166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe
Size

109KB
MD5

b0b63c2ee648ba0af5691d97f304ec92
SHA1

d42875f251ec2f471f5c97aeaed4898956cfe14f
SHA256

166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79
SHA512

4afe2e2cb03f77b16eb879a53f86c2b63e72d3178a9b92dae83c26b14bb2e6d4c2c11c20919a9f9aabe7a5d3dbc22b91c82f399932ce94af859e1f0ea0cfe9ec
SSDEEP

3072:NR69Eel415kYEND8fo3PXl9Z7S/yCsKh2EzZA/z:3TnENDgo35e/yCthvUz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	Iinlemia.exe
4016	Jdcpcf32.exe
4208	Jfaloa32.exe
4808	Jiphkm32.exe
2092	Jdemhe32.exe
2876	Jfdida32.exe
2124	Jmnaakne.exe
1948	Jplmmfmi.exe
2868	Jjbako32.exe
4920	Jmpngk32.exe
3740	Jaljgidl.exe
2880	Jfhbppbc.exe
3964	Jangmibi.exe
4800	Jdmcidam.exe
2104	Jfkoeppq.exe
3620	Jiikak32.exe
3112	Kaqcbi32.exe
3104	Kbapjafe.exe
3248	Kmgdgjek.exe
3400	Kdaldd32.exe
3504	Kgphpo32.exe
3660	Kaemnhla.exe
3252	Kdcijcke.exe
3208	Kipabjil.exe
4140	Kcifkp32.exe
3652	Kmnjhioc.exe
1036	Kdhbec32.exe
3272	Lmqgnhmp.exe
2052	Lgikfn32.exe
3140	Lmccchkn.exe
3564	Lnepih32.exe
2624	Lilanioo.exe
336	Laciofpa.exe
4844	Ldaeka32.exe
3324	Lklnhlfb.exe
3124	Lnjjdgee.exe
4172	Lddbqa32.exe
3884	Lknjmkdo.exe
2248	Mnlfigcc.exe
3900	Mciobn32.exe
1380	Mgekbljc.exe
1576	Mkpgck32.exe
384	Mnocof32.exe
772	Mpmokb32.exe
4512	Mcklgm32.exe
4976	Mjeddggd.exe
3804	Mnapdf32.exe
3052	Mpolqa32.exe
4992	Mgidml32.exe
1836	Mkepnjng.exe
1520	Mncmjfmk.exe
1000	Maohkd32.exe
3216	Mcpebmkb.exe
4032	Mjjmog32.exe
1196	Mnfipekh.exe
4424	Maaepd32.exe
324	Mcbahlip.exe
3228	Njljefql.exe
4892	Nnhfee32.exe
2540	Nacbfdao.exe
2080	Ndbnboqb.exe
3588	Nceonl32.exe
2536	Nklfoi32.exe
2024	Nnjbke32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	1164	WerFault.exe	162

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1492	4028	166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe	83
PID 4028 wrote to memory of 1492	4028	166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe	83
PID 4028 wrote to memory of 1492	4028	166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe	83
PID 1492 wrote to memory of 4016	1492	Iinlemia.exe	84
PID 1492 wrote to memory of 4016	1492	Iinlemia.exe	84
PID 1492 wrote to memory of 4016	1492	Iinlemia.exe	84
PID 4016 wrote to memory of 4208	4016	Jdcpcf32.exe	85
PID 4016 wrote to memory of 4208	4016	Jdcpcf32.exe	85
PID 4016 wrote to memory of 4208	4016	Jdcpcf32.exe	85
PID 4208 wrote to memory of 4808	4208	Jfaloa32.exe	86
PID 4208 wrote to memory of 4808	4208	Jfaloa32.exe	86
PID 4208 wrote to memory of 4808	4208	Jfaloa32.exe	86
PID 4808 wrote to memory of 2092	4808	Jiphkm32.exe	87
PID 4808 wrote to memory of 2092	4808	Jiphkm32.exe	87
PID 4808 wrote to memory of 2092	4808	Jiphkm32.exe	87
PID 2092 wrote to memory of 2876	2092	Jdemhe32.exe	88
PID 2092 wrote to memory of 2876	2092	Jdemhe32.exe	88
PID 2092 wrote to memory of 2876	2092	Jdemhe32.exe	88
PID 2876 wrote to memory of 2124	2876	Jfdida32.exe	90
PID 2876 wrote to memory of 2124	2876	Jfdida32.exe	90
PID 2876 wrote to memory of 2124	2876	Jfdida32.exe	90
PID 2124 wrote to memory of 1948	2124	Jmnaakne.exe	91
PID 2124 wrote to memory of 1948	2124	Jmnaakne.exe	91
PID 2124 wrote to memory of 1948	2124	Jmnaakne.exe	91
PID 1948 wrote to memory of 2868	1948	Jplmmfmi.exe	92
PID 1948 wrote to memory of 2868	1948	Jplmmfmi.exe	92
PID 1948 wrote to memory of 2868	1948	Jplmmfmi.exe	92
PID 2868 wrote to memory of 4920	2868	Jjbako32.exe	94
PID 2868 wrote to memory of 4920	2868	Jjbako32.exe	94
PID 2868 wrote to memory of 4920	2868	Jjbako32.exe	94
PID 4920 wrote to memory of 3740	4920	Jmpngk32.exe	95
PID 4920 wrote to memory of 3740	4920	Jmpngk32.exe	95
PID 4920 wrote to memory of 3740	4920	Jmpngk32.exe	95
PID 3740 wrote to memory of 2880	3740	Jaljgidl.exe	96
PID 3740 wrote to memory of 2880	3740	Jaljgidl.exe	96
PID 3740 wrote to memory of 2880	3740	Jaljgidl.exe	96
PID 2880 wrote to memory of 3964	2880	Jfhbppbc.exe	97
PID 2880 wrote to memory of 3964	2880	Jfhbppbc.exe	97
PID 2880 wrote to memory of 3964	2880	Jfhbppbc.exe	97
PID 3964 wrote to memory of 4800	3964	Jangmibi.exe	99
PID 3964 wrote to memory of 4800	3964	Jangmibi.exe	99
PID 3964 wrote to memory of 4800	3964	Jangmibi.exe	99
PID 4800 wrote to memory of 2104	4800	Jdmcidam.exe	100
PID 4800 wrote to memory of 2104	4800	Jdmcidam.exe	100
PID 4800 wrote to memory of 2104	4800	Jdmcidam.exe	100
PID 2104 wrote to memory of 3620	2104	Jfkoeppq.exe	101
PID 2104 wrote to memory of 3620	2104	Jfkoeppq.exe	101
PID 2104 wrote to memory of 3620	2104	Jfkoeppq.exe	101
PID 3620 wrote to memory of 3112	3620	Jiikak32.exe	102
PID 3620 wrote to memory of 3112	3620	Jiikak32.exe	102
PID 3620 wrote to memory of 3112	3620	Jiikak32.exe	102
PID 3112 wrote to memory of 3104	3112	Kaqcbi32.exe	103
PID 3112 wrote to memory of 3104	3112	Kaqcbi32.exe	103
PID 3112 wrote to memory of 3104	3112	Kaqcbi32.exe	103
PID 3104 wrote to memory of 3248	3104	Kbapjafe.exe	104
PID 3104 wrote to memory of 3248	3104	Kbapjafe.exe	104
PID 3104 wrote to memory of 3248	3104	Kbapjafe.exe	104
PID 3248 wrote to memory of 3400	3248	Kmgdgjek.exe	105
PID 3248 wrote to memory of 3400	3248	Kmgdgjek.exe	105
PID 3248 wrote to memory of 3400	3248	Kmgdgjek.exe	105
PID 3400 wrote to memory of 3504	3400	Kdaldd32.exe	106
PID 3400 wrote to memory of 3504	3400	Kdaldd32.exe	106
PID 3400 wrote to memory of 3504	3400	Kdaldd32.exe	106
PID 3504 wrote to memory of 3660	3504	Kgphpo32.exe	107

C:\Users\Admin\AppData\Local\Temp\166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe
"C:\Users\Admin\AppData\Local\Temp\166cfa48927836f37f5b729437877f743772f39400444c88b5c0e59d85442d79.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\Iinlemia.exe
  C:\Windows\system32\Iinlemia.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Jdcpcf32.exe
    C:\Windows\system32\Jdcpcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\Jfaloa32.exe
      C:\Windows\system32\Jfaloa32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        40⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        71⤵
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        73⤵
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3344
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 412
        79⤵
        Program crash
        
        PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iinlemia.exe

Filesize
109KB

MD5
9fe5e9502af3e6351dc968d485907fc6

SHA1
bcd75e9c6947a7ca5edc41b097ba98ca4b2135f5

SHA256
87c604991f8bf8cccb801735d0783bef1ca35a66009321a29f7ef77cf1d348f5

SHA512
f0c0839be411f67fbc939775edcbff6d5dcaed1e89c5d4c5c729bc0cc4bb30869230e64700a04f6dbe17e04b223d986760891df8e238e1282e470339959fe6c3

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
109KB

MD5
b60649aae64c54d95709d3769915d2f1

SHA1
4e6ae068cd1f43dfac728bbee17590c33959ec48

SHA256
6fa9b3bb68ce7358763fe651bad39e9effae671114d92f227e8ce76e28828eb3

SHA512
68ac149f906be96d52336aba20fd8676ca03da07a3be37bc8aea7c6d1870901871967ba0a3855791e46bee4da401979a3369726918f122055c137052b5564097

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
109KB

MD5
4b3a6c246cd2efaa3a8dc6d53a075541

SHA1
58f451c1332353731a8390fab76635de78522370

SHA256
9d6bc7205bc76d289a4f7e5b338cb3b988868fd15df3f77901e59fe80b52dfe9

SHA512
3aee7d0aebba5df79f0f8db61a11ff23f5d9398fce62efad5b71bc463236cac6c5263ae4391b90ad0931e7afd31171e6a5084d2f482298911b3a257bb1e6714e

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
109KB

MD5
f94b470a0614511ab6b50118872cf078

SHA1
7a09d6b4f284d23bb9f673741fe40352f160fea5

SHA256
84fdf6db119639e21f3852a345789f7b5061d718c4c851260161faee432b6947

SHA512
19b53d78632830b33408b2a9a09ab4642ebea6079e7d603d8b5dca507a088def83162d41c2f01ed15c7236502d0e00248cdc83880573e9696f659cfd161f0795

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
109KB

MD5
e9d4b67656fa50851dc56b11e6dff568

SHA1
6a80d10b14f9a433fd8f94eab5d1f4e07fe312a0

SHA256
e891ce3e7f42c9c304313ec9d7bfa6b92d943cd3dcc87e6cf30ce16284d1d6d0

SHA512
0c690dc4250d1dc9d666d8bd7d1e3758765b132e61fda30bc3750223bb1add7833cafef10767b99fb1b6658e5ffd12a780363e6deccb60bfaf9f998a5d71e0af

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
109KB

MD5
71eddec42e1f1a9ab93ba9685562467d

SHA1
d63edc35cceea97212100b1b690b58c338ade0ac

SHA256
ee7c7fb84a17ec2922dad55e190facabcd2f851dd3754144180e82d7f6498849

SHA512
b2017655babba881eb4e3f84564fc2f163669b365ae35682ce1b02d93ea4d455a957c72694a68658b820152068eb1abef05f4096ccabebab4add1fcabeca7618

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
109KB

MD5
937626d48aff2011ad0fa2f5b81b8f58

SHA1
7ecdb22a22c9e7c0902b21c2da0eee58a070460f

SHA256
f8a6ea7aa5edda879fa1b7a7476dab254fa2804d4edf6ec0d88dfa5304c5bd9c

SHA512
e987838048eacb58e669539bb8ca44d073216c361a200710b26ca37e02f6e8038c1ecf4cd54e3aaf9e772d9a2b3c846697c95f597e4ab0da4610fd0a129eb0c3

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
109KB

MD5
c4cb3a654868d911e7144fd0471298cf

SHA1
bdafd18969417cab5f3afc1eb50fb5533ac226f5

SHA256
5e9ab960433a1911f919c79275c8718fc95af3e9d721077c606ed69eacfbc9dc

SHA512
ca52650613a21bc0b83469b9b517ec0abeeb6604ee857c618529e1328621ca19868d63f24123831701adefc94db52c8b904932ccc71bad1820565e1acfd68309

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
109KB

MD5
659f4053b22bc34ef3f299bdb7c365c4

SHA1
5e0715129595ff9bdbf574c86f7119edf7de030e

SHA256
d2d5df6e9e59b621256a1bebf2f79c107e4c8925a271cc31ee2908990770d55b

SHA512
a46e5225aad20ff01eafc43cce839394978abee404f44c5d5fe4554faebb053d69ec336c943d9c7910cc8c04a18558b26bb538221e6c2babd1d91d5097ec7374

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
109KB

MD5
68c4d90c21e3373973b22b43071f608b

SHA1
d2a8a47aaa8ab072f8369e09f560372253997b2d

SHA256
f46905dd6e096cfcca9d00e77d153f24d4e9ad505bba033e092ad04921ecbfde

SHA512
71c780c7ae7480c4a121019b0f7b58d37a26f3d2e565d4ece8f6bdd6e3e9629ee59c6f3c73f7b496ef916e69e9bdb294967e15f03dc5f64074a46f7cfea0f851

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
109KB

MD5
da0bc222f3515f51efa0a26abc6b3004

SHA1
163ef7e6565eac8434f10067a4a427a1fc4245e4

SHA256
63bba24fe872d023a032f914665a9ccfd7dfe7c8bc502bce93be82c8d84f5f8d

SHA512
6c0277bfeb7d7822276b341d0f1edda8aa9f5e14bda0cd76f0267238a0f8ae19bbaa9c2fc488ec4917ab1d0f6b82fca1fc5c80640d5f180f6fb5c16ba5678590

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
109KB

MD5
6c4286ba2a99087bffb3ccfdc2a74d21

SHA1
3063a565a9460b32fba91a6576dac32abd36e464

SHA256
7b34f7b9ddacd7e1f22029657414670f89d01a75eeeac74962a6ceb7054ca2a0

SHA512
7edde15864f82d8e230c5056eac52e665025e91a74563ce9bc05979f714504f8f75098fa1224bec3b84e1de2edf94a79cea4855728c6ac40ac78dcefcd2e075b

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
109KB

MD5
ef7abac9eecb9aed039398bace279831

SHA1
ca9a4c4b3574c6f396fc572d7d39e1cbb6225ecf

SHA256
e5e899c360984024e374bc4711241fc2fa0eb55c486260928447def9bc777407

SHA512
70198c831ea4be6754f0bd36378837f08a3f583f7c09878b6656e906567c3cba5f649ace602a8c8bd24b05650c6616b93fefee9582467a90f35382c9241709d6

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
109KB

MD5
a5f393ee6ae11bbb64b91d04997f4c4c

SHA1
6cc9ca41bbb80db16c84c2159d4bde66bcbade61

SHA256
4ea654491b882e7536599deac9d2e9fe7d21e53d33f2d8485b3824f9564e25cf

SHA512
c5894e0195451254ec06d1b7a59e74bd1cf01dbcdb3af0c960567530026477e009521e182ecf686fab0930a35987de8dfe2a6ea299d6963801ebdeeb64429531

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
109KB

MD5
ebe7ce96c2accfa75116d74eef4e174c

SHA1
fdf51fe72b2555c683df7722073745848b34eb93

SHA256
2ad66e340f2c9fa6ecfc4f2c2d4e39c4509b77e5f0048359823676ac4c30bca2

SHA512
cd926667c2cd1e53eea26b89f92ebeed604b4ccc3f5a3bbe4c6ceba4c40e449423a84595764ee94938cfaf349e8047654e6151501131537cd59f39400b5e3516

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
109KB

MD5
90c8fd53320c50aa2c885296c0b83d85

SHA1
a861b035e1f510eef477f22481343e0da62a7414

SHA256
16fece783ff0fd6c86d59163276f01c2930e7fbbde86e150e6479a67640f6426

SHA512
1d42043c49386869630bd8dc417ae5b1792a074eab40c6c4a8a4068af8e9a9b1428f48370fc9695408b423f86e77e1067b5bbf8b20a87ade6c5d4072822cd629

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
109KB

MD5
f698eec007a7c6de2c215e7b82bbb9b0

SHA1
bdda18c41f311550efd63ad28d83779983cd0c7d

SHA256
a2ec25146ae34222abe63e20f597e2ebd73177ccbe4bd2af21c8f9ccbe8fdd4e

SHA512
4a1df9c4b3d6844404024dd13eadd3b094dde48ba36ddcc70a6c30207ca588b40ea06e3c9ee1bb7ad6ac66cf900d823018761d56c455fb9ad8830b4031fc4c3e

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
109KB

MD5
27e5f9509972aaa8d0b188a3d5e76f4f

SHA1
52530abbeddb3c5bdf280b47c2e8acc165b905ef

SHA256
40a6975a9c9d6f5e9b8ad007b925d5c8d84b1a9f335b9cd46a1934e79b2d873f

SHA512
bd5ce94e08aebd67da14ddee7419871e7addeb14dd1b44ca5203a52bfeea1471116202f275926fb280eed57a5e3bb3164c18a74d1ec2d2fd35743608a54e953f

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
109KB

MD5
98af16347bc625f5e86a4dded3303d17

SHA1
43b8a8a37ec8314d3e9bcc06421a92ca5a7763da

SHA256
f631f716cf65e2f0ea4faa357d01672aa59b17ebc71a8345d7de31d02d59c870

SHA512
03d06271e02a722cfe49e2f8f6fae7608ddd2c233b0c6f5f0746c7600764fece6f26018dbaed9be595c40104a849d9384d8f6d8a929390487697d00efdc7bb60

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
109KB

MD5
4c2fd5c11fb39ee5615f88dd6097785c

SHA1
8e2c0d84ecce76606300d5892e90c833271939b7

SHA256
e9cc12c6af34e1254486d48474022ca55ce43d53e3256a189bb703cb8834f420

SHA512
c7623624bc07de632a3b95506d8cee44f1f69072a79531ffacbeb204bff65aac25f009ee79c3cc09f3c28065f968c1e04c46b7ec7fe2903fc8b7287cca1dbdf1

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
109KB

MD5
b31f599d8b40c82db60b90033d197022

SHA1
768c0dcbb9d985838fac7c20f4ee932e5b282f69

SHA256
77d50a2b34571131675215adc9b8e21f8a00705416c3a9e2eabb68009fdc6b56

SHA512
c3d5238255fa4e7f290f1760308073b24aeb03ab49438a7bff355b86983c10b2a63f3d834e81b77a7e446285294463b75cd10fe4298cc3a26ad4c48c3a9cfb06

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
109KB

MD5
cd8b75035d8e6eab9cb096963e042689

SHA1
9a6ba6c9f3d9c22a98db6b612ff7688e3049f043

SHA256
7e361d044986fe8ab4ac152b04ee828d8cd15b0b99254596fb0a563389e2041e

SHA512
941c3411b941fe433b28aa3b445d56c4bac6201937bddfd4c9877c3ec3501dc8db3d25f19908142e681726cf242d8ac351b13281fb20c39d9f1221e9572de6a2

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
109KB

MD5
71e29aa7fc82e4d7d5c0a1c2e7e2acfa

SHA1
98a869e1a5c0a304ac561f2fb1d7852f16f0594f

SHA256
7ec4d58275e9d12e08588a49e10f9ca2fc53f7c6edfb8deee0487190335a5692

SHA512
2c0dbc4dcddea1cb5f21a5f44a3902ba7af8bc43f2c45ca8201f54d56d76f58ce816ee8a3ca5d9206cce033dce699d9f66bdc12a810d5d6f07e6a086549735d2

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
109KB

MD5
fec427c41e81a5e787ae337b8e98b656

SHA1
abe71cd4d9cf977cb1c6420127e51011e766f0dc

SHA256
7be8156a4a8a726a8fdefa5be5528ef8d4fbba29472f7223384047efc3b4231a

SHA512
27e51ecf1bd9fe4b6834fe933a9174c555c54f4a8555ce5f4cf6443b6be2541175afb462d7eab993c628cc4c57f9f4f99c23282c9cf8961b8edfdbb2f476749c

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
109KB

MD5
46df679272ac0c88d56e6eabd2962769

SHA1
28bdab99ed344fde823ef2bdfd417b154aa5dd6f

SHA256
0133aa49eda0be8b82ae199d1eb134e8666b8b462a5ba799c25d4161fe16637d

SHA512
a4be4c20f17395509befd08659315df077b19603a49672d58b6c8ef3390f67976aa4caa918d9d6bbc69c9a6e6c22d50f00bf17f828c95c8dd72e72acce720e50

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
109KB

MD5
8253c43698ab88442a8b560347554d34

SHA1
d3a1912e172c8fbaf9e113b193dbcdddd94f64fc

SHA256
3988e5284c04a7474b60fdd79ffd7d83f116155ef46898769031eda81b92c46c

SHA512
af9a6fe6967f821ee57ff020d98ed545279a9df7de11fb8a851f2b4db90edce33b5c5a71b5642b082dc89193b86216e67d39b2f3eaa012e958aa0bd40832db92

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
109KB

MD5
a5a710dacad8d0a5798881a152cd9021

SHA1
a42e2b75cbb2cea90bf30daac7e43993049d37bb

SHA256
305f5a0dad33826ef5ee2fc9c35806ff5d9f6dcb345167c8c9a779adaaf22616

SHA512
e4785b316f9c08b14e073f4aaa70ba03921eb79a223f25d692fa33f906b31499448142ee26fceae2c99843ba30ddce0d0c7a0061c73260b3fb3bd8528b7951c7

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
109KB

MD5
4a687c62f9954b1680c1febb0c666023

SHA1
a15a801b2f9cbc605a812e2d496b50d4e0cb48aa

SHA256
438a7a57e995da47ec0405131fadf84208bb4f0d80e62ad60c3551304a2f8d7d

SHA512
81c3388dc286a398805d7a368c86688477381c25f5f2074567f9fb17d00e009272b05df71ef4e834eee81f43b54b74958427568ef78ef37941667769ca4b2f9d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
109KB

MD5
4dc37ee74dc382168f996dabf28412b9

SHA1
977925ebd0671f94d715a19fe3ba9396b6a14756

SHA256
b652720b68953a1bd3f9ff18f71faf024019622e9eecd6dcfef7e09517e928bd

SHA512
13550627c7fe080c8322f7fc700034945e850bf467e56c1fc40d3f1c1bfd2f84329ef1a8b4f104bda250c374123f4c537f6719589adba3e021dcf48366016ae7

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
109KB

MD5
f3cea68939067478da1d9d128d559b6d

SHA1
d47a20be197ff605a8198f00dee3116da45a24e8

SHA256
cbaebd6c3fc1e4e15653cd0a81009c4d481c5dd17651cf653939d5bc6c223d9a

SHA512
95dfbf5b5863f2b6640de53979d23516afce4713a5c09b38362a28ac8f0f059220f9b83587cf5e3759953c14d035a60d903d1345086fb3b2c093f7e116d8865c

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
109KB

MD5
73b204270c69e93e5f760e61bd71126a

SHA1
086552dc04e9f2744c6fa45f971c47d4e0d7866e

SHA256
f5eca77d006b0fc8426363ff5ba8139b6a7c83fd83a7e59b6a39e116e21fa0ef

SHA512
00db0440bdedad8e1d86c6ff60664f274d4abfc85a24a8f53b4c3beb4dd21ff7e3fb76363233b273aeaac0d64b35de1b98374b34eb0a375723493dcd29f9b1a6

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
109KB

MD5
5d81f5310d1670e45e69b690d512b600

SHA1
cdb9bf7b276d587058d6b390baeef29562f8d269

SHA256
9aaf039dd1dfa054a154a7ac7f900127d2569fcb470af61920fb02681eb060cf

SHA512
7a255453bf618224981c67451551acce1a4fda28cee07a1526f205e005b810dc576c4f863d0451969080a17046464b8550e8ec4136b390fbd1278d9bae48a66d

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
109KB

MD5
85cf88aa81f0e679aa1d9043e04ac1b0

SHA1
05dbbfe2faaee7bcefe318d200ae66a47d25adba

SHA256
743a73e8612baf8732a0fa10b631e01f114dc1c8b0fb0ffb516706815da627da

SHA512
b7a232d6bfb673a1537d4e022b81b55f190df3a16ce34c69decad484c7fdc27cb4c12877ee6c308a33cf0024aeb7e1ad2e4a2ff0b430a221cdd95caa3ced1821

Download Submit
C:\Windows\SysWOW64\Mjlcankg.dll

Filesize
7KB

MD5
53c746647847ddeb33a3a1fc94bca1e8

SHA1
0c29d220712b42a9afcd015bef62e74da28ba38b

SHA256
4fbdfa23bd2bee3f1bdb73094943bc09dee6d9d4116d43e599c3de5b5f5991fe

SHA512
62ded97eed6e81aa7815423bfa42ea2c5a7c8028d1bb23100a6d26e920a0a4f1fbb1ce5c42672a5565d5e17e0b970ca626e98d002e538f1a6fcf950b232dfc40

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
109KB

MD5
b3f09abcdb47732e4e2786e3ab06f64c

SHA1
aad76dc43f0c7776eee74c09d823df48b0b5bf7a

SHA256
33c586ce14a79ae9457119a9ff5fea4489391438ae3746046ac5adf2132cb822

SHA512
3e8661b9bb186ce0bc5e62d9e52bae275edd72d140aadc7e24038a2d528b4209e6db751c60752fe54f4e60531df65f1c6e346c23556e9e2001c90f7a9cbf703e

Download Submit
memory/336-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2248-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2248-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-202-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3248-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3248-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3272-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3272-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3660-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3660-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3884-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3884-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3900-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3900-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3964-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4016-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4844-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4844-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads