1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7

Analysis

max time kernel
141s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
Size

224KB
MD5

79721ec065cb10fbd1a60402e4b26782
SHA1

4b50cffe0d1ac2b9ad497a5ad49b2a797b750be8
SHA256

1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7
SHA512

30969aaa70c7a0d779620e895c94d7068d00d2cb33682cf7227444e7a111ec7863c3bef6e0ee5913d4b02339bde4a3490cff8103b7ce66aecc59ee3526bcef1e
SSDEEP

6144:NTm0850/oE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:985waAD6RrI1+lDML

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe

Executes dropped EXE 64 IoCs

pid	Process
2848	Iabgaklg.exe
1612	Ifopiajn.exe
1392	Iinlemia.exe
1832	Jaedgjjd.exe
4732	Jjmhppqd.exe
3548	Jpjqhgol.exe
4292	Jfdida32.exe
1672	Jjpeepnb.exe
3884	Jfffjqdf.exe
4620	Jaljgidl.exe
2644	Jdjfcecp.exe
3124	Jmbklj32.exe
3836	Jbocea32.exe
5040	Jiikak32.exe
964	Kaqcbi32.exe
732	Kbapjafe.exe
2436	Kkihknfg.exe
1048	Kbdmpqcb.exe
4240	Kkkdan32.exe
2260	Kphmie32.exe
1504	Kmlnbi32.exe
4376	Kcifkp32.exe
2936	Kkpnlm32.exe
3592	Kajfig32.exe
4044	Kckbqpnj.exe
992	Kkbkamnl.exe
452	Lalcng32.exe
4848	Lgikfn32.exe
4156	Liggbi32.exe
4400	Lkgdml32.exe
1228	Laalifad.exe
904	Lgneampk.exe
4472	Laciofpa.exe
652	Lgpagm32.exe
1428	Lnjjdgee.exe
5084	Lddbqa32.exe
3852	Lgbnmm32.exe
2264	Mnlfigcc.exe
4808	Mdfofakp.exe
2988	Mnocof32.exe
628	Mpmokb32.exe
1396	Mcklgm32.exe
4308	Mkbchk32.exe
1324	Mnapdf32.exe
3156	Mamleegg.exe
4688	Mcnhmm32.exe
3992	Mgidml32.exe
840	Mjhqjg32.exe
3140	Maohkd32.exe
1144	Mpaifalo.exe
1772	Mcpebmkb.exe
3668	Mglack32.exe
4268	Mjjmog32.exe
4500	Maaepd32.exe
4584	Mdpalp32.exe
1520	Mgnnhk32.exe
1512	Njljefql.exe
2088	Nacbfdao.exe
1292	Nceonl32.exe
1160	Nklfoi32.exe
3968	Nnjbke32.exe
4416	Nqiogp32.exe
4632	Ngcgcjnc.exe
3480	Njacpf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	1596	WerFault.exe	159

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2848	3212	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe	85
PID 3212 wrote to memory of 2848	3212	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe	85
PID 3212 wrote to memory of 2848	3212	1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe	85
PID 2848 wrote to memory of 1612	2848	Iabgaklg.exe	86
PID 2848 wrote to memory of 1612	2848	Iabgaklg.exe	86
PID 2848 wrote to memory of 1612	2848	Iabgaklg.exe	86
PID 1612 wrote to memory of 1392	1612	Ifopiajn.exe	87
PID 1612 wrote to memory of 1392	1612	Ifopiajn.exe	87
PID 1612 wrote to memory of 1392	1612	Ifopiajn.exe	87
PID 1392 wrote to memory of 1832	1392	Iinlemia.exe	88
PID 1392 wrote to memory of 1832	1392	Iinlemia.exe	88
PID 1392 wrote to memory of 1832	1392	Iinlemia.exe	88
PID 1832 wrote to memory of 4732	1832	Jaedgjjd.exe	89
PID 1832 wrote to memory of 4732	1832	Jaedgjjd.exe	89
PID 1832 wrote to memory of 4732	1832	Jaedgjjd.exe	89
PID 4732 wrote to memory of 3548	4732	Jjmhppqd.exe	90
PID 4732 wrote to memory of 3548	4732	Jjmhppqd.exe	90
PID 4732 wrote to memory of 3548	4732	Jjmhppqd.exe	90
PID 3548 wrote to memory of 4292	3548	Jpjqhgol.exe	91
PID 3548 wrote to memory of 4292	3548	Jpjqhgol.exe	91
PID 3548 wrote to memory of 4292	3548	Jpjqhgol.exe	91
PID 4292 wrote to memory of 1672	4292	Jfdida32.exe	92
PID 4292 wrote to memory of 1672	4292	Jfdida32.exe	92
PID 4292 wrote to memory of 1672	4292	Jfdida32.exe	92
PID 1672 wrote to memory of 3884	1672	Jjpeepnb.exe	94
PID 1672 wrote to memory of 3884	1672	Jjpeepnb.exe	94
PID 1672 wrote to memory of 3884	1672	Jjpeepnb.exe	94
PID 3884 wrote to memory of 4620	3884	Jfffjqdf.exe	95
PID 3884 wrote to memory of 4620	3884	Jfffjqdf.exe	95
PID 3884 wrote to memory of 4620	3884	Jfffjqdf.exe	95
PID 4620 wrote to memory of 2644	4620	Jaljgidl.exe	96
PID 4620 wrote to memory of 2644	4620	Jaljgidl.exe	96
PID 4620 wrote to memory of 2644	4620	Jaljgidl.exe	96
PID 2644 wrote to memory of 3124	2644	Jdjfcecp.exe	97
PID 2644 wrote to memory of 3124	2644	Jdjfcecp.exe	97
PID 2644 wrote to memory of 3124	2644	Jdjfcecp.exe	97
PID 3124 wrote to memory of 3836	3124	Jmbklj32.exe	98
PID 3124 wrote to memory of 3836	3124	Jmbklj32.exe	98
PID 3124 wrote to memory of 3836	3124	Jmbklj32.exe	98
PID 3836 wrote to memory of 5040	3836	Jbocea32.exe	100
PID 3836 wrote to memory of 5040	3836	Jbocea32.exe	100
PID 3836 wrote to memory of 5040	3836	Jbocea32.exe	100
PID 5040 wrote to memory of 964	5040	Jiikak32.exe	101
PID 5040 wrote to memory of 964	5040	Jiikak32.exe	101
PID 5040 wrote to memory of 964	5040	Jiikak32.exe	101
PID 964 wrote to memory of 732	964	Kaqcbi32.exe	102
PID 964 wrote to memory of 732	964	Kaqcbi32.exe	102
PID 964 wrote to memory of 732	964	Kaqcbi32.exe	102
PID 732 wrote to memory of 2436	732	Kbapjafe.exe	103
PID 732 wrote to memory of 2436	732	Kbapjafe.exe	103
PID 732 wrote to memory of 2436	732	Kbapjafe.exe	103
PID 2436 wrote to memory of 1048	2436	Kkihknfg.exe	104
PID 2436 wrote to memory of 1048	2436	Kkihknfg.exe	104
PID 2436 wrote to memory of 1048	2436	Kkihknfg.exe	104
PID 1048 wrote to memory of 4240	1048	Kbdmpqcb.exe	105
PID 1048 wrote to memory of 4240	1048	Kbdmpqcb.exe	105
PID 1048 wrote to memory of 4240	1048	Kbdmpqcb.exe	105
PID 4240 wrote to memory of 2260	4240	Kkkdan32.exe	106
PID 4240 wrote to memory of 2260	4240	Kkkdan32.exe	106
PID 4240 wrote to memory of 2260	4240	Kkkdan32.exe	106
PID 2260 wrote to memory of 1504	2260	Kphmie32.exe	107
PID 2260 wrote to memory of 1504	2260	Kphmie32.exe	107
PID 2260 wrote to memory of 1504	2260	Kphmie32.exe	107
PID 1504 wrote to memory of 4376	1504	Kmlnbi32.exe	108

C:\Users\Admin\AppData\Local\Temp\1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe
"C:\Users\Admin\AppData\Local\Temp\1796bab65f960b327e882efb6d6ac969b7c59484abac58cdac37ac7d8adcd7c7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\Iabgaklg.exe
  C:\Windows\system32\Iabgaklg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Ifopiajn.exe
    C:\Windows\system32\Ifopiajn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\Iinlemia.exe
      C:\Windows\system32\Iinlemia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2492
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        71⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 416
        72⤵
        Program crash
        
        PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1596 -ip 1596
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hjobcj32.dll

Filesize
7KB

MD5
4e6525641cf319c76e944e2a3cf4830c

SHA1
991827f816d2f7fa0513871120ee78b16d5ee64a

SHA256
1bec7c3f24378351b2d0feb99237fa24ac567ded5e066459a0aaafd7599a0548

SHA512
4dd52334976b7fa6e0f78eaa572b05f5a1dcaa7b55589c04b9277ecbcd7faaffea75a296ff8305b1d0fb6bcca34a8f99917fe3ddf6aa7d87d4f03e27d1f6f752

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
224KB

MD5
543a156a1d3232c2077d8741811c6158

SHA1
e9f9512970de3b0615d680a76b60d829cd6ff765

SHA256
ceec05b2956076e23ee18a44226e371739e49ec3677b718259bcd2d951d31147

SHA512
1b04ccbcc34831a6c2f7e8f57faeb0eb5327008f0a0ca52a2bc29af5802003b182493d234dcaf3d0614bc389d9eefe5035a4fd6d0e487bc4b6a9878852887f5f

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
224KB

MD5
6ea4b5d2ddafc11d0efe32c13dd8cef3

SHA1
b974772fdfc33f9e1aee08760d137c9271af4585

SHA256
8646671ef96f857c646e2bac0ff17ee7f9c68eadbd85f8085420a21ec1433c36

SHA512
a8269fa160ad4e6e3dbc02d134cdacf6186b55541d3a3f71a4b93ea594a7c320bd8da6359843fdcb51d69b708a788ef64e9be39bc3b288fd5eb838e966968300

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
224KB

MD5
5d20c4b391d3da15388be24799c4cfed

SHA1
937d987ad6c482f47010875319d28bb7e9eeb64f

SHA256
7482a34128f2ca601cd8aa64768d23ff0138c7698b8edee1855c16de50eb1778

SHA512
e7e91daeb673173038f348d5adffb7636b47ecb50b6b3103f61dc21e4607680b56813dd306fd26cdad943c8fb291b301a7920c7c1961614e815b0b122dda2f97

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
224KB

MD5
697216e849845b57a4ec62109651a875

SHA1
52e452e8ec48512386c9e844bb501136e889400f

SHA256
3c5748c4077082c9cd12026540588d3d3c368a75efc144d3d7720fb9ad9e7df7

SHA512
f161663d3d379fee84f7e3f5ff98e952caf0d7c148d9d49bdf19289bc648e65cf462a9dd0197ff254c99585853c7ec7e102315f6805e22e04bd10c7d77dcccb2

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
224KB

MD5
9b485e829698507239ce13f24f3f1216

SHA1
b5bb41c9c9e19fb075bedcb6b6723003d375e610

SHA256
9937330154ce9aeb7bc9465e4252280ed5c95c9774b4605b92aa5d1e9160f5ca

SHA512
be527e7e4b754d4f30784ff9d153eed27993c935fcb7bbe26c59b49842d78bf103214364fc665aa467ab68f7689e0f04d45ccab7a6a50060f6ab113cf1434e38

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
224KB

MD5
d8e5f6d8cb123a6d38894971c332069c

SHA1
a1c537ebf8bea2981a983d72f70d4c818809b917

SHA256
41d8370cd46679ac8180ad71659c26f33d7c39ace1b7b3fbefdeab8a0cddf9a6

SHA512
b02bdc0fefc70104d286e25350bc6b184d17cc73f5820e9fb82e43700e48ead90d88692b60efc7a3f62e8cb35fa2407608dac23696e24af3aee1ba470be1ec83

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
224KB

MD5
82c6ea257b77cb8577bcd1d232dd5254

SHA1
c068eae8e12492fe905c0d169cd514f3d80c947e

SHA256
e0c2c7ea15ca97a777c5dc5b70876b064d749a0b9baf3ef963a3c73213c67feb

SHA512
e3c5a41640ea9b25d815e97e9a449e7625d6a6ca2cc99ac64042096feef289f2321429d11e20958650e7a3c32363980cec3a7adacbf20b6f809079de2e96f40b

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
224KB

MD5
7d7056212ef42f5edd13c0480e9ab16a

SHA1
10540bd842e8721e98a447ac72873acd2b9c832a

SHA256
fcec960b8b98419f9774304e18c4a99a6e6d2cb768741a251a6e41e97446daa5

SHA512
50da2ac82289f35f906edef016aa4c55714ffaf037e762a42cced0a669911ac9cba088fb3bf8e82145a7e8a590f24b91d62c2b622978eef6988e2d16696dac36

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
224KB

MD5
4fde2846ffd0ce386dcd80a67d1fbafb

SHA1
8429dfcddf59a82bd27bcb0a12bbb59a31037051

SHA256
e69ff94614936214e647c339ab21a848d4f338bba018d47406f57496de5caac3

SHA512
a9617547365e6b4d4a36e25b5105969f6f02c8d7d1c7549919adca3eede368ddec2d47e406e797b6745dfbe06d0a9d203cd89d51967d59ea24b4b441e4ceb1c1

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
224KB

MD5
307e8a1d7ae64b74674dfb98cab53d53

SHA1
7568947e6c24a497fb56f189b469bf05d1a07b17

SHA256
bfd5570b681ab0f628e49a9eb93c8d52452a079b4a70636f268fc37e5373b474

SHA512
72861545fe151042e71e05348ae9c8fdd67566799b7927af970ddef44c28d1cd40814dd4e3174d975cc617e7dda50050fb8037b2c20c46d703753ff4ae9dedc2

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
224KB

MD5
b6b4cce0e79084bab1758a94ea78852c

SHA1
4087894270506b22657a5730ded2f0d5b69dfdda

SHA256
1345848d794492568a659db4f851894c2cf8a193c87942fa4b0a9c38bca1a098

SHA512
ce50b900a3809809880017c5b85570e8819f6e24725c0bbcb900499091745abc68640899814e1e57cfcaecb72c5e1c4bbed70772b498154409763f9e391bb90d

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
224KB

MD5
ddec48a4fcef174137ab8497905e60e0

SHA1
d34a43e3c4b6441ea9772ee1e82e09fd90815132

SHA256
96ac1450782c90c279dcd0266ba8ddbe0c1b8d7214f87df2d39d2fbd285896c1

SHA512
fbb34d4343b9eb9e9fa9c45362a6553d4f3455b43d73514d22f0d9a68b108c45f1c8ee1e4641859922c5fe22db04599bd028911fdf20ba6523a2c0886cdbadb7

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
224KB

MD5
af00abc56afe7ff6367088ee2e2eafbb

SHA1
d53bf38005c9f4e337c9d9aeb1353eee75a3e7ea

SHA256
ebdd9ee298eb9fbaea5c253ef2c125a224b106ca636bf09c3465fd551ff70e97

SHA512
68ab54f2a62c6940717720ed57deb01131ee9e2b1347b4a3108a0532176f0bff3d6dc234f4508339877b12cda0fdfc2cd8a27dfe479201be58ee482935363aec

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
224KB

MD5
22f45bc0f979c8cd9d87dba716928005

SHA1
57b22614f027f73d3b22a24a5703e3c48156d713

SHA256
19204c111bd611ce0545375e48c013f6aa3c08d5ddf2bb15513236f3406d2e3c

SHA512
4fe7a27a35b4fe15c8b7b384f72cfec9de9fb4acf7922e7ad8ce57bb482d584de57a59a65210921583b95760876da8c344bc6bc0cb2951f2cb69dff6e4cdaa16

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
224KB

MD5
3f2ace76f523b5ca9929ba11b67e1de4

SHA1
d7f78327ebe03746b4feb79fb26016a22a007aff

SHA256
5f936c832a5d89a2f1bffb5df06bebcd7a0b1837ac82c0d828dcba5ee508c675

SHA512
ecf37f3d47d03487cd0ef4b2289bb57573a1849293c58006f9b8a6b41398ce465cdc5084e674e0b6fef8aa0470d614ac33de92ef1412cfeda88861986c9a242a

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
224KB

MD5
62a5fa9a9bd040d963417768add12ed7

SHA1
5112da8b03527a5307855f07929ae3227c1cb481

SHA256
f9ab12c8a2adadbbbff22059ef816460f36fae159305a0b84d84d89279a0e5b0

SHA512
7ac1f18745dee11055130aabb890a52b363f809180b50a3dc29a47be6e96395fa93fb3b7f972f2c1aa5aae4928416f947e01781147cdd9616dcefe7e1bdb78d1

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
224KB

MD5
a218d7ecd68d365d976a2c286d0ec7f6

SHA1
d5103357da24c7c4aa46028b72000d82eb202056

SHA256
60538eb5d666e77be026a43b301d3279f560fa98c28d4979bc9fe9fe09ae3d53

SHA512
4b9e176969c77fe29256224355c18a1ae30a0571ff2741f631259574a412d87dbb81094406b4a43c2dd984912e9601b496adf6b3e56134bc71b8179906af8e15

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
224KB

MD5
8e777e945dfa2c2761606a7ad14954b3

SHA1
080c646bb12ccef669cfcd6e7052395907f8129e

SHA256
cc8d37f2ccd7042fd70c768018cfac5b28ee6625ad6885dfa5a67b1117196aa4

SHA512
3a1224b75bc3fa8b8318fcad3408104c21359ed35dc353b10c605689d720400ad022804bc2b0f88aded244b45d76b3a627d64db1824d221aeb36ade92b9d3103

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
224KB

MD5
dd2ca98d379e986bc06f944b6cbc21f3

SHA1
d42a62902cf8ef63ee4f2035a65d19b818132156

SHA256
144f52bd84a021af964e96b2c29e2fddcc11f46d8620116bbca1db2b4fb7cfbb

SHA512
9e41ab073f3a3e7f9fd2ddbafd24e9351638abffbc562bb210d29afd8fd92377ab7ac97c903e3c7c6541b57ce0c20366b2091853b3281e48ed35382ac7ca7587

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
224KB

MD5
90b8052fc0ebf9844eb44060b5506dfd

SHA1
af677c1dc618442a76c45941a72d28d00dfa8ee9

SHA256
1578848da41c74c97decdb18499c2ed497a5f50b991b443428779b4bffb33c80

SHA512
88c89478ff7c150ddfe87f2ff5f5f334a7950f2763110211c279383fa878f9d499d24f4719db21c299aa19e0db9471fb26d1f9e55b922e3a8eb33edf455656e7

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
224KB

MD5
c5c15109ce36d8ebc0710e4ace81b066

SHA1
d7e1ef07c424e64031140bcac85c1c2fab7fcdec

SHA256
aeab49278c94b8ecbf6572c542a30eec2165607bb4015e69c33dbc9b6ef26ae6

SHA512
a201daedd07f3a17771c200368f6ac28b21b79f8030ca5022973f8a1c5227bfe1fa722178065b24c1ff7de9594036c85b7dbeafab41cbe30c5886d8db27e3869

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
224KB

MD5
c2c096d8385651e7015bbdbafc9fd310

SHA1
28331a370c8ad512e3ab72eedd2fbe195b2ee68b

SHA256
20aa042966fc08650c99237e8b15bbd5c0afdad441b5b586cd85a7007c71e569

SHA512
08cfc4629f863fd81869a67a3efc61a3a9636d15b1bad1d6a3dc67d7cfbcefa7fd5fd229e025131b7c6a5cb65e9997f417d8c31d21a22320a0a66650e63fe744

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
224KB

MD5
f4f92a07aaf81c707548fa7003dadc96

SHA1
349af1f034ef8bf0210dc09ac4f09abcbad08c1b

SHA256
0834d323550fe3993f5b41a54af84d97eb788c8d88eaceef24150d8549a0b8fd

SHA512
265503161d967391935862c765e9de49f4360977cfbc7c11ae0fcfdfdc22a19064c41fe298081f4df6cd77bbd256e4f9004d883e9792654abd9c37f8b91a014e

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
224KB

MD5
df4b1107852ae2b44eadc02db0844d42

SHA1
919dc793db748382977bdd705b72287375fae1b7

SHA256
9367b3a34be68d10072288ff653b13603581640db3fecb4fe72af94b85d7c97b

SHA512
c80c10640d72ef02c3cda34e5072e5b57fee3a439deb425d66b8ac48a9a23e889a8927ee7d8a9b73726597c4cd3b6fcf26ca7e6c34e23c0eb41c44b1229a83d0

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
224KB

MD5
7d7afe17a83fb621716c1fd1283b2589

SHA1
e68159a63a69b8b3b80d7515fc695a76044941f8

SHA256
46e8bc1a6f3387cf2988ff2ee3c8cba856ba0a6b6acade008cd0a3d826acf9fb

SHA512
0d82c3e31b08ac18533c3eccbf4943f7e3b337651f17626b79400d146a3d3551e5d4688ad6652c532abbd7375c8f74001e1adeb6e834cb7279c00cb1bab7b1d5

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
224KB

MD5
2ae72d74024188987ee067548d785a8a

SHA1
9f5fad9cd55be9563a256ab95f15dbeec5f503ea

SHA256
a4a9e6df202443ef50ad5b69e6074f06f71557e9d91ebbf5ff94b5a883641905

SHA512
8c11c185a0ef996feccd62d2e6a687092c1fc881746ddd26a8daed866e2976bbd6982b8199b4da188554ef9813028f3dba7c69e2d2df7d0fe16088db368e0464

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
224KB

MD5
a57e1596d859d54e7e776120e9aa64c7

SHA1
459b6bce3e43b8c2907d98879c6c579d3faf4419

SHA256
80a74b2876306b8e03506cee066494b66d9c9ba65ab3f2d34ba2f4271c9b9a03

SHA512
76f49a6c2f97d6332a2c70a68ab96604f18828741044bd5aae2f265016810cc90bd92b33f0c9ff3dd85d5c57341b451abd7210a932254478e40e96ff05e8b4b9

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
224KB

MD5
16f3d1d1a53492ba0bc1334466e3fa8f

SHA1
74aad7338c5c0dac6093b86dc914724155929246

SHA256
87d8488a06f0358aa4f4a5e32d9e0ad42ebb7d7e752cec8c023df8ee9bfaadfb

SHA512
2fa710d37edbb2232b8544c7825163504a077d57582e0d8c6b68c96b56be74bcce16b07672c16d2dd69f367043401b5caf97afae8e6daf331ab73542def1d79f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
224KB

MD5
67a3efa40bba4ce43e5e3709539c371e

SHA1
c1c0d0544b262d85a6fb033c29602d92badea706

SHA256
9fd062fe2b0b6509e9b845ce8807111de13d1cac3fc5ad8d52446e4099946fa4

SHA512
bdce8f4e0cf2628e296aa5e70f8cde7a47bb97f63a9fc46e51a6d5bf8c9d99abe754e68814f8b3994f0db1681c5a440fae43128b404f1c9a0c86a360ccdcc961

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
224KB

MD5
52d7d2f7d8649714382064514477e8e9

SHA1
62e298e2f7107a21cbefcdc7eaa686111d3f9737

SHA256
4db746541109c97cf6d9bc0b78a7d9a406aa8bf42c80d4b4450dd94489443569

SHA512
23018df7e3e91e88cfdb6afd044846d314f6042c9a78b29cac8b5c03a49dbaadc86e27d13a7865ac2c75c649acd2566f271e329a1300608692440fb13af127db

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
224KB

MD5
0cffe445f080755dedaa97252d544a3c

SHA1
9bf9e3f0b245bd4e2b1cfdd8faa8e01f28a754c0

SHA256
e8cc597856a7c5f86d45ee3d42adfdcea1dd151dc7420108b0b3c0c369711c0b

SHA512
b7227b33d5dc1d8653b6cd5bc31cae4ede7886097a722742a0b6392d004509ca61c0c6088def3e810b1ee4d8fbf662877cfa6c3ce9725a6f15ba790a1bae3521

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
224KB

MD5
ba4aaf7f0b4ea84dafb405ed618ca8f6

SHA1
ff12ab82ccc7677c395d59ab2a7263a81fe05248

SHA256
b734a5ea37ace629a3893064a6185886d55f494785b798c5955a900cfa9444ca

SHA512
60e4b9dd534a80f1d688e71a7f95a86cbc1d0511672514190d171ca3824278b13e179ab82228ef7fcdea888a530aa6ffd6f21f4edfc73def17999c2dd9f1aad7

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
224KB

MD5
d047164fed28c60392d93f8b0015b462

SHA1
bc9c0b5207141896b73d0ee226714316fe2301d4

SHA256
73fb707d79500862813b5046aab65a541d22db5e45c9016801e4104b165e2860

SHA512
e489c8821f5bf7b0d4f5b79792f5cbcb8b7e29e4ee8acd0b8851024d831e13896632fdce9505f632945774509b0fdcb8e315538cca646e77da5d160b8f6b2e6b

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
224KB

MD5
0bb3efdc37a22f23b510621b69e407cc

SHA1
dd494b3af554ea00b6234e597d6ee72550d129a0

SHA256
0f2da27f34cd5f2b347f46b0977e956c26b632bce2dc9d6e97da0c6783df691e

SHA512
58a4cda3671a3db4fce66a7d592a1e44cbe35dff9252b8b611054186a28faeb84a4a94af888def8675f45a290b2ef625c0bc51c738f2c5f1b8403e554607fbc3

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
224KB

MD5
8b4fa61b5efc7e6a6f3c422aeefbceef

SHA1
94863e46fd5a5c0f516c1e7d85816097d6fca382

SHA256
0bb94c8c377789687f03590f41bf94f9d1fb75a88ad6e0c42d2faa9b3976a118

SHA512
23790d306a7666d2ed4900c057ab736f74064e4bbfb5b45e3436c40e2c1e238bc528bacb3b1f67d3ec3971119ecb8d061ed811d7641343f73d5021c29f0f455d

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
224KB

MD5
d14954df892269d4cd03636388b1fc76

SHA1
baa44b1d2cbb62359005e19f1a2eaa7aca9c4866

SHA256
d2c705210625b7b5c22aa4a160613f68f12a93fe3034f2ba2adaa1b480fbc14c

SHA512
aeaae9a3c26545a5aa7c780c492eb18c8a194800429035d30e7a084b4bdb1e6bbea3e654989ec8ff37cfec9d33001eb2229124aeded7403507bcabda844516fd

Download Submit
memory/452-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/628-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-509-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/732-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/904-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/992-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1048-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1144-497-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1144-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1160-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1160-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1324-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1324-501-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1392-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1504-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1672-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1772-498-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1772-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1832-36-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2088-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2088-492-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2264-505-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2264-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2436-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2492-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2936-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-503-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3124-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3140-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3156-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3156-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3480-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3480-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3548-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3668-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3836-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3852-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3852-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3884-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-499-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-204-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4156-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4396-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4396-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4416-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4500-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4500-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4584-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4632-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4632-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4688-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-504-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5084-507-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5084-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads