e5a25bde7c48f7b8f9fdcc2048e737d9427e2b944a66604df1a61229b397c722

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe
Size

412KB
MD5

d27448cdbed1fd0ed3c2d109a829f52f
SHA1

ee897f229adf9ea1e552b0208644f5e63b76e799
SHA256

e5a25bde7c48f7b8f9fdcc2048e737d9427e2b944a66604df1a61229b397c722
SHA512

b2ba458665b5ed7abfad30dd24588f2aa1638a2011201423577ad0b8d42621a868fea08ea7c1946cd7d3fef3c84196e1ba07c26de808503315071fbb43f57f6f
SSDEEP

6144:q6t7FI0i+ZfSCZoBB5CMHP7RQmfMishe4Zgufq+cREyR/yfjoshaphaiB00:qi4zCMHieikLB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe

Executes dropped EXE 64 IoCs

pid	Process
1248	Kinemkko.exe
964	Kaemnhla.exe
5092	Kgdbkohf.exe
3804	Kibnhjgj.exe
1600	Lalcng32.exe
1928	Lpocjdld.exe
4988	Ldmlpbbj.exe
4412	Lcpllo32.exe
1664	Lijdhiaa.exe
3204	Laalifad.exe
1944	Ldohebqh.exe
1720	Lgneampk.exe
4512	Lkiqbl32.exe
2380	Lnhmng32.exe
228	Lpfijcfl.exe
1596	Ldaeka32.exe
1956	Lgpagm32.exe
3600	Lklnhlfb.exe
3552	Ljnnch32.exe
3540	Lnjjdgee.exe
372	Lphfpbdi.exe
1748	Lddbqa32.exe
3740	Lcgblncm.exe
1528	Lgbnmm32.exe
1976	Lknjmkdo.exe
3276	Mnlfigcc.exe
4944	Mahbje32.exe
4516	Mpkbebbf.exe
4288	Mdfofakp.exe
1152	Mgekbljc.exe
4876	Mkpgck32.exe
2224	Mjcgohig.exe
1680	Mnocof32.exe
2968	Mpmokb32.exe
732	Mdiklqhm.exe
3524	Mcklgm32.exe
3780	Mgghhlhq.exe
544	Mjeddggd.exe
4352	Mnapdf32.exe
4596	Mamleegg.exe
2220	Mdkhapfj.exe
3156	Mcnhmm32.exe
2244	Mgidml32.exe
2720	Mjhqjg32.exe
4816	Mncmjfmk.exe
4664	Mpaifalo.exe
2280	Mcpebmkb.exe
5040	Mglack32.exe
1548	Mjjmog32.exe
2668	Mnfipekh.exe
2976	Maaepd32.exe
3536	Mdpalp32.exe
4604	Mcbahlip.exe
1384	Mgnnhk32.exe
932	Njljefql.exe
4260	Nnhfee32.exe
4112	Nacbfdao.exe
2268	Ndbnboqb.exe
2140	Ngpjnkpf.exe
4804	Nklfoi32.exe
2556	Njogjfoj.exe
3040	Nafokcol.exe
3956	Nqiogp32.exe
1200	Ncgkcl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1096	4896	WerFault.exe	160

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1248	4000	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe	83
PID 4000 wrote to memory of 1248	4000	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe	83
PID 4000 wrote to memory of 1248	4000	d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe	83
PID 1248 wrote to memory of 964	1248	Kinemkko.exe	84
PID 1248 wrote to memory of 964	1248	Kinemkko.exe	84
PID 1248 wrote to memory of 964	1248	Kinemkko.exe	84
PID 964 wrote to memory of 5092	964	Kaemnhla.exe	85
PID 964 wrote to memory of 5092	964	Kaemnhla.exe	85
PID 964 wrote to memory of 5092	964	Kaemnhla.exe	85
PID 5092 wrote to memory of 3804	5092	Kgdbkohf.exe	86
PID 5092 wrote to memory of 3804	5092	Kgdbkohf.exe	86
PID 5092 wrote to memory of 3804	5092	Kgdbkohf.exe	86
PID 3804 wrote to memory of 1600	3804	Kibnhjgj.exe	87
PID 3804 wrote to memory of 1600	3804	Kibnhjgj.exe	87
PID 3804 wrote to memory of 1600	3804	Kibnhjgj.exe	87
PID 1600 wrote to memory of 1928	1600	Lalcng32.exe	88
PID 1600 wrote to memory of 1928	1600	Lalcng32.exe	88
PID 1600 wrote to memory of 1928	1600	Lalcng32.exe	88
PID 1928 wrote to memory of 4988	1928	Lpocjdld.exe	89
PID 1928 wrote to memory of 4988	1928	Lpocjdld.exe	89
PID 1928 wrote to memory of 4988	1928	Lpocjdld.exe	89
PID 4988 wrote to memory of 4412	4988	Ldmlpbbj.exe	90
PID 4988 wrote to memory of 4412	4988	Ldmlpbbj.exe	90
PID 4988 wrote to memory of 4412	4988	Ldmlpbbj.exe	90
PID 4412 wrote to memory of 1664	4412	Lcpllo32.exe	91
PID 4412 wrote to memory of 1664	4412	Lcpllo32.exe	91
PID 4412 wrote to memory of 1664	4412	Lcpllo32.exe	91
PID 1664 wrote to memory of 3204	1664	Lijdhiaa.exe	92
PID 1664 wrote to memory of 3204	1664	Lijdhiaa.exe	92
PID 1664 wrote to memory of 3204	1664	Lijdhiaa.exe	92
PID 3204 wrote to memory of 1944	3204	Laalifad.exe	93
PID 3204 wrote to memory of 1944	3204	Laalifad.exe	93
PID 3204 wrote to memory of 1944	3204	Laalifad.exe	93
PID 1944 wrote to memory of 1720	1944	Ldohebqh.exe	94
PID 1944 wrote to memory of 1720	1944	Ldohebqh.exe	94
PID 1944 wrote to memory of 1720	1944	Ldohebqh.exe	94
PID 1720 wrote to memory of 4512	1720	Lgneampk.exe	96
PID 1720 wrote to memory of 4512	1720	Lgneampk.exe	96
PID 1720 wrote to memory of 4512	1720	Lgneampk.exe	96
PID 4512 wrote to memory of 2380	4512	Lkiqbl32.exe	97
PID 4512 wrote to memory of 2380	4512	Lkiqbl32.exe	97
PID 4512 wrote to memory of 2380	4512	Lkiqbl32.exe	97
PID 2380 wrote to memory of 228	2380	Lnhmng32.exe	98
PID 2380 wrote to memory of 228	2380	Lnhmng32.exe	98
PID 2380 wrote to memory of 228	2380	Lnhmng32.exe	98
PID 228 wrote to memory of 1596	228	Lpfijcfl.exe	99
PID 228 wrote to memory of 1596	228	Lpfijcfl.exe	99
PID 228 wrote to memory of 1596	228	Lpfijcfl.exe	99
PID 1596 wrote to memory of 1956	1596	Ldaeka32.exe	100
PID 1596 wrote to memory of 1956	1596	Ldaeka32.exe	100
PID 1596 wrote to memory of 1956	1596	Ldaeka32.exe	100
PID 1956 wrote to memory of 3600	1956	Lgpagm32.exe	101
PID 1956 wrote to memory of 3600	1956	Lgpagm32.exe	101
PID 1956 wrote to memory of 3600	1956	Lgpagm32.exe	101
PID 3600 wrote to memory of 3552	3600	Lklnhlfb.exe	102
PID 3600 wrote to memory of 3552	3600	Lklnhlfb.exe	102
PID 3600 wrote to memory of 3552	3600	Lklnhlfb.exe	102
PID 3552 wrote to memory of 3540	3552	Ljnnch32.exe	103
PID 3552 wrote to memory of 3540	3552	Ljnnch32.exe	103
PID 3552 wrote to memory of 3540	3552	Ljnnch32.exe	103
PID 3540 wrote to memory of 372	3540	Lnjjdgee.exe	104
PID 3540 wrote to memory of 372	3540	Lnjjdgee.exe	104
PID 3540 wrote to memory of 372	3540	Lnjjdgee.exe	104
PID 372 wrote to memory of 1748	372	Lphfpbdi.exe	105

C:\Users\Admin\AppData\Local\Temp\d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d27448cdbed1fd0ed3c2d109a829f52f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\Kaemnhla.exe
    C:\Windows\system32\Kaemnhla.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\Kgdbkohf.exe
      C:\Windows\system32\Kgdbkohf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        41⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        64⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        66⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3916
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1552
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 400
        79⤵
        Program crash
        
        PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
1⤵
PID:1328

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
412KB

MD5
48c340f2d0a9cb8d969538cb1cc715be

SHA1
0b46e1cefcf01361e6482a99e11aacac54820687

SHA256
96030b889c82f40aef9d2180de0b5cc7b0db124e736731124412578bf9e0d7bf

SHA512
190c4f813e60879c737d1d8f69c4cdde5db1a452a757e979b2917d5e896678984859bef4ab8999efcc6811b0a22192e9e75d267cc231061c4fc58acb190da50f

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
412KB

MD5
42a5afbe2737ff985ab1e81031aecddc

SHA1
d385aa4d84bf0c97f4b654a1e6c8d6569a962880

SHA256
ecb3fa602fd4e2782b3d1050bf2c82c5aa15c4d1541b13a5d22fecc8132b6d3c

SHA512
54393f446de0d77549b39c9b3270d9a0c5ad2a20f950ed0712fc32fe83ca1c4ab7826148408fbafb43f82b11a3ed5933a241d84d57e4445295b6e528aba665dc

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
412KB

MD5
bac0d242e6ffbd320be1879ff39506e3

SHA1
dfd152d7a43196f301ac9455590d01fc0f327ad6

SHA256
924907480ece0ec99755e7083ececea51258545151c6a182ac8dbdd2361bae0e

SHA512
1a0784659089523ce5d07fc2ad52055f8a33ea1ba559b61e5090d8ec6c6011bac8631fbe7a5357eabc5f3fde108e84f58dfdbe5882ccfd5e3e8396141f610592

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
412KB

MD5
ccc65f68d966e8fae44626ec86b1b4eb

SHA1
28e8dee6328c77c8b3838c7d4caa45ce91955579

SHA256
31cbd0fa4ee10401a59963c37f7eec2d61bf3b54aa79cb1fd04f9d16a9f080a7

SHA512
13a7c73b6d53a81145fa4b2213a386b8e12b45218d39e141e5b392b44f666eb22ece3c4456a9df896d434a2b86162c4e4c9491c9aa01e0906bbc1564cbf77888

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
412KB

MD5
7a9aa7aaf0afdc2e9655987530a61618

SHA1
77af9dc17d971d591c8e41dd9ed706ad236263f5

SHA256
d86dae75005fb2ad669033227d74736bb765cb93ad0fafbe0f9883e0f72159bb

SHA512
8a6e943cd31a11bda4b23cd0ead66ba4207928f09b1156c525fdd79a332a1b659f47f91374b9721e3f9b03f008c75a9c50ae2bcbc3934c7ed97651a10a361c04

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
412KB

MD5
af45501f61ef57773e3fc44607c4f380

SHA1
c10be88993454a2147602e47fa08d3f6a49e05df

SHA256
f3881296bdc2344adabffb40907e09e43b49fe1e7e773558e164173bf363b7b4

SHA512
85b7ef92a0b16c65fa3d6330757590fc213d059d393a12c3ade2d0569568c5f77c0c5326a762821b35eb19061f1dd857765100a6b986cb7808dc4d2a57f74f77

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
412KB

MD5
e42c53a57aec335b14238cc3822c4f8a

SHA1
74bfab64af98668ae6eb8f31d964f1a280e629fa

SHA256
98aafe550b7ba174903901f8a01da00ce50ed484afbb8054adb4dd73b241e91a

SHA512
7895829b054342edf39751a4193c23a26973b093ea4e8e0dda149fd7046dabfd41ebf045041ad1b47b902c70836b8b62f22f15924f8902b65a1c7dd82ed12f3a

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
412KB

MD5
e63a45373b54d1fd1049e356bcd88637

SHA1
a1a6e087fcff3ae8d60abe11747def76e92594f6

SHA256
9d732eff02a5f10b9a1b0caa3b596934d17b294a81f925d50cf68f5d89764847

SHA512
825d3dc16b9337842b258775ba2072b9636adb846e1ad7e29706c447ada409cdee7d4640bda29366e2a7b683a401abb33691ea0e6ef013e2b3f704d664519e18

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
412KB

MD5
3438e7c822e66a51407d70b4bac5bc88

SHA1
a7a0d7c8f6f74adaf5783ceda9e2d1986d87b4e8

SHA256
d245ca80f749e13808ed964cf4c66af556fc324c10f5066e420ebc3e52aab5fd

SHA512
ce3082e95a899b4d16b601ad8b63a31e4f94064e7b604d2830504ba5a3d10acf0ea648635782337bfc1189652524f8d7460ef6df3484dd7a0aefbb545e5c89b8

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
412KB

MD5
e909f0b90bf3e62bc43e74d425b4d51b

SHA1
f02a95b8da3093f770800d6ef66219e3606a8880

SHA256
ce04af0e512045a3fb3d4f21874bb610e192747aeed7868cc38a86d4ef2ead5e

SHA512
2fb0444b6fd256cf86f56417cf27b000700b56729e5a2017d07bb8a8468761aca9bf86433b35b5e40373502e63f41761baef9cd37ddf1f49adf1767a56e226ae

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
412KB

MD5
418d63336026bfb91b9f1997f1bbd283

SHA1
0d21d27a3c52fb0a8b888d1a143da2b9865fbec7

SHA256
d0c75a46a6470fe6a4736eb09dab999197e950865708494a51383deb109b1c69

SHA512
0027a03ce9a3bd005ec6a99143894c5070715898306b17f16e11f0e86bca45cbf972825b699769c7fb4e36fee47d48de7fb2eb51ddb73031ba0a4685f9d631e8

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
412KB

MD5
1c70dbc8d26cfbbe0128ae6e52d1b4ea

SHA1
4fb2ee2c9be9d572ecf4fb00761aeb568f2df889

SHA256
1469aef3675c90a6e83e7f7f54a18f00cf6c4877b423c74090c22135861511d3

SHA512
1e8316bbc2e84d7dca491087bb4aa568be3e491894652304170fe3cb842ce793dd41b9ef2db3ba68e5b9d5f0ac5e14683fc582c311e8077c000b595d6d50f552

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
412KB

MD5
3b84323291ecbbff559573fd656e0003

SHA1
5ebfbe252f230690191de654d3cc2970c244fb15

SHA256
c8b7cdbe626bf298df356b0510f328959c443407a1a96916f1c5d92d26031fab

SHA512
1102201827dfea90606362b88788d617654d80e1708ca50cabd40238f2f4582d6747554edb0aa82c068e256e7cabfe1ceb476eb93853c7fa25ebcad80c8426a3

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
412KB

MD5
303a33e14d0c713882ebee001a8e4e5b

SHA1
6bfef75f49dcf4d4c9a3a8e67a144d6048f7b7fc

SHA256
58990461e77eb19bf4adb17032e337731cd25aec1c86f4074667b012681842c7

SHA512
d05347261329fb3886a505f6a71dcd9dbcc476913e2de3c65934e01ee04255b8687c81c0d0806877658e40d4d09f9cb7dde8589ed18761f8f42e253b52b901d2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
412KB

MD5
d108ea7e523b28c2bedd779dcf1f2a4b

SHA1
ca53735f505d089a40d1364586be6fe621c6885b

SHA256
3e6272ed65eb690e4d164dc66b09582648548468172b01ac9376546acfd9d0c6

SHA512
b277ea36a6732e814c5a05ca3906084cc0466757b165ea99e215ba439f532ca24804224920d1883a5631ca56cacfc01f9aec515bcac00115b15957940f852d6d

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
412KB

MD5
73c956bb94fbad829a099174b9a58dd4

SHA1
6283a9bd36076e322df6a308fa1f8a29451831f3

SHA256
6cf9c9859299d4a3f203a7b4c7afca7cee2381d0eafb1eb08dc5e84bb53a09ec

SHA512
b1763c7627f0f68b25ddfac055313f751aeec28f81383d26e0bc1cab1a4629c00e3652214431f1f59872134ec7deabbf470b699be19385307573351aac833dfc

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
412KB

MD5
f0eb37224bfe2225fb127acb906bf13f

SHA1
3e2714fbc06089d64dc53c6e2a031858625d1759

SHA256
dc6f7010e20231145b7c2692a32e4846bc13e83ad0c71c9d939909d107ca8f74

SHA512
922fbdf44ab64eb7edc8e94560c3dfc6986fe88760a37333fb3c1794438feb99a9b457afc317e826aae9a8581845bec8bd73f46e736cadfb0ac3d8e3ab7a28e0

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
412KB

MD5
7fa5ddef136f2664e3d3cbe70b69e848

SHA1
12a77dd1835757c85a0816e587e36038912ec076

SHA256
bf771cbc525bcb09d16271e7045a7868ce08e511b6258f4941fa04c4209b41f9

SHA512
23220fd002e447a14ad307ea26690f856a821ecc4fd262a0718676084bb5e602c09a801b5c4c2c4e949807581f281b71035055b6704b1f44aae00bc4739e91fc

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
412KB

MD5
0c27e0040b55d52dde442eb68b326871

SHA1
1c5087a75c8ff7a43d348ef246e1b585e20c4939

SHA256
b6151de04e780f485e779a9f6de875266df6cba6ff5572b9fbfc7d2ff636e540

SHA512
47d09ebb351f06abaeb753366f2bb816f5ef1924a50e6dafdc2d36942d71c665ca419d47b7a26410f7504f41d59de7474bd5416fde1b2b87026f5eb49a6b36fe

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
412KB

MD5
4abdf3397e5e1bf96a84229eda4b02bf

SHA1
3e4d93e9d241950682d4fc3213122d256bc66970

SHA256
85105c82e929347c34db4ea29b6567480a022de6bdd3256bd8eab761d8dc05fd

SHA512
4a6ef41cf1afa0985d8e451a7edc26d000953da213b95ec238924fe418af0772bb518da8dfd92d4b086cf411790b5b5665ecf858b44353ebee517c436749c7b8

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
412KB

MD5
57325a01dcb338341afb921e8dfcfba2

SHA1
70f241ebd55e8d0b307275b3d51286474df95b68

SHA256
be273621f8a9a6335f677c8262c49da421a5648f1030ad5958adf936f8eaad30

SHA512
4c4a3ad0b25b00bdad38f06f5625be883dcce7952754ba5ccbdf3bd5a1f217965f7ccab2dd3a3c2b5eb3deeb4a9fc7c292ef0c452c36564ada66d1cbebec9905

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
412KB

MD5
30437f89be14346af273d238d92c1089

SHA1
4d03e7146538224d97f04c89fac909558eff84c7

SHA256
b7e9d295eb80165ed12960aafadf6831aec35d59ece03872e1621cd45126c272

SHA512
4f0f939cc05c0d4540409e09add568337cb21a1e28c9888632c1079a3eccdd946757fb24a98223fedc3b559d6ed8f1aacf5866cc3a8ed9b29ca6e8bc1d4a7c1b

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
412KB

MD5
b285c2b2f26b1d627138f7780d0a6350

SHA1
0b4341c1db12d74c61ab9385189089ac18793751

SHA256
43f05ec7e550ae802e8d13c7f9e6ed91f522fd6735b4c11993a9aec7fae8aa4d

SHA512
16f5958be05e75cba744d6d3e4e8a5907de84bc56e3252ce523623f32c0cf0660d71f990dd258127f039eee7b2690da3ca7323860711d276e9369afef0c109ec

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
412KB

MD5
c8f8f1d7bd77d6558db341d731681a95

SHA1
d381ce86bbc51e798501610dc8fdd5f4a656a254

SHA256
e7a7d9176dc7abc4e80e6cc2eb603a903635d3e6794f8944c063b114e5d4a708

SHA512
7effa6ea8165cd2f268d0c5718a86efc1f911e3ab87e7e4601c671afcad4320b050a7d46097af532a6d3ba41e927ba69fa8aa0df8879931941c965a0ff8cfe2c

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
412KB

MD5
4ba0b40596dd787bca6e82144b5cbbc4

SHA1
676126097e6a422052d8e5e883aad7c507ca8448

SHA256
381fdfd333d00c76aad1298b6981cab4786ddd0aaf0d6a58e95d5664911752ea

SHA512
c79e297662e41e430c6035d772397894a04e51936ed54ba0019fd8817cdcf6de5b2007de7df9807d1dd2f979d607963034d595082f148e3a58b6e1e8866cd0db

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
412KB

MD5
96fe1c313d96409ec1bd3eac2514b690

SHA1
2694d5716555c6d503fc9bcfdb82e6dc8d851bc7

SHA256
448c3e82aaaa487ebb58655a9552ffba509c9cecf54d4ae7747c544ef28764ac

SHA512
ca0e4efe957587b68f632c31057100a4735f105bd0f10fba458dbc8e71d07a8df2cdcad797fe12519940e1850b0c3f366839c5eedebce35fed125a089e142e39

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
412KB

MD5
83c410741cbf78c052040884aa53cb65

SHA1
f69726f1c22ca0ab85cb9f69d367368b88e2011a

SHA256
3697f3a8122c44007b0fa2f22dbc43e35e615a240b240b515938c64b0e0a05c1

SHA512
a569a84e2097bf7d21f9bddfc33cca8a32a7bdbfe34fbd13aec5d2b5843298c2d703d302ee8ca83dca68e71e25efc5b852e53280cb00bd9639f93bff4cf0e23f

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
412KB

MD5
9d7f9c8181133991a003d529b0dc782a

SHA1
fd36e82928c679b79e8dd88825d58c9caf8b71f1

SHA256
d5e24e7f5bd815d36907bdc291681760a6200a30a8e9d98034ef714d2b8d3594

SHA512
becb4c691ae929b9ef3840a09b5ce1feed9e7a8b6a4d8b3bda1597b0549ebceeb205b4bd1f5afdf417627fdb4bb625e2371ba1412a768cbb1d7254388de153c2

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
412KB

MD5
5199ac1c80e3a5a8e96c5a09b72c6933

SHA1
cb6120b3041940be79f8ec3cf1ddcd6a7d1c3cdf

SHA256
34ad506b7e621ec8674033e9fe9d5a24267b9deb14bed6b9c981cf304b5ad178

SHA512
ea82ff85b1b00e098f68069e2dc5432c9fe60925b2e1ffae6e3f3c3f8b6ac200e7fb7656c28b1555e03b3c259247732313ade7a345d277e779ac6861c2afcb70

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
412KB

MD5
f112ccbd4aff505fa3725e5c53be8a36

SHA1
94cb284067b7b5543e76f20f44eef4f7a55a6752

SHA256
1023b66f449bb779a668f9b583d30e2ea63938dc8aed1dd9bdd8580a4fa50fca

SHA512
b8fe8eb2f4de52a26913b04818bd74e7520729e226e1d38ddb94fc755a0708d76a074007c291985b85ce79bd90823d45a5227311a3b7270f04cd66a43acdf115

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
412KB

MD5
4d92006796bbcb7a35d7ebbfbdfff281

SHA1
35095ee0eadb2820520b0a2baf85f64556e2330f

SHA256
a87a62ebbfdb3afc0526bce72f8b5221b1bfcb1c7adc31667b44ff453a5e7f54

SHA512
b29e872e107ed61fdd29ed6c25174e2d268099ff8cc9f6ae38bec5db219766ccc9da63492232ce1fac5baf2331b1cad8d9d9ae54ba72f9b136bef81a771aedea

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
412KB

MD5
0f9973d996ddd918b45e2730ee675ad0

SHA1
d3b4f6d470c693de0d08ec50303bd216f337483c

SHA256
35dd670ef67321e22513f2044916323b3e55468ff6c903af474c259c5992d39f

SHA512
35864b27d3fb2cc9c834a143d7d23ab38e2c6e0e6d0c7a3c8cae7dd348274de0f7807932149fa51e533019146ca9cbc41429047ea5382ab1e55d6e10f70993c4

Download Submit
memory/228-465-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/372-471-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/372-600-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/544-566-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/732-572-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/932-532-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/964-17-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1152-582-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1200-514-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1248-13-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1384-534-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1528-594-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1528-474-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-544-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1552-492-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1596-466-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1600-41-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1664-78-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1680-576-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-102-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1748-472-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1748-598-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1928-53-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1944-101-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1956-467-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1976-475-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1976-592-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2140-524-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2220-560-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2224-578-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2244-556-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2268-526-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2268-479-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2280-548-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2380-464-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2556-520-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2668-542-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2716-505-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2716-481-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2720-554-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2720-477-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2968-574-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2976-540-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3040-518-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3156-558-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3204-99-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3276-476-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3276-590-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3524-570-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3536-538-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3540-470-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3540-602-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3552-469-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3600-468-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3716-490-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3740-473-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3740-596-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3780-568-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3804-33-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3916-508-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3956-516-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4000-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4112-528-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4260-530-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4288-584-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4352-564-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4376-510-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4412-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4456-512-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4512-110-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4516-586-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4540-503-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4540-482-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4596-562-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4604-536-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4664-550-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4680-494-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4696-506-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4696-484-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4804-522-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4804-480-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4812-483-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4812-501-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4816-478-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4816-552-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4848-498-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4876-580-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4896-486-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4896-488-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4944-588-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4988-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5020-485-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5020-497-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5040-546-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5092-29-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads