Jdjfcecp.exe	96
PID 2608 wrote to memory of 2268	2608	Jdjfcecp.exe	96
PID 2268 wrote to memory of 4552	2268	Jkdnpo32.exe	97
PID 2268 wrote to memory of 4552	2268	Jkdnpo32.exe	97
PID 2268 wrote to memory of 4552	2268	Jkdnpo32.exe	97
PID 4552 wrote to memory of 4004	4552	Jangmibi.exe	98
PID 4552 wrote to memory of 4004	4552	Jangmibi.exe	98
PID 4552 wrote to memory of 4004	4552	Jangmibi.exe	98
PID 4004 wrote to memory of 3680	4004	Jdmcidam.exe	99
PID 4004 wrote to memory of 3680	4004	Jdmcidam.exe	99
PID 4004 wrote to memory of 3680	4004	Jdmcidam.exe	99
PID 3680 wrote to memory of 1692	3680	Jbocea32.exe	100
PID 3680 wrote to memory of 1692	3680	Jbocea32.exe	100
PID 3680 wrote to memory of 1692	3680	Jbocea32.exe	100
PID 1692 wrote to memory of 212	1692	Jfkoeppq.exe	101
PID 1692 wrote to memory of 212	1692	Jfkoeppq.exe	101
PID 1692 wrote to memory of 212	1692	Jfkoeppq.exe	101
PID 212 wrote to memory of 1796	212	Jiikak32.exe	102
PID 212 wrote to memory of 1796	212	Jiikak32.exe	102
PID 212 wrote to memory of 1796	212	Jiikak32.exe	102
PID 1796 wrote to memory of 2756	1796	Kaqcbi32.exe	103
PID 1796 wrote to memory of 2756	1796	Kaqcbi32.exe	103
PID 1796 wrote to memory of 2756	1796	Kaqcbi32.exe	103
PID 2756 wrote to memory of 1844	2756	Kdopod32.exe	104
PID 2756 wrote to memory of 1844	2756	Kdopod32.exe	104
PID 2756 wrote to memory of 1844	2756	Kdopod32.exe	104
PID 1844 wrote to memory of 4072	1844	Kilhgk32.exe	105
PID 1844 wrote to memory of 4072	1844	Kilhgk32.exe	105
PID 1844 wrote to memory of 4072	1844	Kilhgk32.exe	105
PID 4072 wrote to memory of 2260	4072	Kpepcedo.exe	106

C:\Users\Admin\AppData\Local\Temp\8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe
"C:\Users\Admin\AppData\Local\Temp\8f6ac3ddcde1d8ef7acc7a0a57ad77f922343fc5bf93ce6dec703cd1fc675f88.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\Jiphkm32.exe
  C:\Windows\system32\Jiphkm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\Jagqlj32.exe
    C:\Windows\system32\Jagqlj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\Jdemhe32.exe
      C:\Windows\system32\Jdemhe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        26⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        38⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        70⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        71⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        76⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5116
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        83⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 400
        84⤵
        Program crash
        
        PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
115KB

MD5
06b9708b8f8b7f60ecaf9b1c1d62409b

SHA1
82a11b4c1c7edca407a8585b3e88d78eb3aa366d

SHA256
eb50823918792816ba8a3eb9be69688f0a7903f7af05e11c2e22444820e056a3

SHA512
da969cefe6b019a5ea891629823fb543c8c6c5c49697858f3175de40414e77c237d1567217726b63ee1a0fcf58722fa7306395aaacc1ba3e4a468b3adf620efa

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
115KB

MD5
7a9bc30239afda42ab35ee2093b44eb6

SHA1
90b2fdb770417bfbaf9a07fa8ea34965ef6aefb4

SHA256
0118842322579e8d5c7c42b7743c644b7fc88bedfe630406a3a37ac778190431

SHA512
7a3c0241ea9236620f11866b25577d08abc07205243fdc42a1e8fd5de3a01a5245a8bb245ec8ade527e2258f012fcc69d0b7d03a7fdb701a7d427a2b48bc2ae4

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
115KB

MD5
89078bfc971d95e765f38081b9da7b32

SHA1
f42f9397aa3bd8db3365f6b005d8ebbe2157d832

SHA256
fe251002640c2f7781f07efeffdb1b1cee3f6532f5b577751f1a25ec4076ab3b

SHA512
6c5ef2e8ddb0f9519bfc74b6f6da48e262cdb0e5440b06faf4f8dfc17c12da6a993b6adcf73528569e7d64b8be23f0649ab63220b63d693ba564c392823b738b

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
115KB

MD5
7847a3e0097c1f50d7e7511a33ab6d86

SHA1
9eb6a6368b3b7ded2d33d462f5e13e391995368a

SHA256
b6790d0d72fe9c87e74c69264045b3a32acee0dde6aa42b615fe7719c8fdbb4f

SHA512
d89a866320aeaa48cca863ab2c4409b8945b5ccb368fa297bfc40b5ad0ae1aed6af343bffe1628454d072cfc939b51356d05ae7bf019c9b08dcd862f63a80e55

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
115KB

MD5
734603be89ecbaaaf6d67405888d6b0d

SHA1
2f01f7844b14a5e72325870f8799bcdc6abc3759

SHA256
8180a0b07c6a0100b1f5f72d4eb42b30f07f9d8569751d380005aa7267d5ea53

SHA512
2ac1243e0de2fa09545df65687df5692a072b384da0fc20b1902900a3391ea13f0125225dcfa30f30b845d73410cf2168516b773ab55fbb22fd0cc971ef11c6e

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
115KB

MD5
377735da4a4417616464a3917672ff24

SHA1
7f3995df357ecd481fe429fb589dc8c458978032

SHA256
b4a04c6460a730f2572c060212ebb351aca8f1afedaf4b140bafebe6f9d59bc7

SHA512
48319a08a6bdf229cc4333068ad67d2c313a8985fd693eb177ce9d0aec1762fa693b05b2a6bba35d02392e6a9994ee0cd0b121da89124b6ade08248fdf80bc43

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
115KB

MD5
6b51bef411d0d888847e2c789c80d215

SHA1
4342faea3cbe508516bcc3127cad7fd1990562bd

SHA256
37eef0fd348477b317480beff2e27062b3c0a6a3b59bedf82be7ceab1872924a

SHA512
492376af405b3994c1603358deb3dcbd76e7bd9e5440f57ee6e6b814465b52f53918c8fd755b0592f250d90796f866cdf1381e8c7bed4bcf20de4d8cc54b2d75

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
115KB

MD5
9bb3d3d89d1657c1b629afa107e828f3

SHA1
3e9f91d53fb1d46defe9cfeb09b668419bf51318

SHA256
13e0da758d91224cce09b59389fb608dea769c6ba5d70a33445d9ae3ff76f0b0

SHA512
6a0855af541fd2e345cc068f727286cf35270bf314464ad536b55811995f6493a6cccbf885eba88da5599dc2acbb9913f3de953b5b9fd4d09b4cefa2ac937dd5

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
115KB

MD5
611c185a13a24e287a0517c717b2767d

SHA1
788353beda3f32c96c9cb451c90221caf129f3af

SHA256
ef2910274cd5f96135fe32b680e38793accbeb6c02efa4aebb1ed6bc3e096bd3

SHA512
7979e2ab1d66b2668a4b39bb95f14b78a40f0a58fa068e2676349c247ef4de6699ddb7a121a35fe92408044abc1a3f55d80d03d08f1d2f7756bf932b0c0ba544

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
115KB

MD5
34695d3d4a29fd0c1a301593d39807f6

SHA1
b2a0e792260b3773c3607542ed7bb9ccc44e110b

SHA256
fca36f98aee133cafac34eea4d17bb9a877633383a56a874a2934b780fb7edc5

SHA512
4fc257e3514f8f7ceb6632a17bb3995891248b72118af09f1e3fbdb4eb3b637f3052b8846dfc140cb7884bf4f9b6d70aa9ee17b22d437e7f3c0f92eb3c06a37c

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
115KB

MD5
b96ea11e708d94c2dac68103858c2f1f

SHA1
d6d646785f529d9e3445f8494d864c5d97ddfbe0

SHA256
e319fc0ede2d7d2414971bf735821dbb870617af24ee87165bffd03f7fdd7cc6

SHA512
e28790d945791ebd13fa21765a0787ad1142e4fd4eb9e78049e44678d5e6217d56c50e569eac4bca0bef8f58f1ffd188169fd8f66d77e75a05982d16929ab22b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
115KB

MD5
90902ee815e85a635f1ab3c10faadd7a

SHA1
2c9a16c1c19871e1df357a09a7f8e8e8a7ab2346

SHA256
324806e02f808e2f959e18daab4c73972f60c85dc2c98771647c0b56f9ee14eb

SHA512
7d67717ad3d979d4c72436a94f1e0d04f1d038e64f6ec3feeaef8f091630ec6bc847a93369fce98187758267e114bdd08240eb8caab335a0c129f9bd929fed45

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
115KB

MD5
d952d9d1cd7be94354c878515279d8ff

SHA1
ca6f57f61f755ca1e98da733cf17c4c2d3b023fe

SHA256
ea72dcd45b97e8561b2e7e9ddebca5354daaaa2641610788fe0b3bcc8410c2ee

SHA512
b8210acba494fd559f83eb2ffbb399ba3bd607a8bd3c2a0386b82cc1838be8ac170701e6c05e42efebaabf0375844aa3abc85aae527da25227a207afc174b765

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
115KB

MD5
44275499eda4a17a38e7a61097c0c009

SHA1
d0534d96ba93e58fa15f8ebe626545dbc9c90b99

SHA256
a9cdc322dddacbea1f729e8123acf98735ed56429ce51d467419cae406fbc146

SHA512
2d1a6cfbf92ee2a2be5e6033b026380af2f374ea572c3022b877062ef1daee23f39a51837b53c896d66a32b9311828fbf707ec7559a22887317cc7412f13b82b

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
115KB

MD5
06cb057ebf05a74c621d21d0124a0808

SHA1
b50cbd395960e2b474770b1c2e0f1c3eb1f172ec

SHA256
cb1c20dec286bd18f157905ae00dda4dbc317801eba98227df4c3da6223dc64e

SHA512
74e7ea9d616a10cdc8f5b6614541cdc2514b8584d13b7f5c0e295b6acbcdcad04050259e24b8d5a70657b12d7d3893649dca116abbc4f568d1b79a31a7c46b50

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
115KB

MD5
acbbceb7bb1c76cc7c562a40633145e3

SHA1
eba6b3344ba0a89395c6522f434990f24ac7b84b

SHA256
e063ff68bcea76f4612bb560b0a1bf015d7ff29e5e065489601f10786b713fc8

SHA512
ea3bbd9d883b7e96df0bd10120dbcc882fc3a8b0af47eedcbdccc3d133ba824638c196aee3e374fec957322c406cba6e9723bcc95844d0278f5a79b5088c7eba

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
115KB

MD5
011f7f2c51194c3be56432a56f17127a

SHA1
7c35f31f4c1e43948b277b72fbe3d90b3f2a7827

SHA256
728851b60adc3936f8b0e4953fd6e26bcd1c730feb57b1825b9921702bd6bbd6

SHA512
467ad3166137d1ba0a5b4e62fedb78c8353994325a985ed2d1b356f97e67ee932e23f68476dfa8851fadb9289dddd502f4a05dc4c03b1ff9fe6eb0688d30cb27

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
115KB

MD5
511ec9aceedc88c2c535bb2544dbaaee

SHA1
a4642824b68d7f41c617aa0cc0dabaca46503618

SHA256
d35f75cc4ad015f74aa2735a8b53fdf4abd720299247f5e3ee7e352d434c6ec7

SHA512
943f23d78b32f44399873483d1981da0d30df847764fae440dba00101b913fd2419abd7e7c0dbb1ba943e4ab3f613e7d0238f143473cb85ce06a238259027f21

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
115KB

MD5
e7370969743cf948e8f5534dc727752a

SHA1
8c90797cec3eef12549d3c58f3431c5321ace6de

SHA256
e80b80d4da8bde4b476064de8df53bff6988524df8ecad779ba80bf58cae88b3

SHA512
51e5720ab403b5011b7397a1d19e495632d691ae1ea3b7dd5aac1ff6e1328a497b188e88d14aa74f70326407668a54e6e7649bea1a5d914b2c8bce9a317d458c

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
115KB

MD5
ecca5f262bb06558595e7368f5ff43cb

SHA1
9311ebab3009de663eb5c786dd33b50d9a21dedf

SHA256
288faef1ceb23b852c695618f8bf26496e8de96ecbc58b6333b3e328382aa8e9

SHA512
bb66c7464875a8a095020e83a33731746bc13c31362a595cddc1b27a6a3cb279b422c6671e3e6b18f7bf55a8af1bbfaa3224dfa30f54ef56f7978ede47294d5d

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
115KB

MD5
479c3fb0f800bbf3af8b434aa42e7e1a

SHA1
d32a27ce7e49a3b9fe5d97747b7b099f3961255e

SHA256
20ddba5e397f112ab853c8422ce1f8ac6b03ee2690fa1350590f33c70604da97

SHA512
584df9cc47908cfd22ce8265c607d36cf323075faf0376dffb78d5d20dc0525c897f2c92691f66f7e23d662634b5488eacbbae3083c54f6312d7708a1c9309bc

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
115KB

MD5
9ffd68826d901760f7816afa9dc1290b

SHA1
e02cb57cceebfb39a202c1a9e887e0a8b975bdd0

SHA256
b982f8be6aa16865b6a2bde21c09e6de9fe72b3f521a188f93c040370b415288

SHA512
7178ac44850deed34a0e41d0e25b40952272c473ba2d601236021e4f552bdd61521a28de91ada206b42384f6bf59571fa8417ff7488b42ff85a90512af9a9842

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
115KB

MD5
7e3e216cc35d7d516f6ab342a0785447

SHA1
87c444f06923deb1f856b2424f4c0a5dfbc7074c

SHA256
7b6252eb43cbb2929d50018238d9cf4bc150f1125da148089ed0796b5b288111

SHA512
fb48f755ad8dbb1a0e094868c54dba27628ca0707cb5d7e7aefb9c5a8cde10a2e03d7dfd243940da78cea4c35c4d4c73ef5471eba6608730de478460d519e6a3

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
115KB

MD5
ee324009255ac7211cf28e84cc8df956

SHA1
820eccc94df9ce49a15fc717cae00a98a5082629

SHA256
594ee04731aa5247ee93fcebab7e93c3048055ada917efae1f322525339cd5b1

SHA512
82d0fe4d94dd9d01dcc51e916510d2f664451389e5cbd9c8a8273ccce071c4abed536ff61d71a117e3a20a654433001b09d4fa8fc3120364f3abdb28bd611123

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
115KB

MD5
9e3df0cf5231842c3e74813fd9773d74

SHA1
f96b839f6b4c37147b3077594ad04ad0bd112e1c

SHA256
8776c38d138777ad9c3fe3c1e72e0c7de4652b4f2ccf2f63d5982135e2fb9bf8

SHA512
dca0f5425062e840ef2c81c370eab4c447076f1d758684a8fbde4f09f09b9b443e693f5f38b78dbc8563f900896085d8b349f4833b0d7014b3dd9535d786e220

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
115KB

MD5
27f7e417adc7a478ef4ec31197eceb09

SHA1
396215af5c47542b71ad5227dfabd74a1d90bf07

SHA256
7f369f144e80d378334ac4c6011fecd535089da4b91adb0caf0dd1e910c5ee68

SHA512
485d7906c484de28b215bd6b95a81dcf62664aacbb25bac4c20040c73b48d10f1b2fc7dda1ccb6bb271cb7d7d6a3e3141831425d51c6e2d1aeb7899a4c1c2f38

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
115KB

MD5
3fb5c4b4ece160efa5f1b6f790d15f12

SHA1
cba7aea5228e6ceaf5ad00cb4cdc2a0c7d68efa8

SHA256
aa7d6fcf6c93103be12472b792dd691ccbbc3dd93e3d9ac4073125b5f9860a23

SHA512
8f24edf28eaba5c397cc7397413b9204d1d00661430edc89a9461f562ba1644227bad9b62dca82fac743792ec4e522dc423d030ae10003309ff4341fa609b7b5

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
115KB

MD5
2ee3f201a4b64630a9cab083cd7ba42b

SHA1
51e7285541f98608f966ccac9c71a431b07002df

SHA256
3acaed9740784462c69adecd6e2b3e66ee6158e26ad07f1e5c98e88faeae4d7d

SHA512
864d497ce5542fbc083af2e0a98b7e1e57289a300cef1041c8639e6540692d7468725c5e971867ca2781d99f71722a883b7c83cef128e258dd6df538c5346bda

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
115KB

MD5
8d35af26290f8b2ff1392564f0de184b

SHA1
f3f9a445e755462a40019f332f515d02721cdd9f

SHA256
3891065f034b354c01757bebf627360699f1f2e0577e8abeaaeca864a6ed60e6

SHA512
e8ee6d97fc1fceb2959eb9d029b7d4e703eb2723a1b2b2ec85dd2d881d6620b026dfdfa2234f14079b9dcec6d7abc3afc6f1cb73fb64bcb9d634230ea9f99d38

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
115KB

MD5
fbaab6274d21d5f840b874b1926188c5

SHA1
80750a6e11b65a48b49a1c30c27a93c0476368fd

SHA256
8b51a7e684cb0e41774e17ba280035e4572a8198bdb36d22c2d28c0e6cddb4ba

SHA512
bd09f3a10fca0e3bc170bd71da89e54649535627e2a5f42c15c7328283093a0c62e62b82004a5746b02123f455e440b1e2eae063f1535a15029ddee9dd5b7d1b

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
115KB

MD5
b74e98e8741df27f0622cdce7bc33c70

SHA1
1d95e9aab5fa48188e0a81f14d726e51a9031bfe

SHA256
b54b847f1637bce88f35863c98a84112ba4e6d210b3b1eb61f212540d84e9430

SHA512
8afe6887a4b1df303fd6e94609978175106c0e24803bcc9f148207bbbbd77bfdad1ab83489772af315307d5f1d2599619317431a051f5cf2f162675d90c26bc1

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
115KB

MD5
caf44409bde839ccf452a9a7ae712856

SHA1
2fe9992cf4fdd4489ace9eba5eed888e41cdf9b1

SHA256
61cc371c3e194e187656b4c5edd7564955c2cdbdb67c046e55499c1373fd1040

SHA512
90efc795b310c2ea1865a5611aebae0f4991e896b6a86790eda4d0315871574b0dbfe83dd278194a0568f6237208ff498d8c2f9836db272f8cbd8f195b2c1514

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
115KB

MD5
d02686b3d3b398f8b450938243fc516c

SHA1
6c8b74dc6ee36b85932e1c9a1a10f0a69b2d0f8a

SHA256
ce9dff780a9b4237218d1492780f34fc9678f258f08a723dce2918671d85a0f8

SHA512
cd0e933349838b713434acc646b66b2fa7c56407de536e7605b862159b0a13914a193d3e6be2e28a5939907c5748305358ce0c55f314d38dcdb8f8457af766d2

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
115KB

MD5
1c24d528c11038ee3199070344c9997f

SHA1
a53f4916f6e7f576d262c5ce1dfb6b36718957e5

SHA256
3b69d104fd92f4c7ae7d7b6d450e5374f8f0a15448d332bd500cf05d6391d177

SHA512
a4283b5a99c19dc7c9596a3e8df067019215ea0d15edd5bcfaddd0e5705453cc1b71e3c80e19bd636889914e7c116e4e5f0a71984f3ec960ddcb725913f4745c

Download Submit
memory/212-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/384-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/384-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/444-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/852-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-288-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1292-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1292-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1560-244-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1560-317-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1704-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1796-154-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1808-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1808-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1844-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2112-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-275-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2268-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2268-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2444-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2608-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2608-192-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2652-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2652-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-164-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3160-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3180-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3180-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3484-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3656-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3680-131-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3996-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4004-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4004-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4032-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4048-217-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4072-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4072-177-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4292-181-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4292-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4332-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4552-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4552-202-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4940-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4940-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5020-311-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads