065d26dac48cfe562bafc82411828a2e3bba7bf02df444ab450112bafdcb18d2

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Size

64KB
MD5

cf7a8a573acd42d1fb9a3e2c6fe494cf
SHA1

28115989cf868e8666d5cfb30086d0f9325a222f
SHA256

065d26dac48cfe562bafc82411828a2e3bba7bf02df444ab450112bafdcb18d2
SHA512

f54fdf6fbdce25ba13b39cdbe281ccbc11459c6b3bac7556c8f5ea788f5f4e72830576b8add3525dc14257cc60a15dee31e4fa4615e2ab9c0833d96f61e8556b
SSDEEP

1536:i/0RZW+1RnxekD8ltEVrNZb0Toxp2vlFly5VP:i/ylVbD8lYrNZi+p2vlFlkt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe

Executes dropped EXE 54 IoCs

pid	Process
2036	Kdffocib.exe
4008	Kgdbkohf.exe
4424	Kmnjhioc.exe
920	Kpmfddnf.exe
4204	Kkbkamnl.exe
1812	Liekmj32.exe
3408	Lpocjdld.exe
1432	Lgikfn32.exe
3248	Lmccchkn.exe
5064	Ldmlpbbj.exe
3264	Lgkhlnbn.exe
5040	Lijdhiaa.exe
1324	Laalifad.exe
4856	Ldohebqh.exe
3768	Lgneampk.exe
3944	Lilanioo.exe
2708	Lpfijcfl.exe
1916	Lcdegnep.exe
2900	Lklnhlfb.exe
4396	Lnjjdgee.exe
1576	Lddbqa32.exe
4420	Lknjmkdo.exe
4500	Mnlfigcc.exe
1564	Mdfofakp.exe
4432	Mgekbljc.exe
4540	Mnocof32.exe
1640	Mpmokb32.exe
4060	Mgghhlhq.exe
3592	Mjeddggd.exe
2820	Mpolqa32.exe
4004	Mcnhmm32.exe
2416	Mkepnjng.exe
4292	Maohkd32.exe
2984	Mcpebmkb.exe
1352	Mkgmcjld.exe
3512	Mjjmog32.exe
3624	Maaepd32.exe
2716	Mdpalp32.exe
1616	Mgnnhk32.exe
1060	Nnhfee32.exe
4296	Nqfbaq32.exe
4388	Ndbnboqb.exe
2788	Ngpjnkpf.exe
4596	Njogjfoj.exe
1592	Nqiogp32.exe
4796	Ncgkcl32.exe
3096	Nkncdifl.exe
1572	Nnmopdep.exe
752	Nqklmpdd.exe
3176	Ncihikcg.exe
1924	Nkqpjidj.exe
5084	Nnolfdcn.exe
4160	Ndidbn32.exe
4056	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	4056	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2036	1980	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe	83
PID 1980 wrote to memory of 2036	1980	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe	83
PID 1980 wrote to memory of 2036	1980	cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe	83
PID 2036 wrote to memory of 4008	2036	Kdffocib.exe	84
PID 2036 wrote to memory of 4008	2036	Kdffocib.exe	84
PID 2036 wrote to memory of 4008	2036	Kdffocib.exe	84
PID 4008 wrote to memory of 4424	4008	Kgdbkohf.exe	85
PID 4008 wrote to memory of 4424	4008	Kgdbkohf.exe	85
PID 4008 wrote to memory of 4424	4008	Kgdbkohf.exe	85
PID 4424 wrote to memory of 920	4424	Kmnjhioc.exe	86
PID 4424 wrote to memory of 920	4424	Kmnjhioc.exe	86
PID 4424 wrote to memory of 920	4424	Kmnjhioc.exe	86
PID 920 wrote to memory of 4204	920	Kpmfddnf.exe	87
PID 920 wrote to memory of 4204	920	Kpmfddnf.exe	87
PID 920 wrote to memory of 4204	920	Kpmfddnf.exe	87
PID 4204 wrote to memory of 1812	4204	Kkbkamnl.exe	88
PID 4204 wrote to memory of 1812	4204	Kkbkamnl.exe	88
PID 4204 wrote to memory of 1812	4204	Kkbkamnl.exe	88
PID 1812 wrote to memory of 3408	1812	Liekmj32.exe	90
PID 1812 wrote to memory of 3408	1812	Liekmj32.exe	90
PID 1812 wrote to memory of 3408	1812	Liekmj32.exe	90
PID 3408 wrote to memory of 1432	3408	Lpocjdld.exe	91
PID 3408 wrote to memory of 1432	3408	Lpocjdld.exe	91
PID 3408 wrote to memory of 1432	3408	Lpocjdld.exe	91
PID 1432 wrote to memory of 3248	1432	Lgikfn32.exe	92
PID 1432 wrote to memory of 3248	1432	Lgikfn32.exe	92
PID 1432 wrote to memory of 3248	1432	Lgikfn32.exe	92
PID 3248 wrote to memory of 5064	3248	Lmccchkn.exe	93
PID 3248 wrote to memory of 5064	3248	Lmccchkn.exe	93
PID 3248 wrote to memory of 5064	3248	Lmccchkn.exe	93
PID 5064 wrote to memory of 3264	5064	Ldmlpbbj.exe	95
PID 5064 wrote to memory of 3264	5064	Ldmlpbbj.exe	95
PID 5064 wrote to memory of 3264	5064	Ldmlpbbj.exe	95
PID 3264 wrote to memory of 5040	3264	Lgkhlnbn.exe	96
PID 3264 wrote to memory of 5040	3264	Lgkhlnbn.exe	96
PID 3264 wrote to memory of 5040	3264	Lgkhlnbn.exe	96
PID 5040 wrote to memory of 1324	5040	Lijdhiaa.exe	97
PID 5040 wrote to memory of 1324	5040	Lijdhiaa.exe	97
PID 5040 wrote to memory of 1324	5040	Lijdhiaa.exe	97
PID 1324 wrote to memory of 4856	1324	Laalifad.exe	98
PID 1324 wrote to memory of 4856	1324	Laalifad.exe	98
PID 1324 wrote to memory of 4856	1324	Laalifad.exe	98
PID 4856 wrote to memory of 3768	4856	Ldohebqh.exe	99
PID 4856 wrote to memory of 3768	4856	Ldohebqh.exe	99
PID 4856 wrote to memory of 3768	4856	Ldohebqh.exe	99
PID 3768 wrote to memory of 3944	3768	Lgneampk.exe	100
PID 3768 wrote to memory of 3944	3768	Lgneampk.exe	100
PID 3768 wrote to memory of 3944	3768	Lgneampk.exe	100
PID 3944 wrote to memory of 2708	3944	Lilanioo.exe	101
PID 3944 wrote to memory of 2708	3944	Lilanioo.exe	101
PID 3944 wrote to memory of 2708	3944	Lilanioo.exe	101
PID 2708 wrote to memory of 1916	2708	Lpfijcfl.exe	102
PID 2708 wrote to memory of 1916	2708	Lpfijcfl.exe	102
PID 2708 wrote to memory of 1916	2708	Lpfijcfl.exe	102
PID 1916 wrote to memory of 2900	1916	Lcdegnep.exe	103
PID 1916 wrote to memory of 2900	1916	Lcdegnep.exe	103
PID 1916 wrote to memory of 2900	1916	Lcdegnep.exe	103
PID 2900 wrote to memory of 4396	2900	Lklnhlfb.exe	104
PID 2900 wrote to memory of 4396	2900	Lklnhlfb.exe	104
PID 2900 wrote to memory of 4396	2900	Lklnhlfb.exe	104
PID 4396 wrote to memory of 1576	4396	Lnjjdgee.exe	105
PID 4396 wrote to memory of 1576	4396	Lnjjdgee.exe	105
PID 4396 wrote to memory of 1576	4396	Lnjjdgee.exe	105
PID 1576 wrote to memory of 4420	1576	Lddbqa32.exe	107

C:\Users\Admin\AppData\Local\Temp\cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf7a8a573acd42d1fb9a3e2c6fe494cf_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Kdffocib.exe
  C:\Windows\system32\Kdffocib.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\Kgdbkohf.exe
    C:\Windows\system32\Kgdbkohf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\Kmnjhioc.exe
      C:\Windows\system32\Kmnjhioc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        55⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 408
        56⤵
        Program crash
        
        PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdffocib.exe

Filesize
64KB

MD5
61c4981446c9fc2ed44039dbc16bc971

SHA1
f7f1404bdbb76f3949dbfb535bd285e3e238d89e

SHA256
92ba9a0690285156913345b5a1e4cc7f2b001abb3f95f31aa5e8fffa9384464b

SHA512
3b40a923b0626ad02e85b58243f2f2f093cda84f4cbe9aa1a682c7f32f26d0e66f6526e45c26dc8916f99ca3c447f296dcba3ea21c3872ad8ff5895b782cbf7e

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
64KB

MD5
668d5b2f213b6b8826c34804dc995f3f

SHA1
43889dd16839b6ea8999789c26160188888f37aa

SHA256
5c6527d5f2bd3a9fc157d4b2a245424dc2cd0043841ee70768950b99980b6350

SHA512
acc88c14a4107d211740522553b22f7c36ecfc9e9edbd61c8f80885657e5bc094e0e63de7d0e5c650eb33231b46475cd6a0095e7879818c8a3de05fda3f44146

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
64KB

MD5
292cac838eb89908d52a004da4a998d6

SHA1
e7fe162cf5b1461b02a1118490aff998193982c5

SHA256
820f60412b84adc339604833b8bc71f13636edb68a362df9f8d639954f2d39dc

SHA512
f6e8de9878c7e6412b9129d0d26edba9fec946aedc41457e53e9ee4ba88c208b622d2a8a93ce9ac9c926bd0ae961f60fe4bc2ac7204be6e5049a488611e777d5

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
64KB

MD5
f9d3189fdc64bf001d47cd0e71800099

SHA1
d74ca05407d89b2482582c5dc7f8cba55a9d870e

SHA256
cf6fd9dcbf4b5cb73d05bcf081095a2fe1c662622c7db56726800a74115388fd

SHA512
a202c83ef0244fede8c35f6010497e1b98d4998afc117966656666ccc74e9c8acf751a8973ffa792081fe43d4b5b9dfab92a960163faf102be64bbd184eb05d4

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
64KB

MD5
8ca537dfcc65b8f6c983efe7d0fead4c

SHA1
aa511be4e7840d9172f381d11aa1b9cb4c3f6a06

SHA256
d831a71ce29077102ea3050094a9c858cade3c5201da541d30d70cd2def361e1

SHA512
c06a71ff144198f8a1f446e3b2177ef645f96e68f1753033dd1ed41937f0a6d8a221dc73638a23023aaee7a8a3bdbf67b1ef0b1324b1ef6ad1107e437f98bed0

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
64KB

MD5
d0ccbfb46ab0f2e4816e7b9fdcee34d1

SHA1
dbd7096f90e3e982b074e3558408abcae3a3cd6b

SHA256
3ed23d34982567b0a1cc64844693f7778d6a6acd7f7b30ac9d97b7806f1453a2

SHA512
e27354bf098f0be053c3e0b869d4ec85843dd6416a408badfa9dffdd66eabb3632bdcb84cc09a0840093e306bebb2350570893129b5013df5c3bfa3b1bd0bd6b

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
64KB

MD5
62ebae247a9083aa548a41b630c67f49

SHA1
ea4755fe1c8371588f6c674063729a2d7ab9a5b6

SHA256
bb208f606cd2d1bae8c09aa96f86968cb8cdec211186d86ee07b3f1a5a460b65

SHA512
9560a98e4686bd721aaccbe368238ee45d463ab51af3461169cd29cad83273621d3aea9092a38aca53c0e95f5ffd95e835c17ddad073b77c71bbbdf4ee1eb068

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
64KB

MD5
d67b557371055b9ae8ae0089b0932b29

SHA1
402919f2fc59dbb0a6c8e08396396f15762f5aa9

SHA256
9b8f2ae39ebb564316168412bdf7ce1fc8462c85dfc5f7dab43befe1f81902f5

SHA512
ea059d0708377fac4a82afe11cfd10d2fed2b0787663f5186da961958f5208b60d89174e96638bc52267f6571ab338641ee874a40cdd50beb700bff2fa2e22a6

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
64KB

MD5
eba0edc52b90d3ea684ffa07e7d7d88b

SHA1
577015518de9ffc74456959466c1c88584633950

SHA256
4c3ec805eef3ddaf39765bab068c5b1cc1ecbd04638a8e469a3075b9f8d31187

SHA512
5edfd94dc67b545dca3638c7feb6be6332158f349e420c6aa9833c47f76df26194235875c8ee5a5984f804653a301d67c8c8d3ac5dbcc1ffcdf86d19c3e4a01b

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
64KB

MD5
8444e7bf5683268d38efce20d8c215bc

SHA1
bbff3228d62cb950e216d69f0f4fa812e7b422ac

SHA256
5829fc4effe86e882f9917aabbad690e6caa103e1b0e0b868415a2896f674ee2

SHA512
9e8dbaf7e9920860c0ed073d1ac2dd6313ae8d69902df2b7c9317ce1769867fc45344a6f9e6f1abbc12fdfc07d1e1df1db653fa06343eb5eadf9aadbc2d5df03

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
64KB

MD5
0c5aa98d8fde82475778ab8ca237dd12

SHA1
4ed032f14bd79312a02b6283a8ad60e151af2329

SHA256
80b0ae4f20115087b8cdaf0ab98c6a8a6a4c0f9fe0c9d3ed1ee6cf7cb406b59f

SHA512
0d4c01f1479ab395a3b195222c2b1c746a617958eda0fe44889c48bbd2fcbaf499c12852391861edffcc11927a918db6687cf2cce01552f11a4cf1c54a5de99c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
64KB

MD5
139579fba3237db7a08b77e7b9a1e2d6

SHA1
edea49a3aaf08e01641fdec7835ad76ea499095d

SHA256
5262009d114b38c1efebcaccd74507f16ecbf81b60d2fe5b6b499049bc24cf88

SHA512
f67103554f74ed52c3043a39e60965491d87c21a0a7dde4858cb44f573a7f593c95ad984ed71eed4378a5cca0e388eafd4dcdd87e1fbe2d3987536a30307d784

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
64KB

MD5
c3bf5ae95904d7608180e3c6153ecec3

SHA1
7b7089be8581de1dc700bf124668da8e2ce12691

SHA256
96e7fdc4f23070cb92ebc0c08af65b7bca8da8931c49707283c57a9f31458519

SHA512
e131039f16ad92c2b628206d88f91105ac35193c65299b816ccbb4644328fe9dd02f0b5cfc09e6596fd94c5e1dad02e00491deef859e350cd2c6737898e0c2b3

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
64KB

MD5
415d43d9f471ac31e7a022479c9048bd

SHA1
4736d2650f5f8d3bea296c16aa5e61c6267f24c9

SHA256
fc43e3da22e064b2886671cd7a87a6a3636ff179f209c99d198c1d0f0746ab35

SHA512
244d30d5e840046018543221237808742dae2cc727725806bdf5ae9b3c6606c58df02d0b1a2e708eb7ebedcfa2c10909b92715eef126a2dd5c83c017a45bdc44

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
64KB

MD5
7d0ce67d10f7a3a1920ea157d9251562

SHA1
9dd9a24545ccd64e9bd43b9fdaa565a7e66941bf

SHA256
baa90672016f283e33567567a64ec6519d72846cf7bf5f7b6888fdc4b1bb27cb

SHA512
9cc2bc49f6d040d13e3d484046307b639af3bda2bed338ef39d885bc36785256daaf7bba3e3bb290728cb3a2b2a08b05f8ae5dddd3a2631c226617bf16b5e64e

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
64KB

MD5
5f5869cf272390296cf61f5d45ebfb8c

SHA1
58f0ef0ca3026b3893ccce83244cc341abbdeafd

SHA256
4c5a040b45100b275bc54bd2724bce28211b0720a99da2f5fcbd67edfc593bbe

SHA512
2dc433a633c03bb343c424bc1be96f4b0b6e3e557c931a9f17d1a1a627096fd436fbfa887acc98e9deb0473004103e7be8897f847a0c1ae9c181ec53e8f585dc

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
64KB

MD5
3bcb65b0bb7fe326882c808f1ccaede6

SHA1
588d6380932f334d74529a547ee776d7b9d98fde

SHA256
5edcbf918df4edc1e2caf1067e6760c25a2bf2a761f50fdee3e6beae56e23406

SHA512
191a8a912ead6760abb295c502d2d71022e1630f3f6fbe71e177c75e48bc5d3593c14dc2507a7bd261cc8bb42720cabf1e04565195a3466f5eba9bb44d9852fd

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
64KB

MD5
d28b62ebc0b8d42df95d788a799576ce

SHA1
b8d7e3aaf028ad27d2e616023a83d4d9a89415fa

SHA256
622cf9840dad7abf4eb7f13e6f687203a5c4470623411fd9b20a3ff85b3d60d6

SHA512
e0fbceebbb7ca68230d6183885b3478cfa42c5fcf304c103e02905163e1a0ad6b370b00042acbf7f60051894bd138aac71a60185f365b0da32494c23dea06bba

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
64KB

MD5
376d74b460bdf6158066703f861b59f5

SHA1
d8927174417c83796474b9041e4adf91f06d8c43

SHA256
4ea51d3d0db2499dbc59393ab56271f509c2a4bc4afd43a68ddb7a4d755226b0

SHA512
401d2a1f232a1a5c1079069c8cafc86fe2f3bc71cdc22940e3740d4bcc4ecbf99b22e531f4651d87f28642614fe5ef505819854e7926fb411f6c9d468e35b9dc

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
64KB

MD5
90b2ad5137c71ebc0409925e91686700

SHA1
bcc8ba0f726d3b21f08e7e8e753962509a2fb995

SHA256
baf2b0d63f726b5989ce77648896a762ed0a6f19e28cf68bd2f7579b27624a76

SHA512
212ddf067ddd05f508727c8fa5b966c57ef8fc249b28df233ee48fbe17eb7339a6e91cd8aba1512f9b3dc25176d4abf1d746758c6f082782aaa234bf30d65021

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
64KB

MD5
4d59f6d392add8cc044fad672a12a3bd

SHA1
6fb0e9805c51a05e2249e03b70e4f975c8b50ad2

SHA256
1ea5415e7de2ea351b74ae576578f253295fc8a26bc2d7bf8e980892f53c74a4

SHA512
2751d1cff944894c64b31e0d7f9f7baf3be48e63cfa85bfddb40b8488f553be9beb9ed405c10344ab451343ffc9d3e27d9ff91f21ee6c06c533fd7edc0063977

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
64KB

MD5
a4bb52e0ddc15f7cdd63d97d8114509b

SHA1
8b2aa3cb787d91462b83449a1f393e3fcb61a29a

SHA256
1f99210a6c70a08cb06c0265a3fc414a92cf7f36888cb1db60e29bc0739dfcde

SHA512
1d6a0eb4d76ba65d053915ba7144d1f89c7eb78ed7800c7439ff83d45b27807500190cabe3692f951dc3f3329f8062489abe07a86a1dc6de94cd7885f68824e7

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
64KB

MD5
71f6b81deb88be89d834075219cc4263

SHA1
b6fef24bd22e41aa1a7cbedc39585bb8a99dc34a

SHA256
7adf171dc8e9dafc5093fc6e00ccc849b6c75406ecc7f03140368d1a445a3616

SHA512
8e8069bb927e81961a2fe93fc0bfdfed2ae85e3f4f7543d52c9f55d204598029dd45ef993929cd05cf74dd364f1f73e4bed267bb5ac7ebd36264230f39eac453

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
64KB

MD5
e926981eee694f94ad08add1a5a929f3

SHA1
c3c256456f3d9f74f1ca0ae75569ef4f191d87a2

SHA256
bf05b60587ed5584b4acf896834ea15f64da51203ca837d6c56db116eab4b2ce

SHA512
553a9919d07d5ac49ade99822a42921b268421c33cd222c16fdea0acf536847bee81065b7c7d5a27e1337a293f59016fe77391a15426cda951e8e58192e93436

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
64KB

MD5
8189fb24fc8d952b22ce0cd71234f7f8

SHA1
9e6774fc5a33bd032c79251453cade43d336c025

SHA256
838c5724dc7e53a293602a3d1defed2a72e12e2fd584ccbe44a85ae54c6e88d4

SHA512
ec063f2ec0998c003b94bf8c158f73838000811ea8bfbecbd9e747b4a2b3b587b630ee171967a30eb96e31bd6c9f99c1d01889efa3d5ea79106b6b8aff85f2a2

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
64KB

MD5
7a9ae3e5118e35cc56afa82a213b8252

SHA1
8efb141a3bcf1c1db6866a3d565bb79006404461

SHA256
b8801a72ce663d8ebad20182a85503e89406e2f39a95005a8313f8a7cb1b768f

SHA512
dc469a3ec20088d528427eebdc1254f9c856040cadfd58fdeb7043cb6f36e8cbed977389b904cc88fb9cb4454d6cc72774d776247c1e5e310558843aed28516b

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
247b88ca0f86ec31de60ca627f5cb609

SHA1
e698981544bcfe1acf0ea950e95447b1ecc872df

SHA256
a1f333282d57da60a8c2f30a2376c18f32e83da2a639e131fc24c10340bbebcd

SHA512
bd5c6d78b4887110b113cb260f013245d7a6a00b6f06c886740ec383f2713b5517110d3cd8b81d74fb58a8b9a5a1f67d7d84bc4f8501f2f7a88ea9ecff686f78

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
64KB

MD5
caf1c292575e550df356326f64d108f8

SHA1
a7d2340df305b00b358a5872addb5f966f3a8623

SHA256
9846a14ef9a39d5696a64387c7db5054d9e0d18faaae6195a03353a85cf18490

SHA512
823861bd2f5a352abcc201bd8d8315acb9c45ea1df579c0fbf21169b430e8df6976cfcd807529bfdd66b3080d65c693ecde12868cfe01f6eee6ca4f45a466f2d

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
64KB

MD5
fbb04d3b6f75ddab20832138475c39fe

SHA1
7d18a781ef9e5229320938729e47b218ee0aae7f

SHA256
97b0c749167cc520281aedb46c28f94e375a93729f3f375c29600ce3cb1afd47

SHA512
cdbde93110db9ca40466432583aa610c782bac730f46b0c659687188cd0dd9287f3e1f32944a77c66a672c34f64836b6f0a6b2ebf4a9eedcd39d4a71b2504f5b

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
64KB

MD5
917f6aa0f356dcf39895c8474d477a85

SHA1
ab9a108a463a20bed113cf9f25bd886016aa87e7

SHA256
15991642a9508f748185eb560637dbb1cfb3608dcaee63ddc7587169a8adbdb5

SHA512
7cac7dc770bef7f2424197ae248c04f5a2df2c917a3213159f63fe4b66f75b33e5c0a45f2152b1a8ee4137abf11a5b64f0b615c7b48dc565b2acd987d6df9a89

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
d4173755a5131aa5c1d89f77eb1b157e

SHA1
a46795206fa3bd5a187e49bf298c02e070cf5924

SHA256
98865c7f12062331e01840d64d9358c6c64f69ed2ec3ad32a6f2d63307164f83

SHA512
893bebb2f73ef3ed95c4c8838826cf87c79ea9b8f388152340087d97f205a862c91220d9b63ac4ef8cab9a7a9d26431ecf4e8dbe0eeba416e5954928acb294d0

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
64KB

MD5
6da0825b6698e0a41e85e503bf56c469

SHA1
a88a5bf4a0225baa66028f256cdf9972e5e0c63a

SHA256
ea8af4df771351da95187cb7e24b14f5387b3f8283a98947f22e8d6216fa93a0

SHA512
6ef6b5892f940408da3c5e0f267ee6676c7afe5e33820f22b45c44823ef5ab248002f55bd56d5a4237db8ce5090df717353b9335d2b6588bc9f35119bd6fb3cf

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
64KB

MD5
1121bf0b6694ea42698b7ebf2526d4fe

SHA1
f7656f003479b78c3efdf59e7fe38924bf6d3a6c

SHA256
9a03a110087b00d4b025f3d2c8445805f8d2575227e92f8cc909b3d097592af3

SHA512
0be596b48fee490dfa6d0820405db042817cbba3d8b769dfc1db8b82216ccd34bb17f97cd9e21c9f6637c47f6b4f210fe2fec8833554e6d7cfee289d93a8fcdf

Download Submit
memory/752-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads